“We need to have a fool-proof mechanism to define rules, procedures and the regulations. How law enforcement can intervene and investigate…that has to be clearly defined and there should be a very clear-cut reasonability in place. What kind of things they can call out? What kind of things they can ask for? If we have these kinds of things in place, only then we can elevate the confidence level of the [Indian digital] ecosystem across the globe,” stated Atul Kumar from the Data Security Council of India, a panelist at MediaNama’s MarketsNama conference held on May 19, 2023.
Speaking at the fourth session of the event — “Privacy, Cybercrime and Cybersecurity” — Kumar and other panelists touched upon what the upcoming Digital India Act (DIA) must entail, to improve cooperation between law enforcement agencies and companies, service providers, or data centres when it comes to cybercrime investigation. The panelists also talked about the kinds of challenges both entities face when dealing with data requirements for tackling cybersecurity-related crimes.
FREE READ of the day by MediaNama: Click here to sign-up for our daily newsletter with the top story of the day delivered daily before 9 AM in your inbox.
What must be considered in the Digital India bill?
As per IT Minister Rajeev Chandrasekhar’s indication at the DIA consultation in Mumbai on May 23, the first draft of the digital India bill is expected to be released in the first week of June. When asked about how law enforcement can be strengthened without compromising on the rights of individuals and companies, the panelists broadly emphasised the following points to be considered in the DIA:
- Privacy: Panelist Sukanya Thapliyal, from Centre for Communications Governance, is of the view that the analytical framework provided by the Puttaswamy judgment must be applied to test if certain law enforcement actions infringe upon privacy rights of citizens. She noted that the requirements of necessity and proportionality laid down in the privacy judgment must be “infused with provisions in the IT Act”. This, she said, “can provide some sort of guideline to the legal enforcement agencies who want the access of data, to first justify some of these aspects and within these, we can also think of infusing provisions including concepts like data minimization, purpose limitation, or access control”.
- Reasonability: Kumar added that in order to protect privacy, it is important to check whether the demand for data is reasonable. This pertains to the amount and kind of data law enforcement agencies ask for, and what the company can substantially provide in the given time frame. For example, it will be difficult for a service provider to give access to data that’s ten years old or is bound by sectoral laws at the time. Thapliyal also pointed out the conversations of mutual legal assistance with other countries at the UN Cybercrime Convention and certain provisions that provide guidance on what a requirement list for data should look like. If a similar guide is included in the DIA, it would make things easier for law enforcement agencies and also for service providers when they have to meet demands for data requirements.
- Safeguards: Further, Kumar stated that there must be a mechanism in place to safeguard the data that’s been collected, to prevent intermediaries from facing action if sensitive information is being misused by notorious actors.
- Data minimization: Panelist Venkatesh Krishnamoorthy, from BSA, The Software Alliance, emphasised the need to include provisions that may build contours around the kind of data that authorities can ask for and the way they can ask for it. Currently, law enforcement agencies may ask for all kinds of data without any specifications, which greatly exposes people’s personal information. The speaker stated that including provisions around data minimization can limit the scope of data accessed by authorities to only what’s required for specific cases.
- Procedural clarity: Krishnamoorthy noted that the DIA should include provisions that can offer clarity over rules for making different kinds of data requests. This must broadly categorise the kind of requests that need judicial pre-authorisation and those that need to be reviewed post-facto by another body. This, he said, will tackle the challenges of dealing with blanket requests for data.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
What Are The Problems That Companies Face When Law Enforcement Agencies Demand For Data? #NAMA
“Should There Be Safe Harbour At All?”: 30 Talking Points From The Digital India Act Consultation
Video: MarketsNama 2023, Delhi, 19th May
How The IT Act Allows The Indian Government To Spy On Internet Connections
Five Talking Points From Data Security Council Of India’s Discussion About Digital India Act’s Impact On Cybersecurity
You must be logged in to post a comment Login