10 Things You Need to Know About Cross-Border Data Flows
As the Internet continues to break down the connection between our physical location and the location of our data, laws surrounding government access to information haven’t kept up. Particularly since the leaks about NSA surveillance activities and the 2014 U.S. government case against Microsoft for not providing access to data held in Ireland, lawmakers are increasingly focused on questions surrounding data held in or outside the United States.
Most recently, the Senate held a hearing on May 24th entitled “Law Enforcement Access to Data Stored Across Borders: Facilitating Cooperation and Protecting Rights” and tomorrow the House Judiciary Committee is conducting their own investigation. So what do you need to know about cross-border data flows?
- Where Is Your Data?
Technological advances in the way that data are stored, transferred, and protected make our Internet-connected lives more streamlined and secure, but have also broken down traditional ideas of where data is located and how to get access to it. Now, much of your data isn’t “at rest” on your personal computer, it is either “in transit” or “at rest” in the cloud. This means your files are in a system of servers, operated in one or many countries, that transmits the data to you when you “access” it.
The U.S. is the global tech leader, which means data are often stored here or held by American companies on servers they own and operate in other countries. Depending on the cloud company you entrust with your data, the physical location could shift as the service provider optimizes its storage system.
2. Data Security and Law Enforcement
This new system pays huge dividends for consumers and the Internet economy, but it also poses challenges for law enforcement and national security officials. Now, they can’t just serve a warrant, take your computer and filing cabinet, and call it a day. Instead they have to explore a multitude of options to collect evidence — increasingly, across borders.
This gets even more complicated as private citizens increasingly use encryption to shield their data from hackers and other prying eyes. Even if the police intercept a message or acquire a hard drive, the data are often scrambled by code that even a supercomputer can’t break. Law enforcement is left with a shrinking slate of options: hope the suspect left behind enough unencrypted data, use Network Investigative Techniques (NITs) — aka government hacking — or deputize a third party under U.S. jurisdiction to decrypt which leads to:
3. Data Localization Laws
The Internet thrives when data flow seamlessly between nations. But concerns over privacy and espionage — coupled with global trends toward nationalism, protectionism, and populism — have pushed many countries to prevent data about their citizens being stored abroad. To that end, governments in the EU, Russia, China, and others are passing data localization laws, requiring tech companies to keep certain categories of data within their physical boundaries. This further complicates U.S. law enforcement jurisdiction, as U.S. companies may hold information about foreign actors that pertain to domestic investigations, such as in:
4. The Microsoft-Ireland Case
In 2013, the U.S. Department of Justice (DoJ) got a warrant to access a Microsoft email account as part of an investigation. The company turned over only data that was physically stored in the U.S. But the emails from the account turned out to be stored in Ireland, and Microsoft maintained that the warrant did not apply to data stored overseas. Law enforcement sued in district court and Microsoft was held in civil contempt.
That decision was appealed and, in 2016, the Second Circuit ruled that, under the Electronic Communications Privacy Act (ECPA), a warrant obtained by law enforcement applies only to data that is physically in the United States. Separately, three district courts said the opposite: that any data held by a U.S. provider can, in fact, be reached with a warrant under ECPA. Given the contradictory rulings, this issue may end up at the Supreme Court, but the pathway and timeline remain unclear. In the meantime, the uncertainty undermines law enforcement activities and the competitiveness of American businesses abroad.
5. Congress is Looking Into These Issues
Congress has been assessing these complex legal issues for some time.
One proposed solution was introduced in 2015: the Law Enforcement Access to Data Stored Abroad (LEADS) Act. It would (1) recognize that U.S. agencies can’t compel disclosure of communications that aren’t stored in the country — unless the account is held by a U.S. person; and (2) strengthen the process for exchanging law enforcement information between governments, known as mutual legal assistance treaties (MLAT) by having the Attorney General create an online docketing system for MLAT requests and to publish new statistics on the number of such requests. The bill didn’t pass, but started a valuable conversation and earned broad support in the House with more than 130 co-sponsors.
Improving on those ideas was the International Communications Privacy Act (ICPA), which included a similar MLAT reform and a warrant requirement for all electronic communications content. ICPA would also create a legal framework that allows U.S. law enforcement to access any U.S. person’s communications — regardless of where the data are stored. The main difference from LEADS is that ICPA would grant warrants based on nationality and the location of the cloud service customer — not state borders. ICPA stalled, but led to a hearing last February.
DOJ has also proposed legislative changes that would require providers subject to U.S. jurisdiction to produce data in accordance with ECPA, even if the provider chooses to store that data outside the United States. Overall this would be a direct reversal of the Second Circuit’s Microsoft decision.
At the Senate hearing on May 24th, Congress took another important step in examining the multilayered and complicated issues surrounding cross-border data flows. The Senators’ questions focused on two main issues:
6. ECPA
Under ECPA, does a U.S. warrant grant law enforcement access only to content stored physically within the U.S.?
In February of 2016, during the House hearing on conflicts of law concerning cross-border data flows, Rep. Darrell Issa (R-CA) expressed general concerns with the current state of affairs and raised two questions: Should we treat tangible and intangible evidence the same way? Can law enforcement force a tech company to “bring in” evidence that is not in the U.S. just because they said so?
The search for answers continued in the recent May hearing, which explored whether a legislative reversal of the Microsoft v Ireland case is enough to clear this up, or if there should be more comprehensive ECPA reform.
The witnesses agreed that ECPA needs to be updated and that Microsoft’s outright ban on cross-border data warrants puts too much pressure on law enforcement. Witnesses differed on how best to update the law.
Brad Wiegmann, U.S. Deputy Assistant Attorney General, urged Congress to update ECPA and overrule Microsoft altogether, whereas other witnesses warned that would be no better then the ban we have right now.
Brad Smith, Chief Legal Officer of Microsoft, argued that a clean reversal of the Microsoft case will create conflicts of law and put tech companies in the middle.
In answering these questions, policymakers will need to weigh foreign citizens’ concerns over U.S. law enforcement and surveillance activities, the benefits of keeping U.S. tech companies headquartered in the U.S. and their global competitiveness, and the ability of law enforcement to investigate efficiently.
7. What Happens When Another Country Is Looking For Data?
This was the second focus of the hearing: when a foreign government is investigating a local crime and seeks access to data that happens to be in the U.S.
Creating a uniform process for each country to make requests may seem like an easy fix. But since many nations lack the due process and human rights protections guaranteed in the U.S., the solution must be more nuanced.
Senator Sheldon Whitehouse (D-RI) asked about creating a clear path into the “club” of chosen countries that can get stored data from the U.S. via a simpler procedure. Professor Jennifer Daskal assured Senator Whitehouse that such a mechanism can be implemented and there are already a few countries who are “on the margins” of being considered democratic with human rights protections that meet U.S. standards.
8. MLATs
That is why the mutual legal assistance treaty (MLAT) procedure was created — a web of agreements made between two or more countries regarding international cooperation in criminal investigations.
Unfortunately, MLATs didn’t smoothly solve the underlying issues. The bureaucratic process has led to severe bottlenecks, since U.S. companies hold a disproportionate share of the world’s data. It usually takes at least 9–10 months to get a response to an MLAT request. The U.S. government didn’t even request the data stored in Ireland through MLAT, referring to the process as “slow and cumbersome.” During the hearing, Rep. Suzan DelBene (D-WA) expressed the widespread view that the MLAT process needs to be updated.
Baseline reforms are needed to make the process more efficient and standardized, including implementing an “online request” system.
9. Bilateral agreement with UK
David Bitkower, former Deputy Assistant Attorney General at DoJ and witness at the February 2016 hearing, testified that adopting bilateral agreements with “high volume” (large number of requests) countries will remove some friction from the MLAT process. Additionally, a bilateral agreement with strategic partners who ensure due process and protect human rights will facilitate investigations and international cooperation, easing tension between U.S. tech companies and law enforcement.
During the recent Senate hearing, both the members of the Subcommittee on Crime and Terrorism and the witnesses expressed optimism that the U.S.-U.K. agreement could serve as a model for any future bilateral agreement. For it to work, Congress would need to amend U.S. law to remove the legal barrier preventing U.S. companies from complying with lawful U.K. requests for data. And to ensure due process protections and their enforcement across the globe, the U.S. should lead the charge in helping to establish a web of such bilateral agreements.
Key scholars have proposed a framework for U.S. leadership in establishing agreements, including minimization procedures, an independent adjudicator, and transparency reports. Further, some suggest that requests should only be granted when (1) data is held by a U.S. tech company and (2) the crime occurred wholly in the requesting country.
10. Proposed Legislation
During the most recent Senate hearing, Sen. Orrin Hatch (R-UT) declared his intention to reintroduce a modified version of ICPA.
To determine which country has jurisdiction, the revised bill would use the location of the suspect. If that person is a U.S. citizen or located in the U.S., “then law enforcement may compel disclosure, no matter where the data is stored, provided the data is accessible from a U.S. computer and law enforcement uses proper criminal process,” said Hatch.
Brad Smith (Microsoft) welcomed the new ICPA bill, stating it will “open the door to a new and constructive discussion” on law enforcement access to data.
Removing barriers to cross-border data flows is no simple task, and it deserves the significant attention it receives from Congress. The key is continuing to focus on bilateral agreements while updating the MLAT process and revising ECPA — both to better protect privacy and remove friction in the process.
This wouldn’t just address the jurisdictional issues facing law enforcement and U.S. tech companies; it will also ease the tension surrounding encryption both at home and abroad as law enforcement scrambles to meet its mission in a changing environment. Doing so ensures not only the continued success of U.S. economic interests, but also protects a free and open Internet.
