By Madhulika Srikumar
Apple’s clash with the FBI in 2016 was touted as an “American Revolution” and a reminder of “why we (Americans) have the fourth amendment.” Indeed, Apple’s challenge signified the pivotal role that tech companies play in defining the parameters of government surveillance. It did so by publicly challenging a court order requiring the company to break the encryption built into its iPhone device.
Cut to 2018: to the chagrin of privacy advocates everywhere, Apple announced that it would move the data of Chinese users to servers owned by a state-run company to comply with China’s data localization law. The company later announced that they would host the encryption keys in China; and that the Chinese partner would “have access to all data” of users registered in the country.
An emerging body of scholarship has now examined the role that tech companies play in instances like Apple’s clash with the FBI – where “surveillance intermediaries” constrain government surveillance, as Alan Rozenshtein argues. Scholars have examined the incentives and tools that tech companies use to resist the government (U.S. government in most analyses) and the net positive effect that it has ushered in for users against surveillance excesses by law enforcement.
What these scholarly attempts have omitted, however, is taking the latter reality into account – where tech companies accede to (sometimes regressive) government demands. The number of internet users in India and China is over four times larger than the United States excluding the number of future users. This fact alone introduces finer nuances that dismantle the existing understanding of financial and policy incentives that drive intermediary behavior.
I lay out in the following sections why tech companies must instead be treated as privacy negotiators – not only advocating for user privacy but negotiating the tradeoff between cooperation or resistance in the short term vs. compliance with unintended regulatory consequences in the long term. Over the past year, the scales have tipped in favor of the latter outcome. The difficulty of obtaining electronic data from U.S. tech companies combined with the historic resistance put forth by these companies has been recognized as the primary reason behind the onerous regulation introduced in India.
In response, tech companies are increasingly relenting to government pressure thereby complying with regulation that is not only poorly designed but one that could pose serious consequences to the privacy of Indian users.
I argue that as privacy negotiators, tech companies are in a unique position in the surveillance architecture to reform cross-border access to data for law enforcement in a manner that secures the privacy interests of Indian (and all foreign) users. Given that these tech companies are privy to the nature of requests and have the legal standing to pushback against the requests- their role as privacy negotiators is established firmly.
In earlier work, I examined the challenges in the current cross-border regime where Indian government requests data from U.S. tech companies, arguing that the respective governments must consider an India-US executive agreement under the Clarifying Lawful Overseas Use of Data Act or CLOUD Act. I argued that such a bilateral agreement would not only ease cross-border access to data and make it more efficient but also safeguard user privacy in the process and ultimately strengthen the overall case against mandatory data localization.
This article takes off from there – given that there is an alternative on the table, there are still no significant advances being made in the conversation. This article explores why. Even while the challenge arising out of the conflict of laws is undeniable, I argue that there is an emerging “conflict of interests” which has resulted in tech companies acceding to Indian government’s demands for localization. The article, therefore, addresses the gap between current literature that examines the challenge of cross-border access to data and the growing scholarship on governing tech companies as “information fiduciaries.”
In Part I, I briefly lay out the challenge of Indian government access to data highlighting how U.S. tech companies have fallen into the role of privacy negotiators. The section also briefly addresses the significant normative turnaround that an India-US executive agreement on data sharing can bring about.
In Part II, I examine how the push for data localization from the Indian government came about and the competing incentives of tech companies that may ultimately drive them to comply with a larger localization mandate.
In Part III, I explore how the recognition of tech companies as data fiduciaries under Indian law may enhance the legal responsibility of privacy negotiators – requiring them not only to pushback against localization but also push for more privacy protecting alternatives such as the CLOUD Act. In the final section, I argue that private tech firms indeed have the clout to push for an executive agreement between India and the U.S. to raise the privacy standards of law enforcement access to data.
This article is limited to examining the regulatory responses stemming from the cross-border conundrum when Indian law enforcement agencies (LEA) request user data from U.S. tech companies whose services are widely used in the country. Any reference to “tech companies” in this paper is limited to prominent U.S. tech service providers that are operational worldwide. Their function as privacy negotiators, therefore, is emblematic of the role they carry out in the current surveillance regime – and as I argue later in the article, also indicative of the duty they must discharge towards all users. Developments in India present a compelling lens to examine this contention since companies’ recent actions in the country exhibit a decisive turnaround in the incentives that earlier drove their resistance in the surveillance regime worldwide.
Conflict of Laws
The system for cross-border access to electronic data for criminal investigations between India and the United States has often been criticized for being outdated and time consuming, sometimes taking as long as three years. At the heart of the issue is the conflict of laws between where the user is located, where the company is headquartered and in some cases, where the data is stored.This has led to fragmentation of legal frameworks across jurisdictions and reliance on slow inter-governmental processes like Mutual Legal Assistance Treaties (MLAT).
Access to electronic data – specifically communications content – has become instrumental not just for crimes committed online but also to further investigations where these crimes cause ‘real-world’ harm. U.S. tech companies, governed by the Stored Communications Act, disclose non-content data to government agencies that honor the rule of law and respect fundamental rights. Companies only voluntarily disclose content data during exigent circumstances involving danger of death or serious physical injury to any person
Under normal circumstances content data can only be shared in response to a warrant issued in the U.S. As a result, in most cases investigating officers in India must obtain a warrant meeting the probable cause standard from a U.S. court through the India-U.S. MLAT to access content data. Due to delays and uncertainties associated with the MLAT process, Indian law enforcement officials often express their dissatisfaction of having to comply with a foreign law, especially while tackling crucial cases. One such instance is the recent case of disinformation spread through WhatsApp that resulted in mob violence and deaths of 27 people.
Given this reality, the Indian government in the past year has called for data to be localized or stored within India’s borders. The mandate to store data locally either completely or in the form of “mirror servers” is a harmful and ill-suited policy approach for two reasons.
First, mandating data to be localized is especially dangerous to user privacy since police officials in India rely on legacy laws to access electronic data which require no prior authorisation by courts. Legacy laws in India provide that any court or police officer in charge of a police station can compel the production of any “document or other thing” that is necessary or desirable for the purposes of an investigation or trial (Source: Section 91, Code of Criminal Procedure, 1973). Not only has this power been interpreted broadly but in practice it is only police officers who issue notices to companies requesting user data. This imposes a much lower threshold than the U.S. Probable Cause standard that is currently enforced on Indian users through the MLAT process where the court issues a warrant.
Second, data localization is ill-suited for the stated purpose of law enforcement access. Major service providers may not be able to comply with user data requests from the Indian government since U.S. law still effectively bars these companies from disclosing user data to foreign law enforcement authorities. Even if U.S. companies comply, only data of Indian citizens can be provided. In cases of transnational crimes such as online radicalisation, money laundering and cybercrimes, Indian police will have to continue to rely on cooperative models like the MLAT process.
It is crucial that a common framework is devised that eases the existing conflict of laws and increases institutional cooperation between states to discourage further fragmented developments such as mandatory data localization. Access to electronic data, therefore, must be determined on the basis of where the user is located and not where the data is stored. States must strive towards enacting direct data sharing arrangements between foreign LEAs and technology companies to operationalize this. The CLOUD Act signed into law last year by the U.S. Congress can actualize this for the first time and decentralize control over data from U.S. authorities where popular technology companies are located (This, however, requires an executive agreement between the United States and the foreign country certifying that the state will rely on robust privacy protections, and respect for due process and the rule of law when making requests to companies directly. Such a framework over time, will not only need to be transparent and hold both companies and LEAs accountable but also be scalable to respond to the increasing volume and complexity of requests. Specifically, due process safeguards on user notification, redressal etc. will need to be incorporated. The U.S. Department of Justice recently issued clarifications on how the CLOUD Act will be operationalized available at source).
Even while the CLOUD Act is an imperfect solution – the Act by allowing executive agreements between states to bypass the existing conflict of laws provides a workaround that was earlier unavailable. In effect, an India-U.S. executive agreement under the CLOUD Act would establish a higher standard of privacy protection for Indian users that is currently unavailable under Indian law such as limiting the scope of requests and judicial review.
Conflict of Interests
Push for Data Localization
Calls for mandatory data localization by the Indian government over the past year have emerged as the overwhelming bone of contention. Far from mere rhetoric, the Reserve Bank of India (RBI) has already made it mandatory for all payment service providers to store copies of data locally (Source: Reserve Bank of India Notifications, “Storage of Payment Systems Data”, Apr. 6, 2018).
India’s first draft data protection law imposes mandatory data localization – requiring all data fiduciaries operating in the country to store at least one serving copy of data on a local server (Source: Sections 40 and 41, The Personal Data Protection Bill, 2018). The draft law further empowers the government to recognize certain categories of data which must not only be stored but also processed exclusively in the country (Source: Sections 40 and 41, The Personal Data Protection Bill, 2018).
Admittedly, this push for data localization is part of a larger strategy that the government is rolling out to reassert their sovereignty in the digital economy. However, in no uncertain terms, the committee drafting the law has cited the difficulty that law enforcement faces in accessing user data during criminal investigations and prosecutions as the primary motive behind the move (Source: Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, “A Free and Fair Digital Economy Protecting Privacy, Empowering Indians”, 27 July 2018). The committee reasons that forcing companies to localize data, even just a copy, can enable “quick and easy access.”
The government directive to command cooperation from companies on surveillance is not limited to data localization. The draft amendment rules to the Information Technology Act imposes an obligation on intermediaries to respond within 72 hours of receiving a request from any government agency; preserve data upon requests for 180 days or longer; and enable “tracing” the originator of the messages shared on their platforms.
Forcing companies to store data locally – even just copies– has been widely panned by stakeholders in India and abroad. Broadly, enforcing data localization is criticized as a regulatory tool that can lead to unchecked surveillance, impose significant costs on companies, ironically on local startups, compromise security, and as per the U.S. government be discriminatory and trade–distortive.
It is undeniable that the Indian government has a legitimate interest in regulating tech companies, especially given their growing strategic importance. A case can even be made that a carefully nuanced localization law – that is backed by evidence and least obstructive in practice – can be an appropriate regulatory response in some cases.
It is undeniable that the Indian government has a legitimate interest in regulating tech companies, especially given their growing strategic importance.
However, the current data localization directive is driven by the government’s waning patience in eliciting compliance from tech companies across issues – from online speech to taxation. Even in the absence of a consensus across agencies on the extent, indeed the rationale behind data localization, the government is hurtling towards a point of no return. The government’s frustration stems from private and foreign companies wielding public power and, consequently, opposing state sovereignty.
Compliance with such a law would run wildly contrary to the public stance that tech companies have long held on this issue. If passed in its current form, this law will also be counterproductive defeating the government’s intended purpose, likely hurting law enforcement efforts, undermining user privacy in the process.
First, as I mentioned above, it is unclear whether a mandate to relocate data locally will translate into easier access for Indian law enforcement. Given that U.S. law effectively bars these companies from disclosing user data to foreign law enforcement authorities, companies are in a position to legally refuse to comply with requests. As is current practice, companies can continue to demand a judicial order from a U.S. court to comply with a request for content of any online communications.
Second, even if localizing data could assuage fears of foreign surveillance, it could easily lend itself to domestic surveillance. The Committee has sought to localize data for law enforcement but “categorically refused to afford this data any procedural protection”. The Committee has instead placed the onus on Parliament to enact another comprehensive legislation for surveillance reform. In other words, the government is enacting data localization in the absence of any, let alone strong, data protection laws and enforcement mechanisms. Some have gone on to argue that the mandate may therefore not fulfill the standard laid out by the Supreme Court on what constitutes a reasonable restriction on an individual’s right to privacy. This reasoning is compelling since the government can just as easily adopt less onerous regulations that could serve the purpose adequately and proportionately.
Competing Incentives of Tech Companies
Developments over the past year conclusively indicate that tech companies are relenting to Indian government demands to forcefully localize data. While these demands are not new, the RBI made a decisive move towards enacting this mandate for the first time targeting big tech companies – posing an existential peril to the payment ecosystem in the country. The principal banking regulator made it mandatory for all “payment system providers” to store payments data locally and ensure “unfettered supervisory access” to the data stored within a six-month period (Source: Reserve Bank of India Notifications, “Storage of Payment Systems Data”, Apr. 6, 2018). Eighty percent of the players, including Google, Amazon, and Whatsapp, have reportedly either complied with the regulation or are planning to.
Undoubtedly, the RBI notification has a far-reaching impact – not only because it is the first policy of this kind, but more importantly for what it signals lies in store. It has been reported that the Central Bank is relying on the localization regulation to “prepare ground” for a stringent data protection law that would be applicable across sectors not limited to financial data. Further, the close involvement of the central government in seeking compliance with the RBI regulation firmly indicates the emergence of a “whole-of-government” approach, laying the foundation for a wider localization requirement under the upcoming data protection law.
Admittedly, big tech companies have complied with data localization laws in Russia and China previously. However, I argue here, that submitting to an Indian regulation (and thereby a mandate issued by a democratic state) represents a turning point in the incentives that drive their behavior in emerging economies. Take Facebook, for instance. The company recently not only acknowledged that choosing where to build data centers is “one of the most important decisions” they make, but also committed to not storing sensitive data in countries with weak human rights records or lacking security safeguards. Meanwhile, Facebook’s subsidiary Whatsapp is on the final stretch before storing all payments-related data within India in the absence of adequate checks and balances under Indian law.
It may be unclear, even unnecessary, to characterize these actions of tech companies as hypocrisy or doublespeak. Tech companies have been and will continue to strike a balance between cooperation with, and resistance to lawful surveillance across jurisdictions.
In effect, however, the added complexity of responding to foreign governments has contributed to their resistance over time. This, in turn, has resulted in heavy-handed policies in growing markets such as India, which has distorted the incentives that earlier drove their actions. Companies are increasingly either adhering to these policies or showing a willingness to. Even while companies are incentivized by a profit motive, and understandably so, as privacy negotiators their acquiescence or pushback plays an outsized role for the privacy rights of Indian users. This alone demands an exercise in breaking down what incentives drive them.
Launch of new services: The launch of WhatsApp’s first-ever payments service coincided with the RBI localization notification. The RBI’s directive to all payment system providers to store payment data of the Indian leg of a transaction exclusively in India was issued in April 2018. In addition to the local storage requirement, the stated purpose behind the regulation was for providers to establish a mechanism to allow the Central bank to monitor this data end-to-end. The regulation was applicable to all payment providers including international card networks such as Mastercard and Visa, and operators of pre-paid wallets including WhatsApp Payments, Amazon Pay and Google Pay.
The consequent resistance to this regulation by global payment firms including big tech companies illustrated not only how their pushback was unsuccessful, but also the stakes involved for these companies as they were vying to expand in the Indian market. Tech companies view India as the “next frontier of growth” – fighting to capture the sizable and growing digital payments market, which is expected to be worth a reported $500 billion by 2020. Google Pay is reported to have 30 million users on the platform in India alone. With over 200 million monthly active users, India is the biggest market for WhatsApp – justifying why the company has been testing its payments service first in the country.
Even while complying with the RBI regulation heralded significant costs and an overhaul of existing operations; and is inconsistent with their previous policy positions on this issue, tech companies ultimately relented. Google, for instance, agreed to abide by all RBI requirements while at the same time maintaining that they promote cross border data flows since they generate more economic value. Apple, on the other hand, has reportedly stalled the launch of Apple Pay in India in light of RBI’s localization mandate.
Even under mounting pressure from industry bodies, U.S.-India trade organizations and U.S. senators, the Indian government has been unwavering in its demand. The Central Bank refused to extend their six-month deadline for compliance; did not concede to a less onerous alternative such as a “mirror server” requirement; and did not open up to public consultation. While companies challenged the RBI directive, it is clear that none of them pursued a legal challenge, though the reasons why remain unclear. Combined with the whole of government approach that the current administration in India has adopted, we see that tech companies acceded to the localization request given their significant growing interest in the market.
Localization as the “less bad” option: Increasingly, tech companies operating in India are seen to be viewing a localization mandate as a less bad option. First, tech companies across the board have agreed to comply (some at the first instance) with the RBI notification to exclusively store payment data arising out of the country locally. The majority of the global payment firms including Amazon and Google have abided by the law and satisfied the regulator’s requirements (Amazon not mirroring it abroad Whatsapp asked for 5 more months, mastercard and rest asked for one year). This differs significantly from how some of the companies have responded to Russia’s 2014 data localization law, with some either ignoring the obligation altogether and the rest failing to fully comply.
Second, it appears increasingly unlikely that the companies would continue to rely on U.S. law as a crutch to resist or delay responding to requests from Indian agencies. In effect by complying with the RBI requirement to store data exclusively in India, the companies have ceded to the regulators’ supervisory powers. Especially given the presence of physical infrastructure or personnel in the country, companies might consider the risk of not attracting punitive action more seriously.
Third, tech companies might be willing to acquiesce to data localization to stave off demands that could fundamentally alter their technological design. Over the past year, while WhatsApp has been under government pressure to localize data, the company was also fighting the fire to contain the spread of viral rumors on its platform. False videos of child abduction shared on the messaging app triggered a spate of mob-related killings that resulted in over 30 reported deaths.
The company’s plan to launch its payment service stalled as they came under intense scrutiny from the government to “not evade responsibility” and were being pressured to introduce technology changes to their service. This pressure culminated with the Ministry of Electronics and Information Technology (MeitY)’s draft intermediary guidelines late last year that mandatorily required companies to enable “tracing out the originator” of messages upon requests and to respond within 72 hours. While the company made changes to its messaging service to limit forwarding of messages, they pushed back on the tracing requirement as it could entail breaking the end-to-end encryption deployed by the platform. We see that while the company was willing to alter its architecture by storing data locally for its payment service, they were at the same time unwilling to alter a critical facet of its business model in encryption.
Responsibility of Tech Companies as Privacy Negotiators
U.S. tech companies operating in India are therefore caught up in what can best be termed as an identity crisis. At the crux of it, the aforementioned incentives muddy the waters for tech companies, making it difficult for them to push for a workaround to adequately address the challenge of Indian law enforcement access to data.
Since U.S. tech companies play a unique role when responding to government surveillance, acting both as the first and last line of defense, I argue that only companies can and must negotiate to protect the long-term privacy interests of Indian users. Especially given that these tech companies will soon be recognized as “data fiduciaries” in the Indian market, I argue that companies indeed have an additional legal responsibility to protect their users’ privacy interests. Through the CLOUD Act, tech companies can counteract the demands for data localization while upholding high standards of due process and privacy protections for Indian users that are currently unavailable under Indian law.
As current literature has exhaustively outlined, tech companies are the only actors privy to the nature of requests they receive from government agencies. Not only can tech companies afford the resources to comply with requests, but they can also cooperate more actively, and even pushback through a legal challenge when required. Ultimately it is only companies who have the resources or the legal standing to fight a request – further entrenching the role that they play as privacy negotiators.
The question that then arises is what role do companies discharge as privacy negotiators? Are there any obligations, legal or otherwise, on these companies to safeguard user rights within the larger surveillance architecture?
To predict the route that technology companies will adopt in the tussle between advocating for user privacy and acceding to lawful surveillance, it is necessary to distill the specific interests that tech companies have in going either way. Viewed as pure corporate actors following rational self-interest, it may seem unwise for the companies to assume any additional burden of resisting requests for access to data, even when requests may be overbroad or vague. This holds doubly true when American companies undertake the collective responsibility of addressing requests from foreign governments and are called on to find a fix to the current overburdened cross-border regime for data sharing.
Largely, the current scholarship falls on one of two sides of this debate. The first, popularized by Rozenshtein, adopts an empathetic view that companies as surveillance intermediaries have brought about an overall positive change or “disciplining effect” on the surveillance regime—through pushback in courts and mobilizing public opinion for the benefit of user privacy. Rozenshtein goes so far as to argue that tech companies have never before relied so significantly on a foreign user base and resisted government surveillance this aggressively in part due to their “intense libertarian aversion to government invasions of privacy.”
The second is more cynical in its outlook where scholars argue that tech companies shielding or delivering information to law enforcement is all happenstance and purely an outcome of their pervasiveness in our digital economy. Users should have no expectations to think a “technology company can and should be responsible for its users’ rights.” Regardless, the consensus across the two schools is loud and clear. Tech companies post 2013 Snowden disclosures have a commercial incentive to challenge lawful government surveillance and advocate for users rights; and indeed on the whole until now, companies’ actions support this contention.
However, this contention overall no longer holds any water. As I have outlined above, the incentives of tech companies are no longer aligned with the interests of users – at least Indian users. By conceding, indeed, complying with the Indian government’s mandate to store data locally in the absence of adequate privacy safeguards, tech companies’ interests have conclusively aligned with the government and regulatory interests and no longer appear aligned with those of Indian users; and by extension users in all emerging markets. The incentive to launch a new service in a crucial market or the act of conceding to localization in order to not attract other adverse regulatory mandates are compelling reasons for companies to abandon their seemingly voluntary role as privacy negotiators. Instead, the assertion that companies often choose to fight for user privacy because of their profit motives and not in spite of them—as advanced by the above mentioned cynical school—does a better job of explaining the turn of events helmed by tech companies in the country. Simply put, tech companies find themselves in a conflict of interests—advancing their market priorities versus prioritizing user privacy.
This relationship between tech companies and users stands fundamentally altered with the growing recognition of tech companies as fiduciaries. India’s upcoming draft data protection bill may well be one of the first few legislations that articulates this duty of care for tech companies – recognizing any individual, state, company, or juristic entity who determines the purposes and means of processing personal data (either alone or in conjunction with others) as data fiduciaries.
The constitutional law scholar Jack Balkin first proposed extending the common law doctrine of fiduciary relationships to the digital economy – and coined the term “information fiduciaries” (Source: Jack M. Balkin, “Information fiduciaries and the first amendment.” UCDL Rev. 49 ,1183, 2015). This proposal has gained wide acceptance, with the drafters of India’s data protection bill adapting it to develop a “fourth path” to deliver a data protection regime, distinct from the U.S., EU and China – relevant not just to India but to “all countries in the Global South”.
As information fiduciaries, tech companies including social media, search engines, etc. will have to discharge duties of care, confidentiality and loyalty towards users whose data they collect, store and use (Source: Jack M. Balkin, “Information fiduciaries and the first amendment.” UCDL Rev. 49 ,1183, 2015). This fiduciary responsibility bestowed on companies is over and above the contractual rights that users are entitled to and further confers the duty on companies to adopt a professional code of ethics to protect the data principal’s or user’s interests. Balkin likens this duty to that of a doctor’s or lawyer’s:
Suppose that a doctor, lawyer, or accountant sold personal information about their clients to a data broker. Suppose that they used personal information to manipulate a client’s actions for the doctor, lawyer, or accountant’s benefit. Or suppose that they simply disclosed it in order to gain a business advantage at the expense of their client. If they did any of these things, they would likely be liable for a violation of professional conduct … Even absent an express promise not to reveal, use or sell information, there is a duty not to do so in ways that will harm the interests of the client, or that pose a conflict of interest.
The fiduciary relationship between users and companies, however, is not extended to all online service providers who operate in the digital economy. Instead, four criteria must be met for a company to be considered an information fiduciary; whether users are placed in a position of significant vulnerability, whether users disclose personal information to the company in return for gaining access to important online services; and finally whether the company holds disproportionate volumes of data about the user which can be used against her interest (Source: Jack M. Balkin, “Information fiduciaries and the first amendment.” UCDL Rev. 49 ,1183, 2015, and Jack M.Balkin, “Fixing Social Media’s Grand Bargain.” Hoover Working Group on National Security, Technology, and Law, Aegis Series Paper 1814,2018.) Admittedly, India’s draft data protection bill adopts a broader sanction, indeed conferring the fiduciary duty on all actors who process personal data in the digital market.
The criteria set out above, however, are wholly met by private tech firms in the current surveillance ecosystem for the reasons I stated above – that tech companies are the first and last line of defense. While the above excerpt suggests that tech companies must be able to avoid conflicts that harm the interests of clients, or in this case users, altogether – the reality is not as wishful. Instead, with the statutory recognition of their fiduciary duty, tech firms have an obligation to carry out their duty of loyalty by resolving any conflict of interest to the benefit of their users’ interests and not their own. Therefore, as privacy negotiators, tech companies must respond to surveillance by not endangering the privacy of their users by localizing data in the absence of adequate safeguards, but instead work towards a sustainable workaround. Commentators have argued that the government’s push towards data localization in the data protection bill (and companies acceding to this demand) undermines the fiduciary relationship laid out in the very same bill – increasing not just privacy but the security risks of users located in India.
Indeed, the duty of loyalty translates into fiduciaries ensuring that they use data “only in ways that are consistent with users’ expectations.” (Source: Ariel Dobkin, “Information Fiduciaries in Practice: Data Privacy and User Expectations.” Berkeley Tech. LJ 33 2018: 1.) Expectations of Indian users can be easily traced in the submissions to MeitY during the recent public consultation process on the data protection bill. Not only has a significant section of civil society and industry opposed the localization mandate but there is also a growing consensus that an India-U.S. agreement under the CLOUD Act must be considered as a policy alternative. Therefore, as privacy negotiators bestowed with a fiduciary duty, tech companies must strive to leverage their clout to push for such an agreement.
The whole-of-government approach adopted by Indian policymakers combined with the support from the law enforcement and national security community has all but cemented the government’s single-minded objective of demanding U.S. companies to store personal data locally. This move cannot be seen in isolation – only stemming from the challenge that the Indian government currently faces either in accessing user data or enforcing domestic regulations. The government recognizing that data is a “strategic asset” is motivated to level the playing field between Indian and foreign players in the digital economy; even appointing industry representatives with reported conflicting interests to policy drafting committees. While there is acknowledgement that localization is not a silver-bullet solution for all of these multifarious concerns, law enforcement access is viewed as the only challenge that will definitively be solved by localizing data within Indian borders. With the lines between global tech companies and their Indian counterparts drawn, Indian companies have thrown their support behind localization; expecting that it will give them a competitive advantage against the outsized resources that the technology giants command.
Other developments over the past year have also contributed to a confrontation between foreign tech companies and the Indian government. The reveal, for instance that the Cambridge Analytica leaks had led to sharing of personal information of 560,000 Indians with the political consulting firm. And more recently, Twitter initially declining to appear before the parliamentary standing committee on information technology.
From the perspective of the users, however, there is a dawning realization that critical safeguards for privacy may be lost in this battle for compliance between the government and companies. Especially in the surveillance regime it is ultimately only companies that may have a legal standing to resist requests for excessive collection of user data – further cementing the role that they can play as privacy negotiators. In effect, global technology companies wield significant bargaining clout that,at least until now,as been used sparingly when user privacy has coincided with their commercial interests. On the face of it,that seems to be changing.
Major U.S. tech companies have openly supported President Trump’s signing of the CLOUD Act. Microsoft, for instance, has committed to additional privacy protections on top of the CLOUD Act including the requirement for prior-judicial sanction before responding to request. Apple is contributing to making the process more transparent by training law enforcement officials from around the world in lawful data collection and by creating a web portal for requesting user data and tracking the status of these requests. More recently, Amazon Web Services joined the list of prominent technology companies that have lent support to the CLOUD Act as the answer to data collection for law enforcement.
This support is not insignificant. With their sheer size, near complete integration with the digital economy and transnational operations, the companies have begun to resemble nation states in multilateral negotiations and as such will have a huge bearing on whether the new framework succeeds or fails.
However, as I have examined in Part II of the article, even as companies openly voice support for frameworks such as the CLOUD Act, their actions in response to regulatory pressure in India suggest otherwise. A critical consideration in this equation, however, is users’ trust in the companies’ ability to protect their data and privacy. This trust is not limitless and for it to persist, companies will need to walk the talk of safeguarding user privacy.
Frameworks like the Cybersecurity Tech Accord, signed by over 100 global companies committed to protecting users against malicious cyber threats (even those emanating from state actors), are symbolic of the clout that global tech companies can leverage – an initiative that need to be encouraged in conversations around law enforcement access to data.
Law enforcement demands for access to data have coincided and intensified with the evolution of electronic communications. And yet, the contours of this access are more fluid today than they have ever been and will only get murkier in the coming years. Two paradoxical trends in technology lend credence to this fact: even as larger and more complex data sets become available, a pivot towards anonymising technologies is likely to make more and more data inaccessible to law enforcement.
Law enforcement demands for access to data have coincided and intensified with the evolution of electronic communications.
Earlier this year, Facebook – arguably the most important arbiter of user privacy – announced the eventual merging of its three messaging services and the creation of an ecosystem where the chat app essentially becomes a web browser. The more significant part of the announcement, however, was the deployment of WhatsApp-like encryption across all its services. The company would store no content data and would therefore not be in a position to share it with law enforcement. This pivot towards universal encryption is likely to intensify the present demands for data access and a resurgence of the dichotomous debate around user privacy versus national security.
At the same time, as emerging technologies like facial recognition, wearables, and smart assistants become commonplace, they will create highly sophisticated datasets including behavioral data – compounding both the volume and types of data that can be available for criminal investigations.
While encryption will further frustrate law enforcement attempts to access data, new and emerging datasets will increase their dependence on technology platforms. Reconciling these two demands will need fixing the problems that currently plague cross-border data sharing. An important realization that has emerged in the context of controversies surrounding content moderation and speech regulation by social media platforms has been that centralization of these complex politico-legal decisions in the hands of a few actors.
Competing priorities around ensuring national security, investigating crimes and protecting user privacy have long evaded any meaningful reconciliation. In many ways, recent developments like India’s data localization mandate have forced technology companies and privacy advocates into a corner. At the same time, new policy frameworks like the CLOUD Act have, for the first time, thrown up an opportunity to arrive at a sustainable and privacy-strengthening solution.
The pivot that technology companies make in their public policy posture now will determine the way in which this debate will be resolved. It is critical that they step up and not only bargain for stronger user protection, but also highlight to countries like India how a cooperative and not compulsive framework will better serve all stakeholders in the long run.
Madhulika Srikumar is attending the graduate program at Harvard Law School as a 2019 Inlaks Scholar. She was previously an Associate Fellow and Programme Coordinator with the Cyber Initiative at Observer Research Foundation in New Delhi.
Acknowledgments: The author extends sincere thanks to Sharon Bradford Franklin, Andrew Woods, Greg Nojeim, Heather West, Jennifer Daskal, Tim Maurer and William Carter for their valuable insights. This paper would not have been possible without the kind support of New America and the invaluable guidance provided by Awista Ayub and Melissa Salyk-Virk. The author would also like to thank the 2019 India-US Fellows. All errors in this paper are the author’s alone.