Handling cross-border cybercrime cases in India involves a complex process due to the involvement of multiple jurisdictions, legal frameworks, and international cooperation mechanisms. Indian courts employ various strategies to address cross-border cybercrimes effectively. Here's an overview of how Indian courts handle such cases: 1. Jurisdictional Challenges: Determining Jurisdiction: Indian courts may face challenges in determining jurisdiction over cross-border cybercrimes, especially if the perpetrator or the target of the crime is located outside India. Territorial Jurisdiction: Jurisdictional issues may arise based on where the crime was committed, where the perpetrator resides, or where the victim is located. Indian courts may assert jurisdiction based on principles of territoriality, nationality, or passive personality. 2. Mutual Legal Assistance: International Cooperation: Indian authorities may seek mutual legal assistance from foreign governments and law enforcement agencies to gather evidence, extradite suspects, or coordinate investigations in cross-border cybercrime cases. Extradition Treaties: India has extradition treaties and mutual legal assistance agreements with several countries, facilitating cooperation in cross-border criminal investigations and prosecutions. 3. Cybercrime Laws and Treaties: Applicable Laws: Indian courts apply relevant domestic laws, such as the Information Technology Act, 2000, and the Indian Penal Code, to prosecute cybercrimes committed within Indian jurisdiction. International Treaties: India is a signatory to international treaties and conventions addressing cybercrime, such as the Budapest Convention on Cybercrime. Indian courts may consider these treaties when dealing with cross-border cybercrime cases and cooperate with other countries in accordance with their provisions. 4. Digital Evidence: Admissibility of Digital Evidence: Indian courts have developed procedures for the admissibility of digital evidence, including electronic documents, computer records, and digital communications, in cybercrime cases. Forensic Expertise: Courts may rely on forensic experts to analyze digital evidence, trace the origin of cyber-attacks, and establish the identity of perpetrators involved in cross-border cybercrimes. 5. Cyber Cells and Law Enforcement Agencies: Specialized Units: Indian law enforcement agencies, such as the Cyber Crime Cells, Cyber Crime Investigation Cells, and National Cyber Crime Reporting Portal, are tasked with investigating and prosecuting cybercrimes, including those with cross-border implications. International Liaison Officers: Indian agencies may appoint international liaison officers to facilitate communication and cooperation with foreign counterparts in cross-border cybercrime investigations. 6. Judicial Cooperation: Judicial Assistance: Indian courts may seek judicial assistance from foreign courts through letters rogatory or other international legal instruments to obtain evidence, enforce orders, or coordinate legal proceedings in cross-border cybercrime cases. Conclusion: Handling cross-border cybercrime cases in India requires a coordinated approach involving legal, diplomatic, and law enforcement measures. Indian courts address jurisdictional challenges, seek international cooperation through mutual legal assistance and extradition treaties, apply relevant cybercrime laws and international treaties, admit digital evidence, rely on forensic expertise, and collaborate with specialized cybercrime units and law enforcement agencies to effectively investigate and prosecute cross-border cybercrimes while upholding principles of due process and international law.
Answer By Ayantika MondalDear client, Introduction The average internet user in India consumes about 10.40 gigabytes (GB) of wireless data per month on communications, entertainment, information and a host of other online services. As personal and commercial interactions increasingly move to the digital space, the state’s interest in gaining better knowledge about these transactions has also increased. More detailed information about such transactions may help a state design better policy interventions, monitor regulatory compliance, and discharge its law enforcement functions more effectively. State agencies’ ability to gain access to data for law enforcement purposes is shaped to a significant extent by the cross-border character of digital transactions. This includes situations where the entity in control of the data or the location of the stored data may be based outside the country. Per the European Commission’s estimates, electronic evidence is needed in around 85 percent of criminal investigations, two-thirds of which involve online service providers based in another jurisdiction. Similar figures are not available for India, but transparency reports released by service providers offer a valuable indicator of the growing digital footprint of criminal investigations. For instance, Facebook received 49,382 information requests from India in 2019, three times higher than the request volume in 2016. Similar trends have been seen in transparency reports from Google and Twitter. This trend may be attributed, in part, to the sharp rise in India’s internet user base in the last three to four years. This explosive rise has led to a corresponding increase in the volume of digital transactions, many of which tend to have cross-border elements. Cross-border data access requests are governed both by the local laws of the country making the request, and those of the jurisdiction where the entity receiving the request or its data storage facility is based. Often, these laws may limit personal data access by third parties, including foreign government agencies. The normal route to gain access to data under such circumstances is through the use of MLATs (mutual legal assistance treaties). As of November 2019, India had entered into MLATs with forty-two countries and was a signatory to six international conventions with mutual legal assistance provisions. However, the MLAT route remains widely criticized for being slow and cumbersome and lacking sufficient data protection safeguards. As a result, policymakers have sought other alternative models of data access for law enforcement purposes, making it a recurring theme in many policy discussions. Access to data for crime detection and evidence gathering was a rationale given by the Justice B. N. Srikrishna Committee on data protection while proposing the localization of personal data in India. Following the findings of that committee’s report, the government introduced a draft Personal Data Protection Bill (PDP Bill) in 2019, which provided for local storage only for sensitive data but local storage and processing for more critical types of personal data. The draft intermediary guidelines, which have been in the pipeline for about two years, are another attempt to make intermediaries more responsive to law enforcement requests. For instance, the draft rules require intermediaries to furnish a prompt response to information requests (within seventy-two hours) and mandate a local incorporation requirement for intermediaries above a certain size, which is presumably meant to ensure better enforcement. Most recently, the Kris Gopalakrishnan Committee on nonpersonal data has spoken about simplifying access to data for national security, law enforcement, legal, and regulatory purposes. Existing Mechanisms for Cross-Border Data Access Law enforcement agencies typically request data that fall under three broad heads. The first is basic subscriber information, such as name, age, address, and other details that the subscriber provides at the time of enrollment. The second is traffic or metadata, including the origin, destination, time, and duration of the communication. The third involves the underlying content of the communication, which could be in a stored form or may entail the interception of live communications. On receiving a valid request under Indian law, ordinarily the responding entity is required to provide the requested information from any of these categories. However, in practice, domestic law enforcement agencies have varied ability to gain access to the data, depending on the nature of the information requested, the location of the service provider or the data storage facility, and the laws governing each of these aspects. Other factors, like data encryption, can also affect authorities’ ability to access certain kinds of data. According to the United States’ Stored Communications Act, entities that fall within its jurisdiction are barred from sharing the contents of stored communication, except in accordance with the provisions of that law. One of the permissible forms of access is through a court order passed in the United States, if the requesting entity can demonstrate that there are “reasonable grounds to believe” that the contents being sought are relevant for an ongoing investigation. Law enforcement agencies in India may also take advantage of this option by asking their U.S. counterparts to seek a court order for access to data pursuant to the terms of the MLAT between the two countries. U.S. law also permits service providers to share non-content-related records or other information pertaining to a subscriber with foreign agencies on a voluntary basis. Another available access route is to seek information through the LR process. An LR is a formal request issued by a criminal court in India, at the request of an investigating agency, seeking the assistance of a court or authority in another jurisdiction for gathering evidence. This process is often used in situations where there is no MLAT between the parties or the information being sought falls outside the scope of the treaty. In addition, an LR can be issued to any other country without a bilateral or multilateral arrangement, based on an assurance of reciprocity. In addition, India is also a member of the G7 (Group of 7) 24/7 Cybercrime Network. This network of about eighty countries was formed “to enhance and supplement (but not replace) traditional methods of obtaining assistance” by enabling the preservation of electronic evidence in other participating countries. Its genesis lies in the recognition that delays in being able to obtain access to evidence held in another jurisdiction could result in the loss or destruction of the electronic evidence. To address this concern, each member of the network agrees to designate a twenty-four-hour point of contact for handling preservation requests and to make best efforts to get internet service providers to freeze the information that may be required for law enforcement purposes. This mechanism, however, focuses only on the preservation of information and not its production, so countries still must rely on MLATs or LR for that purpose. Challenges of the Present System Despite the availability of these different mechanisms, law enforcement agencies in India have reported practical difficulties in gaining access to data in a cross-border context. The first issue relates to delays in gaining access to the required information under the MLAT/LR route. As described above, the process of obtaining data through the MLAT route can be complex, involving multiple agencies in both countries. The LR process, similarly cumbersome, can be even slower than the MLAT route. As per a 2013 report prepared by the U.S. President’s Review Group on Intelligence and Communications Technologies, Liberty, and Security, MLAT requests submitted to the United States took an average of about ten months to be completed. The delay in the processing of data requests, coupled with the denial of the request in many cases, has become a sore point for law enforcement agencies in other jurisdictions. At the same time, at least part of the delay and denial of data requests can be attributed to requests that are incomplete or poorly drafted. In a bid to address some of these issues, India’s Ministry of Home Affairs recently released a new set of guidelines on the data request process. The stated objective of the guidelines, which also deal with the issue of summons and judicial documents, was to streamline the MLAT process and make it compliant with international norms. The guidelines set out a step-by-step guide for making MLAT/LR requests. They contain instructions on the form, content, and language of requests as well as the grounds that the investigating agency should consider before initiating the request. These grounds could include an assessment of the necessity, timelines, potential grounds of refusal, legal basis, need for confidentiality, and limitation period. The guidelines also offer a template of the request format. The standard forms and checklists given under the new guidelines offer a significant improvement over the existing process. Yet it is also important to acknowledge that neither the MLAT nor the LR processes were originally designed to handle the massive volumes or types of requests that they now experience. To put this in perspective, India’s first MLAT with Switzerland was signed in 1989, well before the introduction of internet services in the country. Expecting the same systems to cope with the current situation of more than 700 million internet subscribers, and the increasing reliance of criminal investigations on electronic evidence, may well be a tall order. To the extent that countries are able to seek direct access to subscriber information from service providers, the limitation of scope (limited to noncontent data) and significant discretion given to service providers remain a cause of concern for the authorities. At present, each service provider specifies its own mechanism through which law enforcement requests must be made. For instance, entities like Google, Twitter, and Facebook maintain separate systems through which law enforcement agencies can submit and track requests, while China-based TikTok specifies an email address to which the requests must be sent. Some of the requirements in the processes adopted by different companies are that a lawful request should come from an official (not personal) email address; be issued on an official government letterhead; and should clearly identify the law at issue, the account whose details are being requested, and its link with the investigation. In addition, emergency data request mechanisms are also available for situations where the information being sought is necessary to prevent an imminent threat to a person’s life or safety. Interviews with service providers and their affiliate entities also brought to light certain issues that they face in the handling of data access requests by law enforcement agencies. They highlighted that service providers often receive requests that contain errors, are missing important details, or seek information that is not available with the Indian affiliates of global businesses. Further, the requests may contain unclear language or may not specify the legal provision under which the request is made. It was also pointed out that requests are sometimes sent based on defunct laws, such as section 66A of the Information Technology Act, 2000, which has been invalidated by the Supreme Court’s decision in Shreya Singhal v. Union of India. Receipt of requests that are not sent from government email accounts was another repeated concern. One of the respondents also brought up the issue of receiving multiple requests for the same piece of information from different departments, and even from different persons within the same department. All of these insights suggest that besides thinking about the scope of powers available to law enforcement agencies, improvements in their internal processes and capacity-building initiatives would also be in order. Recommended Approach The Ministry of Home Affairs’ latest guidelines on handling of MLAT requests is an example of a unilateral effort by India for strengthening its existing MLAT enforcement. The United States also has undertaken an MLAT reform process that reportedly helped reduce its caseload backlog by a third. Any kind of broader MLAT reforms, however, would have to be undertaken as a bilateral or multilateral initiative. This may include the renegotiation of existing agreements or entering into new ones, which can take place only through consensus among the contracting parties. Accordingly, India will need to work with other nations to improve the existing MLAT framework. Such improvements may include increasing the geographic spread of such agreements and pursuing measures to reduce delays and enhance protection of human rights. Some specific suggestions that have been made in this regard are as follows: Increased resources, infrastructure, training, and digitization of the MLAT process Strengthened due process requirements, including defendants’ ability to request evidence Improved privacy standards by incorporating requirements of necessity, proportionality, and encrypted transmission of data Better transparency regarding requests and responses However, as the following sections indicate, the willingness of state parties to undertake systemic MLAT reforms might be overshadowed by the shift in focus toward direct data access arrangements. While India formulates its strategic position on such arrangements, it can take several steps at the domestic level to improve existing data access provisions. First, India needs to develop robust and transparent SOPs (standard operating procedures) or guidelines on the process through which law enforcement agencies can request data access from service providers. The proposed SOPs must be grounded in existing laws. As the subject of “criminal procedure” falls under the concurrent list of the Constitution of India, the Ministry of Home Affairs can issue the proposed guidelines and, if required, each state government may modify them as appropriate. Per an affidavit submitted by the central government before the Supreme Court, the government already has SOPs on this issue although a copy of it is not available in the public domain. However, the current SOPs do not specify the agencies that are authorized to call for information under it and have also been criticized for the lack of accountability and appropriate safeguards. An improved set of SOPs would, therefore, be in order. Similar to the guidelines for mutual legal assistance requests, the guidelines for direct requests to service providers should specify the applicable step-by-step process; authorized agencies and officers; and the format, expected content, and language of the requests. The following list presents specific suggestions regarding the form and content of data requests sent to service providers. Any request should be initiated only from an official government email address of a designated official of an authorized law enforcement agency. It should be signed and on the letterhead of the requesting authority. It should cite the legal provision under which the request is being made. It should specify the number and details of the first information report and a brief note on the link between the case and the requested information. It should clearly identify the scope of the data request, including the relevant identifier of the target for which data access is being requested. Second, the guidelines referred to above should be framed through an open and consultative process. Once adopted, they should be incorporated in the training programs for police personnel, judicial officers, and staff of law enforcement agencies. In addition to the training on Indian laws and procedures on data access, it may be useful to include basic training on the laws and standards of certain other jurisdictions that may have a significant bearing on cross-border data requests. For instance, the United States’ Stored Communications Act is one such legislation, which limits the ability of U.S. service providers to provide certain kinds of data. Knowledge of such provisions can help law enforcement bodies in India understand the limitations of current cross-border access arrangements and take them into account while framing their requests. Third, it would be useful to have a streamlined mechanism to transmit, authenticate, and complete requests being sent from law enforcement agencies to service providers. At present, each service provider maintains an independent system for managing data requests, making it necessary for law enforcement agencies to navigate these different systems. A new law enforcement data request platform could identify the various service providers to whom data requests are being sent and facilitate back-end integration with different providers while maintaining a common front-end platform for the law enforcement agencies. A streamlined system of this sort should include features like access controls and follow industry standards of encryption and other mechanisms to ensure secure data transmission. Section 91 of the CrPC provides that an order summoning the production of a document or any other thing can be issued by a court or the “officer in charge of a police station.” The proposed system, therefore, should be able to confirm that any request sent through it is verified to be from an officer that satisfies this condition—a consideration that a service provider may not find it easy to confirm on its own. The logs of information requests and responses exchanged on this platform can form the basis for necessary government transparency on the number and nature of data requests. Facilitating such enhanced transparency about data access requests for law enforcement purposes should be an integral part of the system’s design. Finally, inter-state and intra-agency coordination on data information requests should be enabled to ensure an optimum utilization of time and resources. For instance, the government of Jharkhand has put in place an Online Investigation Cooperation Request Platform, through which any investigating officer in the country can request authorities in Jharkhand for cooperation regarding investigation of cyber crimes. The scope of such initiatives can be expanded to include collaboration on data requests being sent to service providers, where such data may be required by more than one authorized agency in connection with the same investigation. All such requests would, however, have to adhere to strict authentication requirements and security safeguards, including those listed in the first and second recommendations. This is to ensure that the proposed coordination mechanism should not become the basis for unchecked data sharing among government agencies. Should you have any queries, please feel free to contact us!
Discover clear and detailed answers to common questions about Cyber Crime. Learn about procedures and more in straightforward language.