How Stricter Procedures in Existing Law May Provide a Useful Path for Cloud Act Executive Agreements
The Cloud Act authorizes the U.S. government to enter into executive agreements with other nations, so long as listed privacy and human rights protections are built into those agreements. One prime requirement is that the non-U.S. government request for criminal evidence “shall be subject to review or oversight by a court, judge, magistrate, or other independent authority prior to, or in proceedings regarding, enforcement of the order.” This requirement of “review or oversight” by a judicial officer could split the world into two categories – countries who use judicial process to get evidence (such as many EU countries), and countries who do not. To date, some observers have assumed that the latter countries are simply not eligible for a Cloud Act executive agreement.
This post shows why this assumption may be mistaken. We examine the example of India, where standard practice is for a law enforcement officer to request evidence, without participation by a judge. Indian law, however, also already authorizes a judicial process for seeking that evidence. This judicial process creates a hitherto-unsuspected way to implement a Cloud Act agreement – an executive agreement could apply to requests in India that use the judicial route, even where non-judicial requests would not qualify.
One advantage of this approach, in terms of implementing the Cloud Act, is that current law in India thus appears to authorize judicial “review or oversight.” Executive agreements are likely to be easier to negotiate and implement to the extent that they can succeed under existing law, rather than needing legislative enactments. Building on the India example, other nations may have options under existing law that similarly meet Cloud Act requirements, even though current practice doesn’t always use those options. More attention should be paid to existing (even though little-used) legal authorities – these authorities may qualify for the Cloud Act, even where other current procedures do not.
The Cloud Act’s Requirements for Foreign Evidentiary Process
18 U.S.C. § 2523 contains the Cloud Act’s executive agreement eligibility requirements for foreign governments. These requirements include, in part, detailed requirements for any order issued by the foreign government subject to a Cloud Act executive agreement, including that any order:
(i) Shall be for the purpose of obtaining information relating to the prevention, detection, investigation, or prosecution of serious crime, including terrorism;
(ii) shall identify a specific person, account, address, or personal device, or any other specific identifier as the object of the order
(iii) shall be in compliance with the domestic law of that country, and any obligation for a provider of an electronic communications service or a remote computing service to produce data shall derive solely from that law
(iv) shall be based on requirements for a reasonable justification based on articulable and credible facts, particularity, legality, and severity regarding the conduct under investigation; and
(v) shall be subject to review or oversight by a court, judge, magistrate, or other independent authority prior to, or in proceedings regarding, enforcement of the order.
As described in further detail below, Indian Code of Criminal Procedure authorizes law enforcement officers to demand the production of evidence without any judicial process, which is a part of Indian law enforcement’s standard practices. Since this authority is not necessarily subject to independent review or oversight, that practice would not meet subsection v’s requirement above. Just because this standard practice does not meet the Cloud Act requirements, however, does not exclude the possibility of other Indian law procedures that would qualify.
Authorized Investigatory Powers under Indian Law
Indian law enforcement has the authority to order the production of electronic evidence under a number of different authorities, including the Code of Criminal Procedure (“CrPC”), the Information Technology Act, and the Telegraph Act. In practice, Indian law enforcement officers generally rely on their own authority under Section 91 of the CrPC to require the production of any document “necessary or desirable for the purpose of an investigation, inquiry or trial.” Unsurprisingly, it appears that law enforcement regularly makes use of this broad authority, even continuing to order the production of data under the CrPC despite stricter provisions in other specialized statutes like the IT Act and Telegraph Act.1
Section 91 in the alternative authorizes courts to issue summonses for the production of data, as long as the document satisfies the same “necessary and desirable” standard. Case law suggests that this authority has typically been used by the accused, complainants, and prosecutors who would petition the court to compel the production of documents at various stages of a trial. The Indian Supreme Court has noted, however, that a police officer can petition the court as well to compel the production of evidence “for the purpose of an investigation, inquiry, or trial.”2 Under that Supreme Court statement, a law enforcement officer would be able to request a judicially authorized order for evidence, an apparent match with the Cloud Act’s requirement of judicial “review or oversight.”
Issues of specific versus general warrant arise under section 93 of the CrPC, which authorizes the court to issue a search warrant if it has reason to believe that the object of the warrant will not produce the information sought pursuant to a Section 91 demand. In issuing a warrant, the court has the authority, under the Cloud Act language, to “identify a specific person, account, address, or personal device.” Section 93, however, does not require such specificity. Section 93 also explicitly permits general warrants where the information sought is not known to be in the possession of a specific person, or where the court believes the proceeding will be served by a general search or inspection.
Our point is the following. Indian law in some cases may not meet the Cloud Act requirements because: (i) law enforcement acts without judicial review or oversight; and (ii) the scope of searches may be too general rather than specific. A Cloud Act executive agreement can nonetheless operate with India, however, if : (i) the order uses the judicial process under Section 91; and (ii) the order is defined with sufficient specificity. Requests that meet those two requirements, permitted under existing Indian law, could be eligible for Cloud Act treatment, while other requests would not.
We highlight here the multiple procedures that a government can use to access criminal evidence. The phenomenon we describe exists in U.S. law as well. To take one example, the Right to Financial Privacy Act authorizes government access to evidence under the non-judicial administrative subpenas (sic) of Section 3405, or judge-ordered search warrants or judicial subpenas under Sections 3406 and 3407. The Electronic Communications Privacy Act similarly offers a judicial and a non-judicial option under 18 USC 2701(b): (i) an administrative or grand jury subpoena can seek evidence, where there is prior notice from the government to the subscriber or customer; or (ii) a court order from a judge is also available, without the requirement for prior notice.
In short, a country such as India may have some procedures that comply with the Cloud Act, even when other existing procedures do not. An executive agreement can authorize the streamlined non-U.S. government access to evidence using the procedures that comply. Where these alternative procedures exist, such as under CrPC 91, the executive agreement may become much easier to negotiate. India, for instance, could meet the Cloud Act requirements without the need for new legislation, and without needing to change its criminal procedure for all cases. Only Cloud Act-compliant requests would qualify for the streamlined treatment. More generally, for other countries seeking executive agreements, a careful review of existing legal procedures and safeguards may reveal that these countries meet more of the Cloud Act’s requirements than is obvious on first glance.
i Some scholars have argued that reliance on the CrPC in spite of more specialized procedures may not be lawful. See Sunil Abraham & Elonnai Hickok, Government access to private-sector data in India, 2(4) INTERNATIONAL DATA PRIVACY LAW 302, 304 (2012).
ii State of Orissa vs. Debendra N. Padhi,  2 SCC 711 (“When the section refers to investigation, inquiry, trial or other proceedings, it is to be borne in mind that under the section a police officer may move the Court for summoning and production of a document as may be necessary at any of the stages mentioned in that section.”)