U.S. Justice Department and United Kingdom national security officials today urged House lawmakers to pass legislation to clear the way for U.S. law enforcement agencies to obtain data relevant to criminal investigations that is stored abroad, and for foreign government agencies to obtain data relevant to public safety needs that is stored in the U.S.

“To address the first issue, we recommend a simple legislative fix to make clear that [Stored Communications Act] warrants can be used to obtain data under a provider’s custody or control, even if it is stored abroad. To address the needs of foreign countries and providers facing a conflict of laws, we recommend a new bilateral data-sharing framework that would protect both American and foreign citizens’ privacy interests,” Richard Downing, acting deputy assistant attorney general for the Justice Department’s Criminal Division, said in his written testimony for today’s hearing before the House Judiciary Committee. Some lawmakers questioned whether agreements between countries should be left to law enforcement agencies, or whether they should be adopted through a formal treaty process.  Some committee members also suggested that the proposed legislation should have a provision requiring a congressional vote of approval or allowing for a congressional veto of intergovernmental agency agreements, but Mr. Downing said that such a provision could be found unconstitutional under existing court precedents.

The need for action on the issue of law enforcement access to cross-border data was exacerbated by the July 2016 ruling of the U.S. Court of Appeals for the Second Circuit (New York) that held that Congress did not intend the warrant provisions of the SCA to apply to data stored outside the U.S., allowing Microsoft Corp. to ignore a U.S. search warrant for customer data stored in Ireland (TR Daily, July 14).

In his opening statement, committee Chairman Bob Goodlatte (R., Va.) said, “U.S. law restricts access to data by foreign countries, making it difficult, if not impossible in some instances, for foreign governments to obtain evidence of crimes or terror plots carried out by their own citizens. This has resulted in foreign governments enacting their own legislation to address the problem, including laws requiring U.S. companies, as a prerequisite for doing business, to comply with foreign government requests for data.  Others are considering legislation that would require U.S. providers to locate servers in the foreign country to ensure foreign jurisdiction over the U.S. provider. This is sometimes referred to as ‘data localization.’

“Moreover, certain foreign countries prohibit the removal of data from their boundaries.  U.S. law, by contrast, makes no distinction between data stored domestically and data stored abroad, nor with regard to the nationality or location of the customer. The result of these conflicts is that U.S. technology companies find themselves having to comply with either U.S. law or foreign law, as it is often impossible to comply with both.  This is an untenable situation,” Chairman Goodlatte added.

“In the wake of the ‘Microsoft’ decision, other providers have refused to comply with warrants on the basis that some or all of the data pertaining to the subject of an investigation is stored on servers located outside of the United States.  In the courts, however, five recently-issued opinions diverge from the Second Circuit’s ruling, concluding that data must be disclosed pursuant to lawful process, regardless of the location of the data being sought.  It is clear that Congress must find a contemporary solution that embraces the modern manner in which data is stored and acquired internationally.  A legislative fix to the Stored Communications Act is necessary to remedy the problem made clear by the ‘Microsoft’ decision,” Chairman Goodlatte said.

Committee ranking minority member John Conyers Jr. (D., Mich.) called for the Senate to pass the Email Privacy Act, which “has passed unanimously in the House twice.”  It would require a warrant for government agencies to obtain stored communications in criminal investigations, eliminating the Electronic Communications Privacy Act’s existing distinction based on how long the e-mail has been on the provider’s service or whether it has been opened.  Rep. Conyers noted the difficulties of foreign law enforcement officials in obtaining data stored in the U.S.  “We can achieve a better balance here,” he said.

Mr. Downing said that “U.S. providers want to be able to comply with foreign law enforcement requests without violating U.S. law.”

Paddy McGuinness, U.K. deputy national security adviser, told the committee that the British are “resilient” in the face of recent terrorist attacks in London and Manchester, “but our returned prime minister has caught the mood when she said, ‘Enough is enough.’”

U.K. Prime Minister Theresa May, whose Conservative Party won a plurality of seats in the U.K. elections earlier this month, announced with French President Emmanuel Macron earlier this week a joint effort to hold Internet companies responsible if they don’t remove terrorist content on their social platforms and websites (TR Daily, June 14).

Mr. McGuinness emphasized that the data-sharing framework he and Mr. Downing advocated is “not compulsory,” but instead merely “removes a legal bar to company cooperation.”  It is also “not one-sided,” would not be used to obtain bulk data, is “encryption-neutral,” and doesn’t enable U.K. agencies to obtain access to the data of U.S. citizens.

Chairman Goodlatte asked whether a formal, multilateral treaty would be a better mechanism than the bilateral agreements proposed by the government witnesses.

Mr. Downing said it was “an interesting question” and that “we have to think about how it would be most efficient to be able to build out to other countries.”  He added that the proposal contemplates “a strong role for Congress in setting up the base rules” and an “important role for Congress on the back-end to be notified of extensions” of the framework to other countries.

Rep. Conyers raised concerns that the U.K.’s standard for issuing a warrant is not the U.S. standard of “probable cause.”

Mr. McGuinness said, “We have very high standards in the U.K.” and “the same legal tradition as you.”

Rep. Darrell Issa (R., Calif.) also asked whether a treaty approach would be “more appropriate.”  He added, “Is there any reason for not doing a treaty other than this is quicker?”

Rep. Zoe Lofgren (D., Calif.) said that with the European Union’s General Data Protection Rule slated to go into effect in May 2018, data that is stored in the E.U. “can only be transferred to a non-E.U. country … through a process that is ratified in a treaty.”  Adopting the non-treaty framework advocated by Mr. Downing and Mr. McGuinness would create “a situation next year where American companies are going to violate the law no matter what they do.  I don’t think it’s fair to set up a situation where great American companies” are in that position, she said.

Mr. McGuinness disputed that interpretation of the GDPR, and that Article 48 of the GDPR is “nuanced” and “would allow transfers of the kind we consider here.”

Mr. Downing said, “We agree.”  He added that “the concerns that have been raised are inaccurate and overstated.”

Rep. Lofgren said, “I would like a statement that’s definitive on that, that companies could take to a court as a shield that they’ve relied on in good faith.”

Rep. Issa said he joined Rep. Lofgren on the need for it to be “crystal clear” that the proposed data-exchange framework would create “a damned-if-you-do, damned-if-you don’t situation.”

A dozen entities— most of them tech-focused trade associations — sent a letter to the committee today calling for congressional action “to reflect today’s modern technology rather than continue enforcing legal rules stuck in the past that don’t reflect the global nature of data.”

“We need a new framework that accounts for law enforcement’s needs, the realities of today’s technology, and the way people and businesses rely on that technology — now and into the future.  Rules to access and protect global data require a solution with a global focus,” the groups said.

Signing the letter were the app developer trade association ACT, BSA (formerly the Business Software Alliance), the Computer & Communications Industry Association, the Computing Technology Industry Association, the Entertainment Software Association, the Information Technology Industry Council (ITI), the Internet Association, the National Association of Manufacturers, NetChoice, Reform Government Surveillance, TechNet, and the U.S. Chamber of Commerce. —Lynn Stanton, lynn.stanton@wolterskluwer.com

Courtesy TRDaily