U.S. President Donald Trump’s $1.3 trillion government spending bill, signed March 23rd, offered 2,323 pages of budgeting on issues ranging from domestic drug policy to defense. The last-minute rush to fund the U.S. government through this all-or-nothing “omnibus” presented legislators with a golden opportunity to insert policies that would escape deep public scrutiny. Case in point: the Clarifying Lawful Use of Overseas Data (CLOUD) Act, whose broad ramifications for undermining global privacy should not be underestimated, was snuck into the final pages of the bill before the vote.
Between the U.S. CLOUD Act and new European Union (EU) efforts to dismantle international rules for cross-border law enforcement investigations, the United States and EU are racing against one another towards an unfortunate finish-line: weaker privacy protections around the globe.
The U.S. CLOUD Act allows the U.S. President to enter into “executive agreements” with qualifying foreign governments in order to directly access data held by U.S. technology companies at a lower standard than required by the Constitution of the United States. To qualify, foreign governments would need to be certified by the U.S. Attorney General, and meet certain human rights standards set in the act. Those qualifying governments will have the ability to bypass the legal safeguards of the Mutual Legal Assistance Treaty (MLAT) regime.
In addition, U.S. law enforcement agencies (from local police to federal agents) can now compel U.S. and foreign technology[1] companies to disclose communications data of U.S. and foreign users that is stored overseas, regardless of the data’s physical location, potentially bypassing the countries’ privacy and data protection laws. Permitting the U.S. access to data which can be located anywhere sets a dangerous precedent for other countries, who are likely to demand similar access to data held in the United States. Such expansion of U.S. law enforcement power breaks the principle of territoriality, the core component of international law, and will produce a domino effect of information requests that overstep responding countries’ privacy safeguards.
Leaked documents obtained by the media network EURACTIV revealed the European Commission’s plans to launch on April 17th two proposals: A regulation on access to and preservation of electronic data held by companies that mirrors the CLOUD act’s self-serving agenda; and a Directive "to appoint a legal representative within the [EU] bloc".
According to EURACTIV, the regulation would grant EU member states the power to circumvent the responding countries’ privacy laws in fulfilling information requests. If passed, countries could demand data access of technology companies within 10 days or, in the case of an “imminent threat to life or physical integrity of a person or to a critical infrastructure,” technology companies could be compelled to comply within just six hours. Such demands would apply to internet companies such as Google, social networks like Facebook, Instagram, and Twitter, as well as cloud technology providers, domain name registries, registrars and “digital marketplaces” that allow consumers and/or traders to conclude peer-to-peer transactions.
The directive, as reported by EURACTIV, will force any company collecting data in the EU to appoint a legal representative to the EU bloc to address law enforcement data-requests. This demand would be particularly onerous for companies who do not even have an office in the EU, let alone store their data in the EU. Requiring all companies to maintain an EU legal representative will stifle innovation by further stacking the deck in favor of tech giants who have the resources to comply.
Prior to the announcement of the U.S. CLOUD act, the European Commission had already begun a process to improve access to electronic evidence within EU member states. On June 2017, the European Commission presented to EU Justice Ministers a set of options to improve cross-border access to e-evidence. Ministers then asked the Commission to come forward with concrete legislative proposals. A public consultation that was held from August to October 2017 gave some hints of the EU’s intention to adopt legislation that would enable far-reaching information demands on companies located not only within, but outside the European Union, as well.
In a statement on how the European Union can “improve” cross border access to data, Věra Jourová, European Commissioner for Justice, Consumers and Gender Equality said:
"Our current investigation tools are not fit for the way the digital world works … These tools still work within the limits of the principle of territoriality, which is at odds with the cross-border nature of e-services and data flows. As a result investigators' work is slowed down when dealing with cybercrime, terrorism and other forms of criminal activities, even where such crimes are not cross-border in nature. This is why we launched an expert consultation in 2016."
However, the EU proposals—coupled with the U.S. CLOUD Act—signal a potentially dangerous and uncoordinated race to the bottom. Although territorial protections for privacy were being litigated before the U.S. Supreme Court in the case United States v. Microsoft, before the CLOUD Act, U.S. officials could not ignore local privacy safeguards when seeking access to data hosted in a foreign state. (Just last week, the U.S. Department of Justice submitted a motion to the court to declare the case “moot,” according to a recent report by The Irish Times.)
Similarly, EU law must currently respect U.S. privacy safeguards when seeking to access content stored by companies in the United States. Both initiatives are willing to jettison the principle of territoriality and the foreign privacy safeguards that accompany it: the U.S. CLOUD Act allows U.S. law enforcement to ignore EU privacy protections, while the EU proposals, if passed, ignore U.S. privacy protections regarding access to content stored in the United States. However, neither would be pleased with the reciprocal impact of a world without territorial privacy.
Indeed, Commissioner Jourova has already decried deficiencies in the United States’ approach, stating on Twitter that she wants to see “the EU and the U.S. have compatible rules for obtaining evidence stored on servers located in another country, in order to solve serious crimes. Unfortunately, the U.S. Congress has adopted the CLOUD Act in a fast-track procedure.”
It remains to be seen whether EU and U.S. based lawmakers or courts will accept the European Commission’s attempts to bypass EU and U.S. privacy safeguards. Our friends from European Digital Rights (EDRi) have warned against such proposals in the EU.
EDRI’s Senior Policy Advisor, Maryant Fernández, told EFF:
"If the Commission does not change its mind prior to publication of its proposals on April 17, it would be proposing dangerous short cuts to access people's data directly from companies, turning companies into judicial authorities."
The irony is that such unilateral moves to ignore foreign privacy standards are hardly necessary. While practical challenges currently exist in cross-border access to data, these challenges relate primarily to a lack of efficiency and clarity in the prevailing MLAT regime. This deficiency can be easily addressed through:
- The express codification of a dual privacy regime that meets the standards of both the requesting and the host state. Dual data privacy protection will help ensure that as nations seek to harmonize their respective privacy standards, they do so on the basis of the highest privacy standards. Absent a dual privacy protection rule, nations may be tempted to harmonize at the lowest common denominator, and
- Improved training for law enforcement to draft requests that meet such standards, and other practical measures.
Now is the time for improving MLATs. The EU must ensure a level of predictability, accountability and procedural safeguards that is at least equal to the level that currently exists. Moreover, the EU does not have to follow the U.S. down the same path of privacy abandonment. Instead, EU institutions and Member States have the opportunity to champion logical solutions that help law enforcement access digital evidence while still protecting privacy and maintaining respect for the sovereignty of other nations. Until we know more, we must wait. But know that, as soon as these proposals produce their first public agreements, EFF will learn, evaluate, and potentially fight for better privacy rights in Europe, and around the world.
[1] U.S. extraterritorial warrants could apply to foreign companies--the U.S. just has to find a sufficient jurisdictional nexus to send an order. So Telegram, even though German, serves customers in the U.S. and can be subject to an order.