by Chris Calabrese, Vice President, Policy, Center for Democracy & Technology
Last week in United States vs. Microsoft, the Department of Justice (DOJ) petitioned the Supreme Court to decide the reach of the U.S. government when compelling U.S. companies to turn over data stored outside the U.S. Courts are divided on the issue. The Second Circuit Court of Appeals held that the Electronic Communications Privacy Act (ECPA) cannot reach extraterritorially. Magistrates in other circuits have disagreed, interpreting the search as occurring where a company discloses data, not where the data is seized. However, what no one disputes is that as the number of requests skyrockets, the system for accessing data across borders is deeply in need of reform and that courts are ill-suited to tackle the complicated equities at stake.
The current system uses Mutual Legal Assistance Treaties (MLATs) to allow foreign law enforcement to pass requests to their domestic counterparts, who in turn serve them on specific providers. The process is slow and sometimes frustrating for law enforcement. U.S. service providers are frequently caught in the middle – they are not only worried about violating the privacy rules of a particular country, but also about thwarting legitimate investigations. At the same time, privacy advocates rightly note that U.S. law – undergirded in many cases by the protections of the Fourth Amendment – is particularly strong and should not be abandoned.
While there are no perfect solutions to this problem, at the Center for Democracy & Technology we have argued that significant progress can be made through a package of reforms focused on four areas:
- Bilateral agreements between select nations that would allow law enforcement to go directly to a particular service provider. These agreements must be cabined by strict privacy rules.
- Improvements to the existing MLAT system so countries that are not eligible for direct access can still work quickly with local police in appropriate situations.
- Improvements to domestic U.S. law that set a privacy baseline.
- Adoption of legal changes that allow U.S. law enforcement to reach data held outside of the U.S. in appropriate circumstances.
As part of recent congressional testimony, the Department of Justice described its own structure for bilateral agreements. Appropriately, it would authorize agreements only with countries that “provide robust protections of human rights, privacy and other fundamental freedoms”, and it lays out key criteria to meet that test. Unfortunately, these are only “factors” DOJ would consider; they are not requirements. To enact a strong, privacy-protective reciprocal framework within bilateral agreements between nations, each of these “factors” should be clarified and made into “requirements”, and the evidence justifying them should be described in the notice and comment procedures of the Administrative Procedure Act. DOJ must also improve the legal standards for accessing information so they more closely resemble the U.S. probable cause standard and require independent judicial review. Finally, no bilateral agreement should authorize invasive techniques like wiretapping or voluntary disclosure of metadata.
Second, since not every nation will qualify for a bilateral agreement like the proposed DOJ plan, Congress should reform the existing MLAT process. The International Communications Privacy Act (ICPA) introduced last Congress would reform the system by requiring DOJ to create and post an MLAT request form for foreign government use; creating an online docketing system that would allow foreign governments to track the status of their MLAT requests; and reporting on an annual basis the number of MLAT requests the U.S. receives from foreign governments and makes to those governments, and the average processing time for each.
Third, Congress must set a privacy baseline in U.S. law by passing the Email Privacy Act. This legislation – which has passed the House unanimously in the last two Congresses – would require law enforcement to obtain a warrant for the content of emails. While a warrant for content is generally assumed as the default for DOJ when talking about cross-border demands, the reality is ECPA authorizes access to content with the use of a simple subpoena with notice in many circumstances. While we commend service providers and the DOJ for voluntarily following the warrant requirement laid out by the Sixth Circuit in U.S. vs. Warshak, federal statutory reform needs to codify this standard.
Finally, any proposal should address how the U.S. accesses data held outside the country. We have to move away from the use of the location of data as a standard and establish a rule for the scope of U.S. warrants that turns on the nationality and location of the subscriber or customer whose data are sought. It should also respect other nations’ interests by deferring to them when bilateral agreements are in place.
Sorting out the appropriate policy response for the cross-border flow of data is fraught, involving the interrelationship of complicated systems and legal doctrines. However, we believe a legislative proposal that includes these four reforms can make significant inroads toward respecting the comity between nations, speeding lawful access by government to electronic communications and protecting individual privacy.