In late 2013, U.S. federal law enforcement officials obtained a warrant as part of an anti-narcotics investigation to seize the contents of an email account belonging to a Microsoft customer whose data the company stored in Dublin, Ireland. Microsoft refused to comply with the order, arguing that the U.S. government cannot force a private party to do what U.S. law enforcement has no authority to do itself: use a warrant to conduct a search and seizure operation on foreign soil. This case exposed the cracks in the foundation of the current framework used by law enforcement agencies to access digital information and determine jurisdiction on the Internet. Moreover, attempts to resolve this dispute risk either hamstringing law enforcement efforts or distorting the global marketplace for digital services. This report explains the problems with the status quo, describes the limitations of existing proposals, and offers an alternative framework to resolve these issues along with a set of recommendations to operationalize this framework not just within the United States, but globally.
No matter how the courts ultimately decide the Microsoft case or related ones, there are potentially negative implications for U.S. technology competitiveness and the U.S. economy overall. If the court rules for the government and declares that U.S. companies must provide access to data stored abroad, it will create two problems. First, it could hurt the competitiveness of U.S. providers selling services abroad, given the perceived risk of U.S. government access. Data stored abroad by U.S. companies would be treated differently than data stored abroad by foreign providers since foreign providers with no U.S. presence would not be subject to U.S. warrants. As a result, some foreign customers might decide to switch to foreign providers not in the United States, or even be encouraged or required to do so by their government. Second, it would set a concerning precedent, and other governments might similarly require companies operating within their borders, or subsidiaries of these companies, to produce data stored outside of their borders, including that of U.S. citizens and residents stored in the United States. This situation could be at odds with U.S. protections against unreasonable search and seizure—setting up international conflicts over sovereignty.
Conversely, if U.S. courts rule that search warrants cannot be used to obtain data stored overseas from U.S. providers, foreign governments may try to force U.S. companies to store data within their country’s borders to make it impossible for U.S. law enforcement to execute a lawful search and seizure. Such data localization policies would raise costs for businesses and consumers, especially those adopting cloud-based technologies and services. In addition, data localization policies would make it more difficult for U.S. companies to compete abroad as they would have to build more data centers in every market they want to enter. This outcome could also violate the Budapest Convention on Cybercrime, an international treaty signed by the United States and 51 other parties, which requires signatories to maintain compulsory access to all data stored by domestic companies.
Either alternative would make it more difficult for U.S. law enforcement agencies to get access to data in the long run, as it would create incentives for data service providers to keep or move data outside of the United States.
U.S. policymakers should ensure law enforcement agencies can gain lawful access to information to protect their citizens and uphold U.S. laws, but without disadvantaging U.S. companies and workers facing global competition. Achieving this will require modernizing the process by which governments around the world obtain data stored outside their borders. Existing legal processes and treaties are woefully out of date and needlessly complex. Countries have mismatched legal assistance treaties, conflicting laws, and differing norms. Indeed, there is currently no comprehensive framework for how to successfully navigate cross-border jurisdictional disputes, especially those involving the digital economy. Such a patchwork of laws and rules may have been somewhat acceptable before the advent of the digitally integrated global economy. Now it is not.
No one nation can solve this problem alone. Settling questions of jurisdiction over data will require global reforms. However, the United States can and should lead the way on these reforms, and this report offers a path forward.
This report builds from a previous ITIF report offering a framework on how nations should engage in Internet policymaking given the global nature of the Internet. It makes specific recommendations for how governments can use this framework to establish policies for law enforcement to access data. This report also assesses theoretical approaches to establish jurisdiction over that data, focusing on cross-border law enforcement requests, and not clandestine intelligence gathering for national security purposes. The framework herein is not intended for law enforcement requests for metadata (data that describes information about a communication).
To operationalize the proposed framework, policymakers should pursue the following actions:
- Modernize the internal processes for responding to foreign requests for legal assistance;
- Work with other governments to draft and adopt model MLAT 2.0 language;
- Push back against foreign data-localization requirements;
- Update the Electronic Communications Privacy Act (ECPA) to protect domestic digital communications;
- Restrict companies from storing data in countries with conflicting laws that limit law enforcement;
- Engage with other nations to develop a “Geneva Convention on the Status of Data”.