WASHINGTON— Outdated laws, court decisions, and treaties make it unnecessarily difficult for law enforcement to access data as part of lawful investigations that traverse borders, according to a report released today by the Information Technology and Innovation Foundation (ITIF), the leading U.S. think tank for science and technology policy. These gaps not only present barriers to solving crimes and preventing terrorism, but they also have led to policies that put U.S. companies at a competitive disadvantage. To address this problem, ITIF proposes a new framework for how law enforcement can successfully navigate cross-border jurisdictional disputes without disadvantaging U.S. companies and urges the U.S. government to take a global leadership role in promoting this framework among its key economic partners.
“The system we have for international law enforcement cooperation may have worked before the Internet, but it does not work in 2017,” said Daniel Castro, ITIF’s vice president and co-author of the report. “Because data can now be duplicated, moved, and stored across servers in different countries, treaties written in the era of typewriters are making it practically impossible to prosecute criminals on today’s digital networks.”
ITIF’s report argues that the current framework for how law enforcement agencies can access data outside their own borders is broken. The report analyzes three theoretical approaches to resolving which country has jurisdiction over data: where the data is located, where the company holding the data is located, and where the data subject (e.g., a criminal suspect) is located. While each of these approaches to cross-border data access for law enforcement has disadvantages—for example, an approach based on the location of the company would allow for multinational companies to be caught in the crosshairs of conflicting laws from different countries—none of the approaches is without its merits.
By combining various aspects of each approach, the report proposes a novel framework that maximizes lawful access to data stored abroad while minimizing market distortions and protecting national sovereignty. The proposed framework involves a four-tiered decision tree based on the location of the data, the laws of the country where the data is stored, the location of the business, and the residency of the data subject. Implementing the proposal will require that nations modernize their mutual legal assistance treaties (MLATs)—the agreements that commit countries to providing assistance to the law enforcement agencies of their foreign counterparts—to make this process more efficient. ITIF proposes that the United States work with other nations to develop a model “MLAT 2.0” that would create a standardized and reliable method for enabling lawful government access to data stored abroad.
The ITIF report proposes six recommendations for U.S. policymakers:
- Modernize the internal processes for responding to foreign requests for legal assistance;
- Work with other governments to draft and adopt model MLAT 2.0 language;
- Push back against foreign data localization requirements;
- Update the Electronic Communications Privacy Act (ECPA) to protect domestic digital communications;
- Restrict companies from storing data in countries with conflicting laws that limit law enforcement;
- Engage with other nations to develop a “Geneva Convention on the Status of Data.”
“The world created maritime law to govern a global shipping industry and international space law to govern space exploration,” said Alan McQuinn, the report’s co-author. “Ultimately, no one nation can solve this problem alone. It is time for the United States to lead the international community in constructing a framework to govern how law enforcement agencies can work together to solve crimes in the global data economy.”