Data in a company is an asset which creates value for the company. The business model of many companies is built on the concept of “Data as Raw Material” and “Processed data as finished product”. In between, there is “Data Under Process which is work in progress”, “Data Discarded as process waste or an effluent”. Hence “Data” is often seen as a valuable industrial asset by itself.
Just as a machine in the machine manufacturing company is a finished good and is a capital asset in the company where it is used for production, Data in a data processing company is a raw material or a finished good and in another company where it is used as a software or production meta data, it is a “tool of production”. In a manufacturing company where data is generated under the automated machine environment, data is a “Catalyst” or an activity record.
Additionally, “Data” is often used as an “Object of Crime” or a “Tool of Crime” when it becomes the subject matter of criminal laws of the jurisdiction in which the victim of a cyber crime may reside.
Data Processing companies and data protection professionals are often confronted with the conflict between two individuals where one is demanding information and another is resisting disclosure because of a possible violation of his privacy. In such cases, there is a conflict between “Right to information” and “Right to Privacy” both of which are individual constitutionally protected rights. In any practical situation, it may not be easy to decide whose right is legally more acceptable.
One way to resolve such conflicts is to create a documentation of a “Harm Audit” where an expert will document the pros and cons of the requested disclosure and give a value judgement on whether the disclosure be permitted or not.
Similar conflicts may also arise between the “Right of the Data Principal/subject” and the “Legitimate interests” of the organization.
Here again there is a need to conduct a “Harm audit” and document the findings. But a harm audit conducted when there is a reported conflict between the organization and a data subject will involve a “Conflict of interest” when the audit is conducted by an employee of the same organization. Such conflict is found in many activities of the Data Protection Officer and often the resolution in favour of the organization would not be acceptable to the data subject and the matter may end up in a grievance redressal muddle including courts.
In the third kind of conflict where there is a conflict between the need for disclosure to a law enforcement authority for investigation and subsequent prosecution of a crime, the organization is in a more difficult situation as any refusal could lead to the organization itself being charged with “with holding of evidence” or “Non Cooperation with a law enforcement authority” which may be offences by themselves.
When an organization is confronted with such requests from the law enforcement authority, it is essential to recognize that non compliance of the demand is not an option under the law of the land.
What is required under these situations is to first examine whether the demand has come from the right authority and after due process. If so, the demand should be honoured. However if the demand could be honoured with the use of disclosure of pseudonymous information (which may not be acceptable when the request is for identification of a potential criminal himself), only pseudonymous information may be disclosed.
Where the personal data to be released is part of the protected Personal Data under a law (eg personal data of a EU citizen protected under GDPR), then there is a possibility that the action of disclosure may come under the scrutiny of the EU regulatory authority.
While all data protection laws recognize the sovereign rights of the country where processing takes place and provides for exemption, there could be a need for the data importer-processor who has received the law enforcement demand to inform the data exporter.
While sending such requests either before or after the disclosure to the law enforcement agency, it would be better for the Data Importer to document a “Disclosure Approval” by recording a legitimate interest indicating the compelling need for disclosure arising out of the demand from a verified law enforcement agency and documenting also the harm that may be caused if any to one or more data subjects.
It must be remembered that the obligation to be compliant with local laws arises out of the law enforcement jurisdiction while the perceived conflict indicating the violation of GDPR compliance could arise out of a contractual commitment. In order to safeguard the company both ways, it is necessary to incorporate suitable provisions in all data processing agreements that demands from the local law enforcement agencies resulting in disclosure of personal data shall be permitted disclosures under the contract.
The organization shall however ensure that the principle of “Data Minimization” meaning only the data required and justified by the investigating agency shall be disclosed with an undertaking from the recipient that it shall be used only for the purpose for which it is requested and secured while in the custody of the recipient as required under law.
While disclosures under Section 69/69A/69B of ITA 2000 are reasonably protected through a process, the CrPc provisions exercised by the local police often donot have similar safeguards.
There is a need for the police to ensure that any CrPc request for data is issued in accordance with the procedure enumerated in the rules associated with Section 69/69A/69B of ITA 2000.
If the police does not include the ITA sections in the CrPc 91 notice, which is more likely, the organization , releasing the data should not forget to mention this in their data release note.
Where there is any disagreement between the law enforcement and the Police such as when the Police want a “Roving investigation”, the only remedy available for the organization is to get a Court order restraining the “Roving Investigation” but providing all the investigation that may be otherwise required for a specific investigation for which a valid authority is available with an investigating officer.
Any information released by an organization in such cases to Indian police authorities shall be accompanied by an appropriate Section 65B (IEA) certificate. Further, the data as well as the relevant associated data (even if not disclosed immediately) should be archived and held as “Data Related to Evidence and Potential Evidence”.