Law Enforcement Cross-Border Data System Needs Fix: DOJ

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Daniel R. Stoller

July 20 — Foreign countries seeking data for law enforcement purposes rely on an outdated and cumbersome system designed for the analog age, but a recent proposal may update the process for the digital era, academics recently told Bloomberg BNA.

A recent proposal by the U.S. Department of Justice would help alleviate hurdles in the process by making changes to the Stored Communications Act (SCA), the Wiretap Act, and the Pen/Trap Statute, the DOJ said in a July 15 statement. The proposal, if it became law, is seen as a necessary step to a bilateral law enforcement cross-border data sharing agreement between the U.K. and the U.S, the DOJ said. (15 PVLR 433, 2/29/16).

Under the DOJ proposal, foreign governments with a valid warrant would only be allowed access to data on foreign citizens who aren't residing in the U.S. Also, the U.S. Attorney General would have to “certify to Congress that foreign partners have met obligations and commitments designed to protect privacy and civil liberties.”

The proposal “lifts the blocking statute that prohibits U.S.-based providers from turning over the content of communications (i.e. e-mails) to foreign governments, even when they are investigating their own citizens,” Jennifer Daskal, assistant professor of law at American University Washington College of Law, told Bloomberg BNA.

The proposal “is an important step forward—one that will minimize the negative incentives in favor of data localization mandates, unilateral assertions of jurisdiction, and use of malware and other surreptitious means of accessing sought after data,” she said.

However, not all are happy with every aspect of the DOJ proposal. Greg Nojeim, senior counsel at the non-profit advocacy group Center for Democracy & Technology in Washington, told Bloomberg BNA that the proposal “has some significant problems,” such as allowing foreign countries to engage in wiretapping in the U.S. This would be a “huge expansion in mass surveillance,” he said.

Unlike other treaties, the proposal essentially eliminates Congress' ability to put a check on the executive branch by allowing the Attorney General to approve the agreements, he said.

Post- Microsoft Implications

The issue of cross-border data sharing for law enforcement purposes was highlighted by the recent U.S. Court of Appeals for the Second Circuit's decision in the Microsoft-Ireland e-mail case (15 PVLR 1465, 7/18/16).

Microsoft Corp. squabbled with the U.S. over the past three years to quash the warrant that sought the release of the e-mails allegedly related to a drug prosecution. In December 2013, a New York magistrate judge issued a search warrant for information associated with a specific e-mail account controlled and operated by Microsoft. The company produced the non-content information that was stored on U.S. servers, but declined to provide any data that was stored in its Dublin data center. After the U.S. District Court for the Southern District of New York upheld the warrant in 2014 (13 PVLR 1416, 8/11/14), Microsoft appealed the ruling (14 PVLR 1678, 9/14/15) and ultimately won the case.

The Second Circuit ruled that the SCA doesn't “authorize courts to issue and enforce against U.S.-based service providers warrants for the seizure of customer e-mail content that is stored exclusively on foreign servers.” It concluded that “Congress did not intend the SCA's warrant provisions to apply extraterritorially.” Instead, the U.S. would have to rely on other methods outside of the SCA to obtain the data.

Although the DOJ proposal doesn't address warrants to access U.S. citizens' data stored on foreign servers, the agency still called for legislation to address “the significant public safety implications of the decision.”

Andrew K. Woods, assistant professor of law at the University of Kentucky College of Law, told Bloomberg BNA that the case backs up the notion that “the test for jurisdiction over data is the location of the data center,” and that it is “precisely the wrong message to send to countries that are trying to figure out how to assert their sovereignty over the internet.”

However, Nojeim said that if the court didn't reach this decision, “you could bet your bottom dollar” that other “governments would start beating down the doors of U.S. providers to reach content stored in the U.S.”

Slow and Inefficient?

One way for the U.S. to obtain the data that the Microsoft case excluded is through the Mutual Legal Assistance Treaty (MLAT) process.

MLAT allows a law enforcement agency from one country to ask a law enforcement agency in a foreign country for private data from a citizen of the foreign country for use in a criminal investigation.

The DOJ's proposal is an attempt to work around the MLAT system that is both inefficient and cumbersome for cross-border law enforcement requests, the academics said.

Daskal said that the system is “slow and inefficient,” and it may “take an average of ten months for foreign governments to access data located in the U.S.”

Woods said that the U.K.-U.S. bilateral agreement is the reason behind the DOJ proposal. “The reason countries must go through the MLAT process to get access to data held by U.S. companies is because the Electronic Communications Privacy Act (ECPA) effectively acts as a blocking statute—barring firms from cooperating with foreign law enforcement,” even when they have good reasons to get the data, he said.

The DOJ proposal “would remove the blocking features, only with regard to serious crimes, and only for countries that enter into an agreement with the U.S.,” Woods said.

The countries that enter into an agreement with the U.S. must respect “the rule of law, due process and human rights” to be able to request data directly from U.S. companies,” Woods said.

However, Nojeim said that “often times foreign governments don't have the same factual and probable cause” tests as the U.S., which may be a “step backwards for human rights.” Data may be released to countries that have a “poor human rights record,” without a “sufficient factual basis for reaching evidence of a purported crime,” he said.

MLAT Reform

The DOJ proposal doesn't directly call for reform to the MLAT system. However, the agency said that updates to the MLAT system “must remain a priority.”

Daskal said that the DOJ proposal doesn't allow for foreign governments to access U.S. citizens' data and must rely on the “MLAT system—and ultimately obtain a U.S. warrant based on a U.S. standard of probably cause.”

More congressional action is needed, Daskal said. “Congress should reform the relevant statutes to ensure U.S. law enforcement can directly compel the production of U.S. persons' data, wherever located and pursuant to lawful process, if necessary to the investigation of criminal activity,” she said.

Nojeim agreed there is a need for MLAT reform. “Right now the MLAT process works too slowly and should be updated,” he said.

To contact the reporter on this story: Daniel R. Stoller in Washington at dstoller@bna.com

To contact the editors responsible for this story: Donald G. Aplin at daplin@bna.com ; Jimmy H. Koo at jkoo@bna.com

For More Information

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.