Increasingly, evidence critical to ordinary criminal investigations is located across territorial borders. Before the rise of cloud computing, evidence of crimes generally was available within the requesting country’s territorial jurisdiction. Today, the content of emails, social network posts, and other content are often stored in a different country. A 2018 report by the European Commission found that “more than half of all investigations involve a cross-border request to access [electronic] evidence.”
This globalization of criminal evidence is creating significant challenges for law enforcement. Traditional cross-border mechanisms such as Mutual Legal Assistance Treaties are widely considered too slow and cumbersome. Countries around the world are responding with new laws and legal proposals, with consequential effects on privacy and human rights, in addition to changes to law enforcement procedures and governance of the internet.
The CLOUD Act
The CLOUD Act, passed by Congress as part of an appropriations bill in March 2018, marks a major change in how cross-border access to evidence may develop. The first part of the CLOUD Act mooted the pending Supreme Court case of United States v. Microsoft. To summarize briefly, Microsoft argued that the U.S. warrant had no legal force because the emails being sought were stored outside the United States, in Ireland. The United States argued that Microsoft could access the data from within the United States and thus the place where the data happened to be stored did not matter. The CLOUD Act resolved the legal issue, providing that the kind of compelled disclosure orders at issue in the Microsoft Ireland case apply “regardless of whether such communication, record, or other information is located within or outside of the United States.” The act also created a new “comity” provision for addressing possible conflicts between U.S. law and the laws of other countries, albeit applicable in limited situations.
The second major part of the CLOUD Act creates a new mechanism for other countries to access the content of communications held by U.S. service providers. Under the Electronic Communications Privacy Act, U.S.-based companies are prohibited from disclosing communications content directly to foreign governments. Foreign governments are instead required to make an MLAT or other diplomatic request for the data, even when it is the data of their own citizens in connection with local crime. This has been an increasing source of frustration for many governments, particularly since so much cloud-based data is held by United States-based providers.
The CLOUD Act enables the bypassing of these restrictions in specified circumstances, based on the adoption of “executive agreements” between the U.S. and other countries, and subject to a number of baseline substantive and procedural requirements. Where executive agreements are in place, the blocking provisions of ECPA are partially lifted, and countries can directly request communications content of non-U.S. citizens and residents from service providers. The CLOUD Act authorizes these executive agreements only for countries meeting human rights and rule of law requirements, and only with a long list of requirements for each request. As Daskal and Swire have explained previously, these kinds of agreements can, if done right, help raise key privacy and human rights protections (although there have been sharp criticisms from some about whether the protections are strong enough). As Swire has discussed recently in Lawfare, the U.S. has been negotiating the first executive agreement with the United Kingdom.
eEvidence in the EU
A few weeks after the adoption of the CLOUD Act, the EU Commission introduced an important legislative package called “eEvidence,” which is a kind of “European CCLOUD Act” aimed at facilitating access to electronic evidence by European police and judicial authorities. Like the CCLOUD Act, eEvidence seeks to provide an alternative to the existing mutual legal assistance framework. If adopted, it would enable law enforcement authorities in one member state to preserve and obtain stored data directly from online service providers located or represented in a second member state. Like the CLOUD Act, eEvidence stipulates that the obligation to produce or preserve electronic evidence exists “regardless of the location of data.”
More precisely, this legislative package contains two texts. First, a draft directive requires appointment of a legal representative for every online service provider that is “established” in or has a “substantial connection” to at least one EU member state. That representative must have the capacity to accept and comply with orders to produce evidence in criminal proceedings from the appropriate member state authorities. Second, a draft regulation sets out a comprehensive scheme to facilitate law enforcement access to electronic evidence through two new legal instruments — the European Production Order and the European Preservation Order. In the case of a production order, providers would be compelled to produce the data directly to the issuing member state authorities (within 10 days in normal cases, six hours in emergency situations), subject to certain exceptions and limitations.
The EU Commission presented the eEvidence proposal in April. It is now slated to be reviewed by the Council as well as the EU Parliament, which has a hearing scheduled in a few weeks. The Parliament’s rapporteur is MEP Birgit Sippel, who has emphasized the importance of ensuring that privacy and fundamental rights are adequately protected.
Data nationalism or global cooperation?
As the CLOUD Act and eEvidence have been under development, other countries have taken or considered different approaches. Both Russia and China, among numerous other countries, have enacted laws that require “data localization” — storing communications records within the country. Data localization provides an advantage for local law enforcement — the records remain in the country, subject to the local rules (or lack of rules) for how the government can access the records. These kinds of data localization laws can also have, in our view, considerable negative effects. Among other concerns, data localization rules can threaten to undercut privacy and human rights by helping repressive regimes to access data without basic privacy protections and fundamental rights in place. Localization thus threatens a key benefit of the internet, which has allowed dissidents and human rights activists to use global internet services that are located outside their nation’s territorial jurisdiction and thus protected, in part, from local surveillance.
Meanwhile, other countries around the world, large and small, are seeking ways to address the challenges facing law enforcement due to the globalization of evidence. In June 2017, the 61 parties to the Budapest Convention on Cybercrime agreed to launch the preparation of an additional Second Protocol to the Convention to help law enforcement secure evidence on servicers in foreign, multiple or unknown jurisdictions. Australia is currently considering major reforms to its laws for access to data for criminal cases. The Canadian Association of Chiefs of Police recently passed a resolution calling for negotiation of an executive agreement with the U.S. under the CLOUD Act. India has actively debated data localization requirements, to assist law enforcement access. Discussions in a 2018 conference hosted by the Internet and Jurisdiction Project also highlighted a range of reforms being considered in Africa, Latin America and elsewhere.
In sum, the globalization of criminal evidence is driving historic change in the rules for how law enforcement can gain access to communications and other records consistent with privacy and human rights protections. As we explain in a separate IAPP post, the new Cross-Border Data Forum is designed to provide a mechanism for studying, debating and improving the new legal structures for these vital issues.
Jennifer Daskal, Théodore Christakis, Peter Swire, CIPP/US.
This article first published in the IAPP’s Privacy Tracker blog.