Cross-Border Data Access Reform: A Primer on the Proposed U.S.-U.K. Agreement
13 Pages Posted: 15 Sep 2017
Date Written: September 2017
Cross-border data access reform may be on the legislative agenda in late 2017, with recent House and Senate judiciary committee hearings revisiting the topic. In light of this increasing interest, we thought it would be helpful to provide a brief primer on how cross-border data access requests currently work, options for reform, and major challenges to reform ahead. This document presents a short, high-level background review of the debate as it currently stands, particularly focusing on the DOJ’s 2016 proposal for reform.
Governments need evidence to investigate and prosecute crimes, but increasingly that evidence takes the form of data stored on the servers of U.S. tech companies. In July 2016, the U.S. Department of Justice (DOJ) released draft legislation that would address some of the challenges foreign governments face when seeking data related to criminal investigations from U.S. companies. Interest in making such changes continues to grow, with relevant laws, including the Electronic Communications Privacy Act (ECPA), maybe seeing Congressional attention in late 2017, especially as the Foreign Intelligence Surveillance Act (FISA) comes up for renewal.
To access electronic content – including email, social media messages, and more – held by U.S. companies, a foreign country currently relies primarily on the processes set out in agreements called Mutual Legal Assistance Treaties (MLATs), if that country has negotiated one with the U.S. MLATs with the U.S. require countries to meet U.S. legal standards when making requests for electronic content data, with less strict standards for metadata. Countries have grown frustrated with both the normative implications of the MLAT process and its typical lengthiness.
After substantial debate, and with many proposed ideas from civil society, industry, and academia, the Department of Justice (DOJ) in July 2016 released draft legislation intended to address these concerns. The proposal moves away from the treaty-based system currently underpinning the mutual legal assistance process. Instead, the new legislation would require “lighter touch” bilateral agreements on this issue between the United States and participating countries. Once countries are approved for these bilateral agreements, the legislation would allow them to submit requests for data, made pursuant to the requesting countries’ laws and stipulations in the legislation, directly to U.S. electronic service providers, instead of first going through U.S. courts. The U.K. would likely be the first country approved to make requests under this new legislation, but the legislation would also pave the way for agreements with other qualifying countries. This legislation advances a legal solution for crossborder data access that proponents hope is sufficiently appealing to foreign governments to forestall more damaging alternative responses to data access concerns, including country-wide service bans, mandated data localization, or forcing companies to make decisions in the face of a conflict of laws.
Suggested Citation: Suggested Citation