New Delhi: India’s hunt for the perpetrators of multiple bombing threats that significantly disrupted the domestic aviation and hospitality sectors has hit a roadblock in Europe, where most of the hoax calls are said to have been made through virtual private networks.
The Centre has been denied access to personal information trails in Europe, with the authorities citing the region’s stringent personal data regulations and their requirements, three senior government and industry officials told Mint on condition of anonymity due to the sensitivity of the issue.
“India has currently hit a roadblock in the European Union, with France and Germany being among the nations that have cited clauses under the EU General Data Protection Regulation (GDPR) Act,” one official said. “The reasoning offered to India is that the EU would need specific warrants pointing at perpetrators for the EU to enable pursuit of the investigation further. But in the case of this investigation, it’s difficult to point at one particular perpetrator—and this has led India's investigation of those suspected to be behind the bomb hoaxes to a standstill.”
Over the past month, airlines and hotels across India received over 500 calls delivering bomb threats, although each of them turned out to be a hoax. Modern-day hoax and scam callers use the internet, and virtual private networks help hide their location. For hoax calls traced to a foreign country, India will have to request its government to cooperate or follow legal procedures there.
India remains in talks with officials from France, Germany and other European nations to identify the sources of these calls, a second official added.
“The general intention from Europe is to help India—but without disrupting the law, which is considerably more stringent there,” the second official said.
A senior government official with direct knowledge of the matter said on condition of anonymity that the Centre “is taking up the issue with EU authorities through channels established by the ministry of external affairs.”
Cross-border data and internet laws differ vastly between nations and much depends on personal and bilateral relations. Another key challenge is to collect substantial and watertight evidence that points to a criminal, which is extremely difficult due to technical challenges.
The EU data protection regulations necessitate information belonging to an individual in residence in Europe to be maintained and protected within Europe and not be transferred overseas for any corporate benefits. While the GDPR allows data handling of European individuals in case of a European nation’s national security, it remains unclear if the regulations enable national security exemptions for other nations.
The US enjoys the ability to ask the EU for personal data from a European nation under select circumstances—through the Clarifying Lawful Overseas Use of Data (Cloud) Act. India does not have such an enabling bilateral regulation with Europe.
A senior lawyer advising European companies from which the Centre is seeking data said, requesting anonymity, that India currently stands at a disadvantage because of the lack of “any fluid and accessible data transfer treaties.”
“The only treaty that facilitates this is the Budapest Convention treaty, which India has refused to be a signatory of due to concerns that it would also have to divulge sensitive data if other nations come calling. The only current mechanism is for India to use an MLAT (Mutual Legal Assistance Treaty), which is a very slow process. The other is for a local police body to ask a local court to issue a letters rogatory to a foreign court seeking data—none of which are enabling regulations by nature,” the lawyer said.
He added that with global VPN operators mostly having exited India due to its stringent data maintenance and revelation clauses by law, India does not have the ability to force any private entity to produce the data it is demanding.
“The VPNs are the direct party here, but they too are clients of Big Tech firms with cloud servers globally. India would not get an answer if it went to any Big Tech company and asked them to reveal the data trail left by a particular customer of a particular VPN—this is an impractical process, created out of India’s own handling of cross-border data trails so far,” he said.
India’s investigation into the matter currently covers a multi-ministerial effort to identify perpetrators, with the ministry of electronics and information technology (Meity) spearheading the efforts.
An email sent to the ministry seeking comment on the matter remained unanswered until press time. Queries sent by Mint to the embassies of France and Germany in India did not immediately receive responses.
Stakeholders and lawyers said cross-border data regulations present complications in the absence of clearly defined laws between the EU and India.
A senior lawyer who consulted on the development of India’s Digital Personal Data Protection (DPDP) Act, 2023, said, “National security concerns typically involve more stringent and clearly laid-down laws. If the situation was reversed, India may also deny any foreign party access to personal data in India unless there were clear warrants pinpointing at perpetrators in case of legitimate national security concerns. With the DPDP Act’s rules close to being notified, this could offer India a stepping-stone into more formalised laws that could help our pursuit of cross-border data transgressions in the near future.”
However, others said that given India and Europe’s strong bilateral equations, a resolution should be sought.
“It would seem worrisome that even under the concerns of national security, the EU member states have so far failed to share the required information and data trails,” said Kazim Rizvi, founding director of policy think-tank The Dialogue, which also advised the ministry on data privacy and cross-border data transfer issues. “India and Europe have historically had strong bilateral cooperation on law enforcement, counter-terrorism practices and more—these relations must be leveraged further for the EU to aid India in a case of national security.”
He added that a dedicated law, such as the agreement between the US and the EU, could be key to circumventing privacy violation concerns.
“While it's true that a non-perpetrator’s personal data being linked into the investigation could violate GDPR, it’s important to note that in case of national security investigations, there are always reasonable grounds in exceptional cases to collaborate and coordinate on data access. While India and the EU so far do not have a dedicated agreement as the US-EU Cloud Act, there would be ways for the two geographies to work together in order to identify sensitive information in select cases,” Rizvi said.
According to the senior lawyer cited earlier, Europe is a far more proactively litigious society and if a non-perpetrator’s data is linked with an investigation, there is an obligation within the EU to disclose this to the individual concerned.
“This could then lead to legal conflicts and the individual seeking damages against who gave a third-party access to such personal data. But with a reasonable exemption clause across geographies in case of national security, such issues can be avoided in future,” the senior lawyer said.