How to make an MLAT “safe harbor” safe for users

Note: This is the final post in a series on the MLAT system and human rights. See part one: We need to fix the broken system for cross-border access to data, part two: What’s wrong with the system for cross-border access to data, part three: A diagnosis: why current proposals to fix the MLAT system won’t work, and part four: How to fix MLATs — and a path toward resolving jurisdictional issues.

We previously addressed the flaws in the current system to grant law enforcement access to data across borders — the Mutual Legal Assistance Treaties (MLATs) — as well as the problems with current proposals to reform that system. We then identified the goals for reform and discussed how making changes to MLATs can be part of that reform process. However, it is unlikely that any single reform effort will accomplish everything we need from reform, such as relieving the strain of the requests made to the United States (where a disproportionate number of technology companies are based).

Even though there are flaws with current reform proposals, implementing a limited mechanism designed to supplement MLATs could make the situation better, so long as it is built from the ground up with necessary human rights protections and strictly limited to situations where the use of extraordinary process is justifiable. In other words, if we are to introduce a way to bypass the MLAT system, it has to be done carefully to achieve at least some of the goals of comprehensive MLAT reform, while protecting human rights. Here, we’ll examine essential elements of such a system.

Any “safe harbor” must increase protections for human rights

The basic premise of an MLAT bypass system, framed typically as a type of “safe harbor” agreement, would be to permit law enforcement to go directly to companies for access to data, instead of through a foreign government via MLAT request. Nothing about this idea inherently violates human rights, so long as there are adequate protections in place. However, since an MLAT bypass system would provide government officials with extraordinary access to data, it must improve upon the human rights protections that currently exist in the MLAT system.

  1. The system should not center upon or favor the political interests of any one country

A system to bypass MLATs should not be centered upon the political interests of a single country, such as the U.S. While many of the world’s largest internet companies are located in the U.S., if a system is too firmly structured around U.S. political interests, other governments might reject it as a vehicle for U.S. power to negotiate agreements and veto requests. Instead, the mechanism should be built through a process based on discussions between countries, civil society, companies, and users, and countries should be granted participation for meeting objective standards, such as agreeing to limitations including human rights protections and interest requirements (such as those we map out below). Even under such a system, each country would remain otherwise accountable for its obligations under existing MLATs and other international agreements beyond the scope of the mechanism.

  1. The country making the request must demonstrate its interest in the data

In lieu of an MLAT, the country making the determination should have to affirmatively demonstrate its interest in the data. Since the MLAT bypass will be an extraordinary tool, not normal process, it should be limited to instances where the victim or data subjects are known residents or citizens of the country making the request. There is otherwise too great a risk of countries disregarding the rights of foreigners, who often do not get adequate human rights protections. If a country fails to identify the victim or data subjects as persons of the country making the request, then the entity holding the data should have grounds to dispute the request and recommend it for an MLAT instead.

  1. Requests should be limited to particular crimes that depend on a speedy investigation and individual requests must justify the use of the “safe harbor”

The new mechanism should include a limited list of specifically identified “serious” crimes that depend on speedy investigation. In each use of the mechanism, law enforcement should demonstrate the necessity of using the expedited process. An example would be a criminal investigation in which the perpetrator has not yet been apprehended and is likely to commit additional crimes. The U.S. draft implementing legislation for the U.S.-U.K. agreement, a formula for a proposed MLAT bypass agreement that we discussed earlier in this series, includes a requirement that the system be used for “serious crime, including terrorism,” but without clarifying what serious crimes would be included. For example, intellectual property and speech-based crimes are often listed as relevant to processes intended to harmonize national laws, like the Budapest Convention. However, those crimes rarely depend on speedy investigation and therefore the normal MLAT process should not be overly burdensome.

  1. Any system for exchanging data for law enforcement purposes must be based on existing international human rights standards

Requests made under an MLAT bypass agreement for data exchange must be required to protect human rights. The standard that every request has to satisfy in the exchange of data must be based on countries’ human rights obligations, as codified in instruments like the United Nations Declaration of Human Rights and the International Covenant on Civil and Political Rights, and established norms. Those obligations as they relate to government access to data are articulated by the International Principles on the Application of Human Rights to Communication Surveillance and Access Now’s Implementation Guide, including:

  • Legality: Any cross border request that limits the right to privacy must conform to the law of the country making the request.
  • Legitimate Aim: Any request must be made by specified State authorities to achieve a legitimate aim that corresponds to a predominantly important legal interest that is necessary in a democratic society.
  • Necessity: Any request must be strictly and demonstrably necessary to achieve a Legitimate Aim.
  • Adequacy: Any request authorised by law must be appropriate to fulfill the specific Legitimate Aim identified and effective in doing so.
  • Proportionality: Decisions about cross border requests must consider the sensitivity of the information accessed and the severity of the infringement on human rights and other competing interests.
  • Competent Judicial Authority: Determinations related to cross border data requests must be made by a competent judicial authority that is impartial and independent.
  • Due Process: States must respect and guarantee individuals’ human rights by ensuring that lawful procedures that govern cross border requests that interfere with human rights are properly enumerated in law, consistently practiced, and available to the general public.

In addition, countries that participate in cross border requests should ensure they are satisfying other Principles, including User Notification, Transparency (specifically by indicating the number of requests made via other countries), and Public Oversight.  

  1. Any agreement must be coupled with data protection and digital security standards

Any agreement that enables countries to request data across borders should be coupled with requirements to implement protections to ensure basic, but adequate, data protection standards. Those protections include the right to access and modify data, effective right to remedy, limitations on retention, appropriate security measures for transit and during storage, and deletion within a reasonable amount of time after transfer or once the data is no longer useful for the original purpose. The E.U.-U.S. Umbrella Agreement has been in place officially since the end of 2016 ostensibly to establish data protection standards for the exchange of data for criminal investigations. The agreement does not explicitly permit the exchange of data, but rather sets (inadequate) minimum rules that should be in place if such exchange is to take place for law enforcement purposes. Any agreement must be coupled with protections stronger than those found in the E.U.-U.S. Umbrella Agreement.

  1. Exchange of data outside official law enforcement processes, such as MLATs or the new “safe harbor” mechanism itself, must be prohibited

Finally, when countries reach an arrangement to bypass safe harbor there should be prohibitions against using methods for obtaining data other than through lawful process, such as the arrangement itself and the MLAT system. One example of this would be law enforcement agencies pressing data holders to disclose data stored abroad “voluntarily” under permissive disclosure carve-outs in privacy laws. As countries begin to remove barriers to extraterritorial access to data, there is a risk that new agreements will be a pretext for otherwise easing access to data. That must be prohibited.

A safer “safe harbor”

Together, reform and “bypass” alternatives to the MLAT system can foster a functional and sustainable system for cross border data requests, but they must protect human rights. Our recommendations for an MLAT “safe harbor” are not drastically different from reforms that would improve the MLAT system overall, as outlined in our previous posts. An MLAT “safe harbor” system could improve speed and efficiency for lawful government requests. But the underlying system has to be structured appropriately to ensure its legitimacy and efficacy.

A decentralized system would promote inclusivity in the program and thus reduce the incentives for government control over data. A requirement that a country demonstrate its interests in the data, be limited to particular crimes and the need for speedy investigation, and work in a mechanism based on human rights standards, would help maintain and promote vital human rights protections. Data protection and digital security standards, including retention and use limits, along with prohibition of using other methods to transfer data, will similarly help promote users’ rights, while providing better clarity for users and other stakeholders.