Time for Congress to Clarify Rules on Law Enforcement Access to Overseas Data

Share |

Technology companies are increasingly challenged by requests by law enforcement to access data stored outside the U.S. This issue came to a head in July 2016, when the Second Circuit Court of Appeals ruled against the U.S. Government in the case Microsoft v. United States, stating that the government cannot compel Microsoft, or other companies, to turn over customer emails stored on servers outside the United States.  The Department of Justice (DOJ) is expected to appeal this decision, and various other cases are making their way through the courts.

Unfortunately, the outcome of these cases is a lose-lose for industry and law enforcement alike, as SIIA has opined in the past.  A win for Microsoft is likely to result in data localization requirements by countries around the world (not good for U.S. cloud providers and the global internet), as well as a serious setback for law enforcement access to critical information.  On the other hand, a win by the DOJ would create an explicit conflict of law for U.S. technology companies storing data overseas.  In this event, other countries and global customers would avoid U.S. cloud services (and U.S. law enforcement would subsequently have reduced access to this information anyway). 

With such a mutually deplorable outcome from the courts either way, the time has come for Congress to fix our outdated laws.

SIIA held a well-attended Capitol Hill discussion on this issue on April 4, led by a panel of experts and highlighted by remarks from Senator Orrin Hatch (R-UT).  The panel discussion featured former DOJ Deputy Assistant Attorney General, David Bitkower, now with Jenner and Block, Jennifer Daskal, from American University Washington College of Law, as well as David Lieber from Google and Greg Nojeim from the Center for Democracy and Technology.

The discussion was in-depth, and good news in terms of the unanimous agreement that Congress should fix the laws.  However, how to accomplish this is still tricky.  After years of consideration, it is virtually unanimous that we can’t craft a legal system that hangs on the location of the data (see the making of a “splinternet.”).  But while Mr. Bitkower explained the potential law enforcement benefit of a “location of the crime” based standard for access, Mr. Nojeim and Mr. Lieber noted that this approach still presents challenges for non-U.S. persons whose national privacy laws are supposed to restrict access to their data.  Sen. Hatch, and others in Congress proposed the International Communications Privacy Act (ICPA) in the last Congress—with broad support from SIIA and the U.S. technology industry.  Mr. Bitkower and Ms. Daskal highlighted concerns from U.S. law enforcement that this approach would limit access to critical information on relevant U.S. investigations involving international parties or data storage.  Mr. Nojeim highlighted that all of these approaches pose international privacy concerns for internet users, an issue CDT and other privacy advocates will go to the mat for.

U.S. information technology companies are global leaders in providing cloud computing services for users around the world, but this status is threatened as long as the laws are unclear, and U.S. law enforcement remains unable to efficiently access critical information.  Global privacy, too, hangs in the balance. 

Fortunately, despite the varying perspectives about how the law could be changed, there was broad agreement among our diverse group on multiple fronts.  First, and most importantly, there was broad agreement on the need for Congress to fix the 1986 laws that created this system.  Second, all sides must be mindful of global privacy laws and expectations.  Finally, with respect to the solution, there was agreement that the law can be crafted to provide for law enforcement access—with a warrant—to critical data stored by U.S. IT companies, and also recognize the interests of foreign government’s privacy protections.  There was broad agreement on the panel that a related framework proposed in 2016 for bilateral data sharing between the U.S. and U.K. could provide the basis for international cooperation.

Balancing the sometimes-competing imperatives will still be a tricky endeavor, but Sen. Hatch closed the event with a reaffirmation that he will continue to lead on this critical legislative reform effort, urging DOJ to engage with him to help craft revised legislation to fix what is currently a lose-lose for industry and the U.S. economy, and create a new framework for international communications privacy.

David David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy. Follow the SIIA public policy team on Twitter at @SIIAPolicy.