Paytm, India’s most popular mobile wallet has been at the centre of controversy after becoming the target of a sting operation by Cobrapost, an online investigative news platform, last Friday. The operation caught a senior vice-president of Paytm on camera claiming that the company handed over the data of its users on receiving a call from the Prime Minister’s Office in the aftermath of stone-pelting incidents in Kashmir last year.

The company, in response through a blogpost, clarified that they only respond to “legally compliant data requests from law of the land”. The company added that they respond to requests for user data only from bonafide agencies.

The larger problem, however, lies in the “law of the land” itself. Currently, law enforcement agencies requesting data from Indian online service providers primarily rely on a legacy framework in the Code of Criminal Procedure, 1973 (CrPC) that was never meant to request electronic data.

The Cobrapost Paytm story highlights, perhaps more importantly, the inadequacy of the legal system in place when requesting data from online companies that collect vast quantities of information about their users. The Paytm app requires over 20 permissions, each of which forms discrete data sets that the company has access to. Admittedly, some of this information is essential for the application to function. Many of these however can reveal significant details about the user such as precise location, contents of external storage and call logs. Existing laws in India provide little to no safeguards to protect this data.

As India undergoes an upheaval of its data protection regime, the legal system underlying government access to user data needs to be urgently revisited – the procedure needs to be clarified, safeguards built and transparency introduced.

Procedure for law enforcement access to data

An investigating officer, to obtain data from an Indian service provider for the purposes of an investigation, usually produces a written order under Section 91 of the CrPC to the person in possession of the “document or thing.”

The practice that service providers follow when responding to requests for user data has evolved voluntarily – companies have identified procedural requirements that police agencies need to adhere to. These include the requirements for a request to come from an authorised government email id, with the appropriate letterhead and containing the relevant sections under which the crime is being investigated.

While an officer can approach the concerned user directly to access data, self incrimination laws can empower the user from refusing to disclose the information.

Investigations also often require not notifying the person being investigated. Instead, officers approach the service provider to compel the production of the user information. A Section 91 order is not mandatory to comply with, but companies mostly choose to cooperate with law enforcement. Companies, however, sometimes do not offer complete information in response to a request since demands for data can often be broad in scope.

Unlike the US, under Indian law, there is no differential treatment for different types of data. There is no additional legal threshold that has to be met for an officer to access content data beyond the metadata such as IP address, device information etc. The law governing telecom and Internet service providers is markedly more onerous requiring all licensees to provide interception and monitoring services at their own cost within their companies.

It is not only law enforcement but also the government that has the legal power to access user data in the interest of protecting sovereignty, national security and public order. The Information Technology Act, 2008 under Section 69 allows any officer of the Central or state government to direct an agency of the appropriate government, presumably law enforcement agencies, to intercept or monitor communications in real time or decrypt stored data. While this provision is more detailed than Section 91 of the CrPC and is widely used for passing interception orders, police officials do not seem to rely on it to obtain data stored on company servers.

Moreover, the IT Act currently only requires an executive committee to review requests for interception – it is unclear if this mechanism is in operation – and there is no legal mandate for a court to approve a request for user information. Additionally, the section allows the government to target broadly and can access data of a “class of persons” on any particular subject.

The right way forward

At a time when these laws require closer examination, regulating government access to data does not seem to be an equally important priority as restricting commercial exploitation of data. The ‘White Paper’ released by the committee of experts established to draft the data protection law does not deal with this issue in significant detail. It merely raises the question of whether investigation of crimes and national security can be a broad exemption from the ambit of the new data privacy law. This is the exact opposite of the approach that Indian policymakers need to take.

Accessing data for law enforcement and criminal investigations should ideally be authorised by courts of law. As the Paytm episode shows, current laws and processes are susceptible to misuse as long as the judiciary is kept out of the loop.

Indian technology companies in the meantime need to be more transparent about the ways in which they share the data belonging to their users. This can be contained in law enforcement guidelines, specifically providing the legal provisions that they respond to and the procedural requirements that they demand from law enforcement agencies. They should also publish transparency reports to make users aware of the total number of such requests that they receive and the numbers that they respond to.

India is already the country making the second highest number of government requests for data to Facebook. As Indian companies grow in size and reach, requests for their data will also witness a significant rise. This is also likely to be compounded by the recent move by the Reserve Bank of India to localise the storage of financial data within India’s borders.

The Cobrapost investigation is just a sharp reminder that the threat to online privacy does not come from just corporate exploitation but also from legislative inaction.

Madhulika Srikumar is with the Cyber Initiative, Observer Research Foundation, New Delhi. She tweets @madhumachi.