Lawmakers should ensure law enforcement agencies can gain lawful access to information to protect their citizens and uphold U.S. laws, but without putting companies and workers at a disadvantage, according to a report from the Information Technology and Innovation Foundation.
“Achieving this will require modernizing the process by which governments around the world obtain data stored outside their borders,” said Alan McQuinn, research analyst, and Daniel Castro, vice president of ITIF. “Existing legal processes and treaties are woefully out of date and needlessly complex.”
Countries have conflicting laws about receiving police data. There is no framework for how to navigate cross-border jurisdictional disputes, especially those involving the digital sphere, where border lines are often blurred.
This report recommends that lawmakers:
- Modernize the internal processes for responding to foreign requests for legal assistance.
- Work with other governments to draft and adopt model MLAT 2.0 language.
- Push back against foreign data-localization requirements.
- Update the Electronic Communications Privacy Act (ECPA) to protect domestic digital communications.
- Restrict companies from storing data in countries with conflicting laws that limit law enforcement.
- Engage with other nations to develop a “Geneva Convention on the Status of Data.”
One high-profile case included a law enforcement request for data from Microsoft.
In 2013, Federal law enforcement officials obtained a warrant to seize the contents of an email account belonging to a Microsoft customer whose data the company stored in Dublin, Ireland. Microsoft refused to comply with the order, arguing that the U.S. government cannot force a private party to use a warrant to conduct a search and seizure operation on foreign soil.
“This case exposed the cracks in the foundation of the current framework used by law enforcement agencies to access digital information and determine jurisdiction on the Internet,” McQuinn and Castro said. “Moreover, attempts to resolve this dispute risk either hamstringing law enforcement efforts or distorting the global marketplace for digital services.”
ITIF said that if the court rules for the government and declares that companies must provide access to data stored abroad, it could hurt the competitiveness of U.S. providers selling services abroad, given the perceived risk of U.S. government access. It could also cause other governments to similarly require companies to produce data stored outside of their borders, including that of U.S. citizens stored in the United States. This situation could be at odds with U.S. protections against unreasonable search and seizure—setting up international conflicts over sovereignty.
On the other hand, if the courts rule that search warrants cannot be used to obtain data stored overseas from U.S. companies, foreign governments may try to force U.S. companies to store data within their country’s borders to make it impossible for U.S. law enforcement to execute a lawful search and seizure.
ITIF’s proposed reforms would sidestep some of the negative outcomes that would inherently come from the Microsoft case.
“No one nation can solve this problem alone,” McQuinn and Castro said. “Settling questions of jurisdiction over data will require global reforms. However, the United States can and should lead the way on these reforms, and this report offers a path forward.”