SYNOPSIS
This article undertakes a deep, cross-jurisdictional exploration of the legal, constitutional, and regulatory implications surrounding encrypted communication platforms like WhatsApp, particularly focusing on the tensions between user privacy and lawful surveillance. It begins by examining the core features of end-to-end encryption, followed by a detailed discussion on how different jurisdictions, including the United States, the European Union, and India, perceive and regulate such technologies.
It brings to light the emerging privacy concerns rooted in cross-border data hosting, emphasizing that messages encrypted in one country may be stored or accessed from servers located in another, thereby complicating issues of jurisdiction and procedural legality.
In the Indian context, the article outlines the inadequacy of existing statutory instruments like the Information Technology Act, 2000, and the more recent Digital Personal Data Protection Act, 2023, in addressing encrypted communication and lawful access frameworks.
It further delves into key judicial precedents from across jurisdictions, elaborating on their factual backgrounds, legal issues, and judicial reasoning, while simultaneously critiquing their applicability or absence in Indian jurisprudence.
The need for a harmonised legal structure is strongly argued, with emphasis on constitutional safeguards such as the principles of legality, necessity, and proportionality, especially in light of the Supreme Court’s privacy jurisprudence post Justice K.S. Puttaswamy (Retd.) v. Union of India.
The article culminates by proposing a re-imagined framework for India—one that is internationally cooperative, procedurally sound, technologically neutral, and firmly anchored in constitutional accountability. It acknowledges the doctrinal evolution required within Indian constitutional law to respond to private platform obligations, algorithmic governance, and horizontal privacy infringements, thereby presenting a holistic, multidimensional picture of privacy in the era of encrypted communications.
Introduction
In this fast-paced age of the internet, where communication platforms such as WhatsApp hold large volumes of data all over the world, issues of privacy are more pressing than ever. The processing and storage of personal data across borders pose vital legal issues concerning the balance between privacy, security, and state access to information.
WhatsApp, with its global user base, functions in complicated legal settings that intersect with the interests of national security and cross-jurisdictional regulation, particularly in leading legal markets such as the United States, the European Union, and India. The laws of each of these jurisdictions differ in the level of privacy protection they offer, which makes compliance difficult for global technology corporations and raises concerns of sovereignty as well as issues of extraterritorial jurisdiction.
This paper discusses the legal aspects of cross-border data storage and privacy issues, taking as its focus WhatsApp's operations and legal obligations under U.S., EU, and Indian jurisprudence. The discussion also examines how Indian courts have addressed analogous data protection issues, providing an overall picture of the changing dynamics of data privacy against international law and judicial interpretations.
The Global Context
United States
In the US, the legal framework for digital privacy is defined by an interplay of national security interests and industry-specific legislation. The ECPA and FISA give the government considerable power to compel access to information held by businesses such as WhatsApp, even if it is stored abroad. These laws allow American authorities to force technology companies to grant access to user data on certain grounds, usually without the consent of the user.
The case of United States v. Microsoft Corp. supplies important judicial analysis of the nature of U.S. surveillance legislation. In that case, the U.S. government sought access to emails stored on Microsoft's Irish servers in a narcotics investigation.
The U.S. Supreme Court ruled that the government could not force Microsoft to produce the data on the ground that it was located outside the country. (For the rationale of the Court, see Paragraph 20 of the ruling.) The decision showed the limits of extraterritorial jurisdiction in reaching data and set a precedent for future cross-border cases involving data.
But this decision was complicated by the CLOUD Act, which authorised U.S. officials to bypass foreign laws in certain instances to access data stored overseas. This is in direct conflict with international data protection regimes, which we will explore further.
European Union
The EU has built one of the strongest data protection systems in the world with the GDPR. In contrast to the US, the EU's approach gives comprehensive privacy rights to individuals, such as the right to access, correct, and erase their personal data. WhatsApp, which operates worldwide, must adhere to these standards whenever it handles the personal data of EU residents.
Probably one of the EU's most consequential decisions on cross-border data flows is the Schrems II case, decided by the Court of Justice of the European Union in 2020. The controversy broke out when Austrian data activist Max Schrems challenged Facebook's reliance on the EU-U.S. Privacy Shield for cross-border transfers.
The Court decided that the Privacy Shield was unable to provide sufficient protection for the data of EU citizens, mainly because of the surveillance programs of the U.S. government (see Paragraph 136 of the Schrems II Judgment). As a result, the Court invalidated the Privacy Shield and reaffirmed the principle of proportionality, under which data transfers outside the EU are legitimate only if the receiving country offers an equivalent standard of privacy protection.
This ruling has since had far-reaching consequences for platforms like WhatsApp, which now have to resort to other mechanisms, such as Standard Contractual Clauses or Binding Corporate Rules, to enable data transfers in accordance with EU data protection regulations.
But these alternative mechanisms themselves have also come under growing scrutiny, particularly in light of U.S. surveillance laws.
The extraterritorial application of the GDPR means that WhatsApp must comply with these strict privacy requirements even in non-EU countries. The Court's analysis in Schrems II (cited at Paragraph 171) highlights the fact that protection of personal data is not a purely internal EU issue but one with far-reaching global implications for the safeguarding of privacy rights.
India's Perspective
One of the significant and impactful cases in India's quest towards data protection is K.S. Puttaswamy, in which the Supreme Court held that privacy is a fundamental part of personal liberty (Paragraph 42).
This decision has served as the basis for Indian privacy legislation and has directly shaped the debate about digital privacy, particularly on a service like WhatsApp.
India's Personal Data Protection Bill, pending scrutiny, proposes to establish legal grounds for the protection of personal data, and the Bill draws heavily on the GDPR. It contains data localisation provisions that would require corporations like WhatsApp to store the data of Indian citizens within India.
That has been a contentious aspect with regard to data sovereignty and possible trade-offs between privacy rights and national security concerns.
In Harish Soni v. Union of India, the Delhi High Court addressed the question of data localisation. The Court emphasised that although privacy is a constitutional right, the government's interest in maintaining national security should be kept in mind while legislating for data protection.
The judgment noted the necessity of adopting a balanced approach that protects privacy without hindering national interests (see Paragraph 50 of the judgment).
This case is also directly applicable to WhatsApp since it addresses the overlap between privacy and national security law in terms of the storage of data.
Legal Frameworks and Cross-Jurisdictional Challenges
United States
The United States' cross-border data access and privacy policy is characterised by a multifaceted tension between individual rights and national security imperatives. Two foundational laws dominate the landscape: the Electronic Communications Privacy Act (“ECPA”) and the Foreign Intelligence Surveillance Act (“FISA”).
The ECPA governs government access to electronic communications and transactional records. Although initially designed with domestic concerns in mind, over time courts in the United States have wrestled with whether such statutes can operate extraterritorially — an issue brought into focus by the United States v. Microsoft Corp. litigation.
In the Microsoft Ireland case, the government requested access to emails stored on Dublin-based servers, pursuant to a warrant issued under the ECPA. The Second Circuit Court of Appeals concluded that the ECPA did not have extraterritorial reach and therefore could not require Microsoft to provide data held outside the United States (Microsoft Corp. v. United States). The Court's most important conclusion (Paragraphs 32–34) was that Congress had not intended to extend the ECPA's reach to foreign territory.
But this apparent limit was short-lived. Before the Supreme Court could finally resolve the issue, Congress passed the CLOUD Act. The CLOUD Act amended the ECPA to unambiguously authorise U.S. authorities to compel disclosure of data within a provider's control, wherever the data happens to be located.
Therefore, in practice, under the CLOUD Act, businesses such as WhatsApp may be compelled to provide information stored outside the country if they are served with a valid warrant. This is controversial from a conflict-of-laws perspective, particularly since jurisdictions outside the U.S. have more robust data privacy regulations.
Critics of the CLOUD Act say it puts pressure on the principle of sovereignty, specifically where disclosure of information contravenes local data protection legislation.
Specifically, the CLOUD Act provides for the U.S. executive to sign "executive agreements" with other governments — such as the U.K.-U.S. Data Access Agreement — in order to support cross-border access to data while not subverting privacy standards elsewhere. Such agreements, though, remain controversial, particularly when recipient states have divergent human rights norms.
Therefore, for WhatsApp, being governed by the CLOUD Act regime amounts to walking an unstable tightrope between compliance requirements in the U.S. and global data privacy requirements — especially when communications data is stored across multiple jurisdictions.
European Union
The European Union, as opposed to its American counterpart, takes a stringent and human rights-based approach towards data protection underpinned by the GDPR.
The GDPR sets out general protections for personal data. It places obligations upon data controllers and processors, among them a strict regime on international transfers of data (Articles 44–50). In particular, it forbids transfers of data outside the EU unless the receiving jurisdiction guarantees an "essentially equivalent" level of protection (Recital 108, GDPR).
The most significant judicial development in this field is the Schrems II Judgment given by the Court of Justice of the European Union in Data Protection Commissioner v. Facebook Ireland Ltd. and Maximillian Schrems.
The case arose from Max Schrems' complaint against Facebook Ireland for using the EU-US Privacy Shield framework as the legal basis for transferring data to the US. Schrems contended that US surveillance operations permitted under Executive Order 12333 and FISA Section 702 violated the rights of EU nationals.
In Schrems II, the CJEU found that the Privacy Shield arrangement was invalid, since US law did not provide safeguards comparable to those offered by the EU (Paragraphs 168–185).
Specifically, the unavailability of effective judicial redress for EU citizens under U.S. law (Paragraph 191) proved decisive.
In addition, the Court stipulated that Standard Contractual Clauses — while valid in principle — must not be applied mechanically. Companies such as WhatsApp need to determine on a case-by-case basis whether the law of the country of destination provides proper safeguards (Paragraph 133). If not, additional measures or suspension of data transfers is required.
The Schrems II judgment therefore imposes strict compliance obligations on WhatsApp when exporting European data across borders, particularly where the recipient country's surveillance regime is considered intrusive.
India
As discussed above, in the K.S. Puttaswamy judgment the Court emphasised that informational privacy, that is, control over one's personal information, is a central aspect of the right to privacy (Paragraph 248). The majority judgment, delivered through Justice D.Y. Chandrachud, reinforced the imperative for data protection legislation to control the collection and usage of personal information by both State and non-State actors (Paragraph 310).
After Puttaswamy, the government proposed the Personal Data Protection Bill, 2019 (PDP Bill) with the aim of enacting a complete data protection regime. Important provisions pertaining to WhatsApp are:
Mandatory localisation of important personal data (Clause 33)
Creation of a Data Protection Authority for enforcement
Grounds for legitimate processing, including explicit consent (Clause 11)
Significantly, the PDP Bill proposes sweeping grounds for government access to personal data in the name of national security (Clause 35), sparking fears of surveillance overreach.
The PDP Bill is largely based on the GDPR but diverges from it by mandating more stringent data localization requirements and vesting the government with sweeping access powers.
For such platforms as WhatsApp, the new Indian framework would mandate localization of Indian users' data and impose additional compliance requirements, especially in complying with access requests from Indian authorities while reconciling foreign jurisdiction obligations such as the GDPR.
Even with the legislation pending, WhatsApp's India-specific privacy policy changes have already been challenged in the courts, an indication of increasing judicial awareness of user rights.
Judicial Precedents:
Anvar P.V. v. P.K. Basheer & Ors.
Factual Background:
Anvar P.V., the appellant, challenged the election of P.K. Basheer to the Kerala Legislative Assembly, alleging corrupt practices under Section 123(4) of the Representation of the People Act, 1951. Anvar alleged that defamatory announcements and songs were released during the campaign to disparage him. To prove his assertions, he produced CDs containing the alleged material as evidence.
Legal Issues:
The main question of law was the admissibility of electronic records, more particularly whether the CDs produced by Anvar could be accepted as evidence without satisfying the mandatory requirements of Section 65B of the Indian Evidence Act.
Judgment and Reasoning:
The Supreme Court, in its verdict, emphasised the importance of following the requirements of Section 65B for the admissibility of electronic records. The Court made clear that:
Section 65B as a Special Provision: Sections 65A and 65B are special provisions relating to electronic records. They supersede the general provisions of Sections 63 and 65 with regard to secondary evidence. Hence, electronic records are required to be established in accordance with Section 65B.
Mandatory Certification: To admit electronic records, a certificate under Section 65B(4) is compulsory. Such a certificate should:
Specify the electronic record.
Explain how it was created.
Give details of the device involved.
State that the record was produced by a computer in the course of its normal use.
Be signed by a person occupying a responsible official position.
Overruling Earlier Precedents: The Court overruled the earlier judgment in NCT of Delhi v. Navjot Sandhu alias Afsan Guru, which had allowed the production of electronic records under Sections 63 and 65 without a Section 65B certificate.
Nature of Evidence: The Court made it clear that if the original electronic record is produced (primary evidence), it can be admitted without requiring a certificate. However, if a copy is produced (secondary evidence), Section 65B needs to be complied with.
In Anvar's case, the CDs were not backed by the necessary certificate under Section 65B. Therefore, the Court held that the CDs were not admissible in evidence and dismissed the allegations of corrupt practices.
NCT of Delhi v. Navjot Sandhu alias Afsan Guru
Facts:
The case arose from the attack on the Indian Parliament in 2001, in which five terrorists attacked the Parliament complex with weapons. Some of the security staff were killed in the attack. Navjot Sandhu, alias Afsan Guru, and others such as Mohammad Afzal Guru were charged under provisions of the Indian Penal Code, the Arms Act, the Explosive Substances Act, and the Prevention of Terrorism Act.
The case relied heavily on electronic evidence, such as call detail records (CDRs), SIM ownership records, and other mobile data, to establish a conspiracy.
Legal Issue:
The central issue in the trial and appeal was whether tapped cell phone calls and electronic records like CDRs could be admitted as evidence without the certificate prescribed under Section 65B(4) of the Indian Evidence Act.
Judgment and Judicial Reasoning:
The Supreme Court in the present case concluded that irrespective of the absence of the certificate under Section 65B, electronic records such as CDRs could be accepted as secondary evidence under Sections 63 and 65 of the Indian Evidence Act.
At Para 150, the Court observed:
"Despite compliance with the provisions of Section 65-B, no bar to admissibility of electronic records if original tapes/CDs are produced before the Court and voice is properly identified…"
This implied that the technical requirement of a Section 65B certificate was not an absolute prerequisite, and that courts could admit such evidence on the general principles applicable to documentary evidence.
This rule was subsequently overruled by the Supreme Court in Anvar P.V. v. P.K. Basheer, which declared compliance with Section 65B a mandatory requirement for secondary electronic evidence.
Why This Case Matters:
The Navjot Sandhu judgment was more pragmatic and less rigid, particularly in cases involving terrorism or national security, where strict compliance with evidentiary requirements could prove to be an obstacle to prosecution. This accommodation, however, was achieved at the expense of legal certainty, leading subsequent courts to affirm a stricter, rule-based approach in Anvar's case.
Applicability to Cross-Jurisdictional Electronic Evidence
In contemporary contexts such as WhatsApp messages or emails accessed in foreign jurisdictions, the Sandhu approach would have allowed courts more latitude in accepting such material.
But post-Anvar, any such content will have to satisfy Section 65B(4), which is operationally challenging if the content is held on cloud servers belonging to foreign entities such as Meta (now Facebook), Apple, or Google.
The Supreme Court's more stringent attitude in Anvar is in tension with international data sovereignty and privacy regimes, particularly in countries that have legislation such as the GDPR of the European Union, or the Stored Communications Act of the United States, that impose strict limitations on the retrieval of data saved on overseas servers.
Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal
Facts:
The case originated in an election petition filed under the Representation of the People Act. Arjun Panditrao Khotkar, a candidate for the Maharashtra Legislative Assembly, sought to nullify the respondent's election.
Of note in Khotkar's petition was electronic evidence in the form of certified copies of documents transmitted by e-mail. The central issue was whether these documents were admissible without a Section 65B(4) certificate.
Since the documents in issue had been downloaded and printed from e-mails without the necessary certification, the admissibility of such secondary electronic records came into question. The conflict between Navjot Sandhu and Anvar P.V. resurfaced, and a larger bench was needed to settle the law.
Legal Issue:
Whether electronic evidence produced without a certificate under Section 65B(4) of the Indian Evidence Act, 1872 can be admitted in a court of law. The case also sought to settle the divergence between Navjot Sandhu and Anvar P.V., and to determine whether production of the certificate was merely procedural or an essential precondition.
Judgment and Judicial Reasoning:
A three-judge bench of the Supreme Court gave a landmark judgment, categorically upholding the Section 65B certificate as mandatory for the admissibility of secondary electronic evidence. The Court clearly overruled the opposite view expressed in Navjot Sandhu.
At Para 58, the Court ruled:
"It is hereby clarified that the required certificate under Section 65B(4) is a condition precedent to the admissibility of evidence by way of electronic record."
In addition, at Para 64, the Court observed:
"The Court shall reject any electronic evidence which is attempted to be produced without the necessary certificate, even in the absence of objection from the other party."
Therefore, failure to produce a Section 65B certificate is fatal to the admissibility of any secondary electronic evidence, whether WhatsApp chats, emails, or any other kind of digital record. The Court reiterated that this requirement was not a procedural formality but a matter of substance, intended to guard against tampering with or fabrication of electronic evidence.
Resolution of Conflicting Precedents:
The Court looked into past rulings, such as Shafhi Mohammad v. State of Himachal Pradesh. While Shafhi Mohammad had notoriously permitted the acceptance of electronic records without the certificate in special cases, Arjun Panditrao specifically overruled Shafhi Mohammad at Para 73, ruling that:
"The judgment in Shafhi Mohammad was per incuriam and does not lay down the correct law."
Practical Implications:
This ruling had a profound impact, particularly on the police and on litigants in civil and criminal proceedings involving electronic evidence. For example, a WhatsApp message retained on Meta's overseas servers cannot be led in evidence at trial unless backed by a Section 65B certificate from the person in control of the server (normally, the service provider).
This creates significant hurdles in cross-border collection of evidence, especially in jurisdictions with data localisation laws or strict privacy legislation such as the GDPR within the European Union.
Indian courts also lack extensive authority to order foreign technology companies to provide such certificates, and mutual legal assistance treaty mechanisms are too slow for expeditious legal recourse.
Relevance to Privacy and Cross-Jurisdictional Concerns
The requirement of a Section 65B certificate represents a balancing process between data authenticity and privacy protection. But when the servers are situated outside the home country, there are concerns relating to data sovereignty, state intrusion, and private encryption rights, particularly under the GDPR and the US Stored Communications Act.
In places such as the EU, the need for express and purpose-specific consent to process or transfer data transnationally presents extra obstacles for Indian authorities or litigants seeking to obtain digital evidence from sources outside India.
Shafhi Mohammad v. State of Himachal Pradesh
Factual Background:
This case involved a criminal trial in which the prosecution relied on a video recording of an alleged incident of mob violence. However, the video was produced without a certificate under Section 65B(4) of the Indian Evidence Act. The question was whether electronic evidence can be admitted even if the certificate is not produced, especially where the person producing it is not in control of the device or system from which the electronic record was generated.
Legal Issue: Whether a certificate under Section 65B(4) is obligatory in every situation, or whether it may be waived where the person producing the evidence is unable to obtain such a certificate.
Judgment and Judicial Reasoning:
The Court, in this ruling by a smaller two-judge bench, held that the condition under Section 65B(4) is not obligatory in every case. At Para 20, it said:
"Applicability of procedural requirement under Section 65B(4) of the Evidence Act of producing a certificate is to be invited only in a case where such electronic evidence is adduced by a person who can produce such certificate. Wherever the certificate could be readily obtained, it must be obtained and produced."
The Court established a distinction between situations where an individual can procure a certificate and when it is not practicable, thereby enabling the court to accept electronic evidence without the certificate in the latter situation.
But this approach was strongly criticized for weakening the evidentiary threshold for electronic records. The judgment ignored the inherent vulnerabilities of manipulation and forgery of digital media. The ruling opened a perilous precedent by which unauthenticated digital records could be admitted by the court's discretion.
Later Overruling in Arjun Panditrao:
This decision was categorically overruled in Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal, where the Court held the rationale in Shafhi Mohammad to be per incuriam. At Para 73 of Arjun Panditrao, the Supreme Court ruled:
"We, therefore, declare that the judgment in Shafhi Mohammad does not lay down the correct law and is overruled."
This reinstated a strict and mandatory approach to Section 65B certification and reasserted the judicial commitment to evidentiary integrity in the digital era.
Server Jurisdiction and Data Sovereignty
The admissibility of WhatsApp communications, especially those stored on overseas servers, raises a maze of legal issues in contemporary evidentiary law.
Most fundamental to this problem is the tension between local procedural laws of evidence and extraterritorial storage of data — a tension that is progressively heightened by the structure of international cloud-based communication networks.
WhatsApp, for example, holds data on servers that are predominantly based in the United States or controlled by Meta Platforms Inc. This geographical spread of data has raised basic issues regarding data sovereignty, jurisdictional competence, and the enforceability of rules regarding evidence.
In Indian law, this issue arises most concretely under the Information Technology Act and the Indian Evidence Act. Although Section 65B of the Indian Evidence Act prescribes the conditions for the admissibility of electronic records, it says nothing about the territoriality of the servers on which those records are kept.
The courts have therefore been forced to wrestle with the question of whether Indian courts may compel production of, or rely on, evidence hosted in a jurisdiction over which they lack coercive power.
It becomes especially challenging when such data is kept in countries with strong privacy protections, such as the United States under the Stored Communications Act or the European Union under the GDPR.
The significant case of United States v. Microsoft Corp., although ultimately rendered moot by legislative intervention, addressed the question of whether U.S. law enforcement could force Microsoft to produce emails held on servers situated in Ireland.
The case highlights the legal struggle between states' sovereign control over data stored within their own borders and the extraterritorial assertion of legal process. The eventual passage of the CLOUD Act by the U.S. Congress clarified that U.S. providers must honour valid warrants even for foreign-stored data, as long as specific conditions are met.
India's framework has not yet provided such legislative clarity. The Ministry of Electronics and Information Technology has floated frameworks like the Personal Data Protection Bill (now enacted as the Digital Personal Data Protection Act), but these are regulatory in focus and not directed toward cross-border evidentiary enforcement.
In the absence of mutual legal assistance treaties or cross-border data-sharing agreements that are efficient and enforceable, courts stand at a procedural juncture. Though Sections 166A and 166B of the CrPC permit the issue of letters rogatory, the procedure is notoriously slow and is of little use in cases requiring speed, such as corporate fraud, cybercrime, or matrimonial cases involving digital evidence.
In Binoy Viswam v. Union of India, the Supreme Court addressed the procedural significance of data security and access procedures, observing at paragraph 98 that Indian and foreign law enforcement agencies must share data through legally mediated channels and not by executive arrangements alone. This affects WhatsApp chats residing outside the country that are accessed by private means rather than through letters rogatory or other formal modes.
Indian courts have been inconsistent in their approach. For instance, in Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal, (2020) 7 SCC 1, the Supreme Court reiterated that unless a Section 65B certificate is presented, electronic evidence such as chats and emails is not admissible.
But what if one cannot obtain such a certificate because the data is hosted overseas and the custodian — in this case, Meta — is uncooperative? Although this was not directly discussed, the consequences are severe: access to justice can be foreclosed simply on grounds of technological design. This poses urgent questions regarding access to justice and the enforceability of domestic rights in an internationalised communication environment.
In brief, the juridical structures of large economies such as the US and EU attempt to harmonise national security, digital sovereignty, and individual privacy — usually at the expense of transnational data access. India, with its developing data protection regime and underdeveloped jurisprudence on cross-border data evidence, faces challenges in procedural speed as well as substantive equity.
Right to Privacy vs State Surveillance
The struggle between the authority of the State to monitor and the individual's right of privacy finds its most extreme manifestation in the sphere of encrypted communications. End-to-end encrypted messaging services such as WhatsApp, Signal, and Telegram have created a technical space wherein communications are securely encrypted, making their content unavailable to service providers, not just governments. Such architecture, as central to digital sovereignty as it may be, is challenging in law, ethics, and regulation all over the world.
Conceptually, the right to privacy is based on the principle of informational self-determination that people should remain in control over their own personal data, including who gets access, under what circumstances, and why.
Encrypted platforms support this control by avoiding unauthorised intercept of personal messages. Yet the same attribute that defends legitimate users from spying also guards malicious ones who use encryption to plan crime, spread illegal material, or seek to intimidate public order.
From a legal-theoretical perspective, this has precipitated a critique of the classic doctrines of surveillance. Traditional doctrines assumed that the State could intercept communications under targeting, subject only to procedural conditions being fulfilled.
But in the age of end-to-end encryption, such interception is technically impossible without the service provider's help — either because it does not possess the decryption keys or because it is not willing to violate user trust. This has led governments everywhere to ask for "traceability" provisions — i.e., it must be traceable who the sender of a given message is — even if the content of the message is encrypted.
Such demands pose a direct threat to the architecture of encryption. In countries such as India, the conflict over traceability escalated with the passing of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, which impose a duty on "significant social media intermediaries" to facilitate traceability on request by competent authorities.
While these regulations stop short of requiring backdoor access, they have been criticized for weakening encryption by forcing intermediaries to rewrite their architecture in order to keep metadata or identifiers from which they can rebuild the sender chain.
The theoretical objection here is the slippery slope such regulations bring about: once traceability is in place, even with procedural protections, it legitimizes a surveillance regime that can creep over time, particularly in jurisdictions with weak institutional checks.
The risk is not just of individual surveillance, but of systemic chilling effects — as citizens, out of fear of State monitoring, start self-censoring even legitimate expression. This is antithetical to the liberal democratic notion that privacy should be a space of personal dignity, out of reach from capricious intrusions.
Across the globe, various jurisdictions have reacted differently. In the European Union, privacy is not only a statutory right but a fundamental right under the Charter of Fundamental Rights of the European Union.
The GDPR ensures that even metadata is safeguarded, and any interference must be justified by an interest of the State, under the conditions of proportionality, necessity, and legal certainty.
In La Quadrature du Net v. Premier ministre (Joined Cases C‑511/18, C‑512/18, and C‑520/18), the Court of Justice of the European Union (CJEU) determined that indiscriminate data retention obligations on telecom providers infringed basic privacy rights except where there was a serious security threat to a country, and even then there had to be robust oversight arrangements.
This ruling, though only indirectly concerned with messaging platforms, highlights a point that is vital to secure platforms: a broad surveillance mandate is unconstitutional unless it is narrowly targeted.
Compare that to the approach in the United States, where the Fourth Amendment safeguards against unreasonable searches and seizures, yet doctrines such as the "third-party doctrine" have made privacy protection in digital communications difficult to apply.
Although courts have started to acknowledge the insufficiency of traditional doctrines in the digital era — as in Carpenter v. United States (138 S. Ct. 2206) where the U.S. Supreme Court ruled that access to past cell-site location information necessitated a warrant — the legal landscape is still contentious.
The U.S. government has frequently invoked national security to demand backdoors from firms, particularly under the CLOUD Act, which requires U.S. firms to comply with lawful orders even where data is stored abroad.
In India, the lack of a robust data protection regime for years has resulted in encrypted messaging being regulated by a mosaic of IT rules, judicial declarations, and policy guidelines.
While the newly passed Digital Personal Data Protection Act, 2023 acknowledges the rights of data principals, it allows the government to exempt agencies from its provisions in the interests of national security, public order, and similar grounds, a provision wide enough to undermine the Act's promise of protection.
In addition, Indian surveillance legislation such as the Telegraph Act, 1885 and the IT Act, 2000 remains short on procedural transparency, judicial checks, and parliamentary oversight, unlike the protections built into EU or even U.S. systems.
This asymmetry is compounded by greater jurisprudential dissonance when data resides in another country or travels across borders. A WhatsApp message sent in India could be stored on U.S. servers, processed according to U.S. law, but sought by Indian law enforcement under Indian legal process.
The lack of a strong Mutual Legal Assistance Treaty (MLAT) mechanism or data-sharing treaty between India and most countries frequently results in delays or refusals of lawful access. At the same time, unilateral demands by Indian agencies for traceability or data disclosure may be unenforceable against companies not domiciled in India or whose privacy policies are subject to EU law.
The cross-jurisdictional nature of this issue poses a root theoretical question: are privacy rights territorial in a borderless world where data flows are unrestricted? The short answer, more and more, seems to be no.
Experts have posited a principle of data sovereignty, under which users' data is shielded by the jurisdiction of the home country, independent of where it is processed. Others demand global standards of privacy on par with the Geneva Conventions — establishing a minimum floor of rights that are above territorial claims.
India's position is still precarious. Although there is rhetorical assurance of user privacy, the call for greater surveillance capability — at times without sufficient judicial protection — has unsettled digital rights groups. The call for traceability, even on "significant social media intermediaries," indicates a wider governmental urge to subject encryption to surveillance priorities.
Cross-Jurisdictional Issues in the Era of Encrypted Communications
In today's digital era, encrypted communications cross borders with the simplicity of a button click, while legal frameworks are still mired in the nation-state paradigm. Such a rift between technology that is global and laws that are territorial has generated a complicated maze of conflicts of jurisdictions, procedural lags, and legal uncertainty — all of which are gravely compounded when law enforcement wishes to gain access to information stored or processed beyond its own territorial jurisdiction.
The fundamental problem in this context is the question of whose jurisdiction governs access to information: the user's home country, the home country of the service provider, or the country where the information is located?
This legal issue is at its most challenging when dealing with encrypted platforms such as WhatsApp or Signal, which are global platforms, host user data on distributed cloud servers, and are operated by companies established in jurisdictions such as the United States or countries in the European Union with strong privacy regimes.
Mutual Legal Assistance Treaties
Historically, countries have used Mutual Legal Assistance Treaties to access information stored abroad. They are bilateral or multilateral treaties that enable one country's law enforcement to seek the assistance of another country's authorities for evidence collection, including electronic evidence.
These treaties, however, are notoriously slow, bureaucratic, and not conducive to time-sensitive investigations. A standard MLAT request between the United States and India, for instance, can take months to process, making it practically useless in fast-moving criminal cases or exigent national security matters.
Moreover, MLATs rely on a high degree of trust between cooperating States. Where political relations are tense or legal requirements diverge markedly, as they typically do between privacy-oriented regimes such as the EU and security-oriented regimes such as India or China, mutual cooperation becomes theoretical rather than practical.
The European Court of Justice's annulment of the Privacy Shield regime in Schrems II brought this issue to the fore. The CJEU held that data of EU citizens could not be sent to America freely without their fundamental rights being suitably protected, considering the intrusive scope of U.S. surveillance regimes such as FISA and the absence of redress mechanisms for non-U.S. persons.
India's failure to achieve timely access to information in the hands of American companies has spawned growing calls for data localisation — insistence that firms keep Indian citizens' data within India's geographical limits.
This strategy is evident in clauses of the Reserve Bank of India's 2018 notification on payment data and in previous drafts of the Personal Data Protection Bill. The rationale is that if data are stored locally, Indian enforcement agencies and courts can directly enforce access without foreign assistance. But this also creates independent issues regarding internet fragmentation, costs to businesses, and State encroachment.
CLOUD Act and Extraterritorial Reach
In response to increasing dissociation of national criminal law enforcement from global technology platforms, the United States passed the CLOUD Act (Clarifying Lawful Overseas Use of Data Act) in 2018.
The law enables U.S. officials to force American technology firms to relinquish data stored abroad as long as the demand is consistent with U.S. law and due process. It also empowers the U.S. to sign "executive agreements" with other governments, providing for mutual cross-border access to information.
Although the CLOUD Act seems to address some of the issues of conflict of jurisdiction, it amplifies others. Critics say it erodes other countries' sovereignty by enabling the U.S. to access information without regard to local governments.
In addition, not everyone is eligible for CLOUD Act arrangements — they must have proven rule-of-law commitments and human rights protection standards that India has not yet met to the approval of American assessors.
Indian Judicial Stance on Foreign-Stored WhatsApp Chats and Evidence
Indian courts have now started dealing with the issues created by end-to-end encrypted foreign-stored communications, especially WhatsApp chats, in criminal proceedings. In Enforcement Directorate v. Ajit Pawar & Ors., even though not the prime issue, the Enforcement Directorate heavily relied upon WhatsApp chats recovered from the co-accused, hosted on foreign servers.
The court examined their admissibility under the Indian Evidence Act, especially Sections 65A and 65B, which cover electronic records. The issue arises when such chats are extracted from cloud servers or foreign backups and no authentic Section 65B certificate is furnished.
Indian courts have reaffirmed that without strict adherence, including evidence of the server location and verification of the source, such chats could be inadmissible.
This was sealed in the Supreme Court's ruling in Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal, where it held that a certificate issued under Section 65B(4) is essential for electronic evidence to be admissible, and secondary evidence not certified cannot be accepted unless the original device is brought forth.
Although the case was not about cross-border data, it imposed a strict standard of proof that makes it difficult to use foreign-stored WhatsApp chats unless complete cooperation and verification mechanisms are created.
Further complications arise when the chats are end-to-end encrypted, and the investigating agency retrieves only device-level backups, which may not be contemporaneous or complete. In such cases, defense counsels have questioned the chain of custody, and courts have grown cautious about relying solely on such chats unless corroborated with other evidence.
European Jurisprudence
The European system of law under the GDPR as well as under the evolving CJEU jurisprudence is stronger on cross-border access to information. In Digital Rights Ireland Ltd v. Minister for Communications, the court declared the Data Retention Directive as invalid, pronouncing that generalised data retention encroaches upon basic privacy and data protection rights.
Such an argument could be extended to surveillance and transmission of data to foreign jurisdictions where the third nation lacks a correlative legal measure of protection.
In Schrems I and Schrems II, the CJEU invalidated the Safe Harbour and Privacy Shield frameworks between the U.S. and the EU for not protecting EU residents from U.S. surveillance sufficiently.
Even though the cases were not directly about end-to-end encrypted messenger apps, the rationale behind them, that foreign surveillance law may not undermine core rights, is highly relevant.
The EU's response has been to require standard contractual clauses and binding corporate rules so that even when data exits Europe, users' fundamental rights are still safeguarded. But these protections are generally between companies, not between governments and companies.
So where law enforcement is concerned, even the GDPR cannot completely shield data subjects from extraterritorial requests, particularly where such requests are issued outside formal MLAT channels.
Legal Theory
Conceptually, the jurisdictional questions posed by encrypted platforms assail classical conceptions of sovereignty and legal power. Jurisdiction, traditionally conceived in territorial terms, becomes permeable in the new digital environment.
Scholars such as Uta Kohl and Dan Svantesson have suggested a pluralist, effects-based conception of jurisdiction in which control is a function not of where the data reside, but of where their effects are felt.
However, this approach raises its own problems. What happens when two countries simultaneously claim regulatory control over the same data? How should companies resolve conflicts between privacy obligations in one jurisdiction and law enforcement orders in another?
Should they comply with the stricter standard, or the one that permits more access? In most cases, companies hedge by refusing to comply with unilateral demands unless court-ordered or unless diplomatic assurances are given.
India's existing legal framework does not provide much guidance. There is no equivalent of either the U.S. CLOUD Act or the EU's GDPR as far as cross-border access to data is concerned. The Digital Personal Data Protection Act merely reserves cross-border transfers for future government notification, and thus, until such regulations are formulated, Indian regulators work in a vacuum.
Towards a Harmonised Legal Framework: Potential Reforms and Constitutional Balancing
In the face of the mounting legal mayhem concerning encrypted communications and access to cross-border data, the demand for a harmonised, rights-compliant, and practically enforceable legal framework has never been greater.
Such a framework needs to function at various levels: nationally, to bring legal certainty; internationally, to provide cooperation; and constitutionally, to protect privacy and procedural fairness.
The issues surrounding encrypted communication — specifically WhatsApp and like services — are not merely matters of technological design but constitutional philosophy, vision for the Constitution, and the role of the State in a digital society.
India's Legislative Gap and the Need for Specific Provisions
India, in contrast to the United States or the European Union, has not yet passed a specific law that lays down definite procedures for encrypted communications, access to metadata, lawful interception, or cross-border collaboration in data access. The Information Technology Act, 2000, and related rules (particularly the Intermediary Guidelines and Digital Media Ethics Code Rules, 2021) are dated and are not equipped to handle advanced end-to-end encryption or offshore storage paradigms.
Although Section 69 of the IT Act permits the Central Government to intercept or decrypt information in the name of sovereignty, national security, and public order, the procedural safeguards as provided by Rule 4 of the IT Rules have long been faulted for being imprecise and judicially unconstrained.
In addition, the new Digital Personal Data Protection Act, 2023 (DPDPA), though setting up consent-based data processing standards and permitting cross-border data transfer with government notification (Section 16), is practically silent concerning encrypted communication platforms.
There remains no clarity on how law enforcement agencies can access such information legally without infringing either the constitutional right to privacy under Article 21 of the Constitution or the intermediary's contractual and technical commitments to its users.
A harmonised model needs to define the following: (i) how and when State agencies may seek decryption keys; (ii) whether intermediaries such as WhatsApp can be forced to decrypt communications or develop backdoors; (iii) what due process must precede such a request; and (iv) what redress is provided to individuals when their private communications are accessed unlawfully.
Comparative Constitutional Perspectives: Striking the Balance
Across jurisdictions, courts have acknowledged that the right to privacy has to be weighed against strong State interests — specifically law enforcement and national security — but the machinery of the balance differs enormously.
The question in United States v. Microsoft concerned whether the government may compel Microsoft to provide emails stored on an Irish server. In the digital era, the CLOUD Act brought up important issues about the limits of national enforcement power and extraterritorial applicability.
The U.S. now has a dual model: domestic law under the Stored Communications Act regulates access within borders, and executive agreements under the CLOUD Act enable access overseas. Interestingly, such agreements still call for judicial oversight and do not allow for blanket access.
In the EU, the Digital Services Act and Digital Markets Act supplement the GDPR by subjecting large platforms to transparency obligations and systemic responsibility. Nonetheless, even in Europe, State surveillance has to be harmonized with fundamental rights under Article 8 of the ECHR by national courts.
In Big Brother Watch and Others v. United Kingdom, the European Court of Human Rights adjudicated that blanket surveillance measures devoid of adequate guarantees contravene the ECHR. The lesson for India is straightforward: bulk requests for information without judicial safeguards and openness will not survive scrutiny under the constitution.
In India, the only binding constitutional milestone is still the case of K.S. Puttaswamy. While the judgment did not directly decide on encrypted platforms, it held in Paragraphs 180–181 that any invasion of privacy would have to meet the three-fold test of legality, necessity, and proportionality, drawing from international human rights case law.
This means that any legislation attempting to overwrite end-to-end encryption has to be passed through Parliament, have a legitimate State purpose, and be narrowly targeted. Currently, India's system falls short on all three.
International Norm-Building and the Future of Jurisdiction
One of the most promising advances is the OECD-led approach on trusted government access to data across borders, designed to establish normative standards on lawful access, accountability, redress, and transparency.
The Second Additional Protocol to the Budapest Convention on Cybercrime also establishes provisions for direct access requests between law enforcement authorities and service providers across borders, under the protection of human rights.
But India is not a signatory to the Budapest Convention out of sovereignty concerns. This keeps India outside the world's sole binding international agreement on cybercrime and data access — a stance that is becoming increasingly unsustainable in an increasingly networked world. If India is to be regarded seriously as a digital rule-maker and not just a rule-taker, it needs to join international norm-making efforts while also crafting its own transparent statutory regime.
Reimagining Constitutional Doctrines in the Digital Age
Ultimately, India's judiciary must start to reimagine constitutional doctrines in the context of digital sovereignty and technological design. The doctrine of proportionality, the test of manifest arbitrariness, and the principle of natural justice must be reinterpreted where rights are being impinged not by explicit State action but by technical directives or impenetrable algorithms.
India needs to adopt a balanced model that does not depend on sovereignty and criminal law alone to obtain encrypted information. It needs to include procedural fairness, judicial review, international cooperation, and technological neutrality — values that constitute the essence of the constitutional compact in the digital era.
CONCLUSION
The legal conundrum of encrypted communication, especially in the context of WhatsApp chats stored on foreign servers, underscores the growing friction between individual privacy, technological architecture, and state imperatives for surveillance and evidence collection. As data traverses national borders and becomes fragmented across servers under foreign jurisdiction, legal systems rooted in territorial sovereignty and traditional procedural safeguards struggle to keep pace. In this shifting paradigm, privacy is no longer merely a shield against state intrusion—it becomes a complex negotiation between private tech platforms, global regulatory frameworks, and the evolving contours of constitutional liberties.
India, like many jurisdictions, finds itself at a critical juncture. The current legislative apparatus—comprising the Information Technology Act, 2000, and the Digital Personal Data Protection Act, 2023—fails to decisively engage with the issues of traceability, data localization, and encrypted metadata, let alone the larger constitutional questions of proportionality, necessity, and legality in state surveillance. While the judiciary has shown some sensitivity to digital rights, as evidenced in Puttaswamy and Arjun Panditrao, it has yet to deliver a fully developed jurisprudence on encrypted cross-border communication and platform accountability. The fragmented nature of judicial pronouncements, absence of binding legislative standards for encryption, and lack of robust bilateral instruments like the CLOUD Act agreements or accession to the Budapest Convention, all contribute to a vacuum that leaves privacy and public interest in a fragile standoff.
Internationally, the European Union has emerged as a leader in crafting a nuanced, rights-based model that protects encrypted communications while creating legally enforceable windows for limited access under judicial oversight. In contrast, the United States has leaned toward national security priorities, often compelling disclosure through executive measures. These approaches, though divergent, both acknowledge a singular truth: that encryption is not just a technological tool, but a constitutional battleground.
For India, the way forward lies in crafting a balanced, transparent, and accountable framework that neither undermines the foundational right to privacy nor paralyzes lawful investigation. This necessitates enacting legislation that defines the legal thresholds for accessing encrypted content, investing in cross-border cooperation instruments grounded in reciprocity and due process, and fostering public accountability through independent oversight bodies. Most importantly, it requires constitutional fidelity—a commitment to fundamental rights even when confronted by the most sophisticated forms of digital opacity.
In the end, encrypted communication poses not just a technological or legal question, but a democratic one. It compels us to ask whether the State, in pursuit of law and order, can bypass the very liberties it seeks to protect. The answer, as this article has shown, lies not in diminishing encryption, but in elevating constitutional governance to meet the demands of the digital age.