Governance & Risk Management , Privacy , Professional Certifications & Continuous Training
Is India Ready for an Email Privacy Act?Citing Governance Issues, Leaders Cast Doubt on Prospects
Early last week, the U.S. House of Representatives unanimously approved the Email Privacy Act. The measure would require law enforcement to obtain a warrant before compelling third-party service providers to surrender their customers' email and text content (see: House Unanimously Approves Email Privacy Act). Is India ready for similar legislation, given that there is no overarching privacy law in India?
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
Many observers believe that privacy can be a true game-changer for Indian enterprises in 2016. But privacy practitioners and leaders must help ensure that the discussion evolves into how privacy can help organizations drive business growth. Should email privacy be part of India's pending update to its Right to Privacy Bill? Some argue it is critical for India, considering that the industry is majorly dependent on outsourced partners or managed service providers (see: New Demand for Managed Services).
"As the government is about to release India's Right to Privacy Bill, it is critical to incorporate email and electronic communications privacy as the key subject of the bill," says Mumbai-based Prashant Mali, a High Court attorney and cyber law expert. "This bill should mandate compulsory data leakage reporting and class suit action on defaulters."
Does India Need Such an Act?
The first constraint, says Vinaykumaran Nair, head of high tech crime enquiry cell, police headquarters, Kerala Police, is that most email servers are outside India and mostly handled by internet service providers. These entities do not cooperate with Indian law enforcement agencies in investigating cybercrime, cyber terrorism and data misuse.
"Even if there are suits registered against the service provider for leakage of information, and though they are mandated to share information with the law enforcement groups for further investigation, the respective country's legislative framework may not allow sharing," says Nair.
Besides, most believe that since the data is away and beyond the reach of law enforcement agencies, it doesn't fall under the purview of Indian legislation. "Against this backdrop, having an email policy may not be effective," says Nair.
Kinshuk De, head, business operations, enterprise security risk management, at Tata Consultancy Services, predicts that India will not pass such an act because balancing national security and privacy is always difficult, as keeping information secure and private takes precedence.
The major constraint is law enforcement having to obtain a warrant before compelling the third-party service providers. Most often, Nair says, the challenge is to obtain a court order to carry out further investigation if a case is registered. "In India, out of 1,000 complaints of data leakage of cyber crime, only 100 are registered; for that, we have to wait months to obtain a warrant for further investigation, which is a big bottleneck."
Coimbatore-based S. Ravichandran, cyber crime investigator and member of CyberSociety of India agrees. "With the Indian Parliament rendered dysfunctional in the war between the government and individual privacy, there are several delusions surrounding privacy law in terms of terminology; hence it is kept on the back burner," he says.
Law Enforcement Bottlenecks
Ravichandran says law enforcement agencies are rarely consulted before any legislation is promulgated by the government, even if it has to play a major role in executing the law. "Their role is restricted to the use of the law as defined, interpreted and approved by legal advisers to the department," he says.
Mali notes: "I am skeptical about the Indian government passing such an act, as every ruling political party in India exploits LEA to its own advantage and the act, even if passed, will not make sense."
Security leaders say the existing Right to Privacy Bill 2014, which is undergoing an amendment process, falls short of details around email privacy.
For instance, Ravichandran says, "While the evidence act requires the consent of the individual or an enterprise whose data is being held by a third party to be shared, the Privacy Act doesn't clearly articulate this. In one clause, it says consent is required; in another, it says exceptions are available; hence it is ambiguous."
Practitioners argue that if the existing privacy bill can incorporate the email communication privacy clause in clear terms, it would help law enforcement in carrying out the investigation process and also help the complainant.
A few recommendations for privacy would include:
- A clear-cut procedure to determine if right to privacy is absolute or restricted. If restricted, then to what extent and the authority who can apply the restrictions;
- Prescribing limitations for service providers in sharing information and limiting access to critical data;
- The impact of the Supreme Court Judgement on 66 A of the IT Act on the definition of email, message, and freedom to communicate (see: Section 66A To Be Restored);
- The legality of using accessed data as evidence.