A new law could change the U.S. approach to cross-border access to data — for better and worse

The U.S. Congress is considering a legislative proposal to address the problems with law enforcement access to data across borders. The bill, the International Communications Privacy Act (ICPA), is aimed at resolving uncertainty about when and how the U.S. can get access to user data stored abroad. This proposal falls short of protecting human rights on its own. However, when combined with another proposal, the two together could significantly improve upon the status quo for cross-border access, while providing sufficient safeguards for human rights.

Status quo

The preferred way for the U.S. government to access data stored abroad is via mutual legal assistance treaties, or MLATs, which allow law enforcement in one country to access data stored in another country. To make an MLAT request, law enforcement first issues a data request under domestic process, then sends the request to the foreign government to effectuate it. MLATs are based on cooperation, comity, and respect for the domestic protections of both countries involved, but they are not perfect. We’ve written about the problems with the MLAT system before; in short, while MLATs are based on international cooperation and provide protections, the current inefficiencies in the system are leading to human rights abuses and interferences with the free flow of information.

Domestically, the 1986 Stored Communications Act (SCA) — introduced as Title II of the Electronic Communications Privacy Act (ECPA) — plays a significant role in the MLAT system. It governs when and how U.S. law enforcement can obtain stored electronic communications content and metadata from internet service providers. The law also requires those companies not to disclose communications content under most other circumstances, including in response to requests from foreign governments. Unfortunately, the law is vague about jurisdiction as it does not specify whether U.S. law enforcement can obtain data stored overseas.

A U.S. court case which began in 2013 has highlighted problems with the SCA and the more general need for cross-border data sharing reform. In the case, known colloquially as “Microsoft Ireland,” U.S. law enforcement ordered Microsoft to turn over a user’s communications content stored in its system based on a warrant issued under the SCA. However, some of the data sought were stored on a server in Ireland, and Microsoft appealed the judge’s authority to issue a warrant for an extraterritorial search, meaning that law enforcement officials would have to go through the MLAT process instead. The government, in turn, argued that it had jurisdiction based on Microsoft’s identity as a U.S. provider and its control over the data sought. The U.S. Second Circuit Court of Appeals decided in Microsoft’s favor in 2016 and the government has appealed to the Supreme Court, which has accepted the case.

In part due to long-identified problems with the MLAT system and in part to respond to the questions raised by Microsoft Ireland and other, related cases, Congress is currently considering two proposals for cross-border data sharing reform. Here we will analyze both.

U.S. jurisdiction over company Location of data Status quo
Yes U.S. SCA: warrant for unopened email stored 180 days or less; subpoena for unopened mail stored more than 180 days, opened mail, other remotely stored content, and basic subscriber information; 2703(d) order for other non-content records
Non-U.S. MLAT process, pursuant to Microsoft-Ireland
No Non-U.S. MLAT process

Table 2.1 U.S. law enforcement access to user data

The International Computer Privacy Act (H.R. 3718)

The International Computer Privacy Act (ICPA) is a bipartisan effort by Senators Hatch (R) and Coons (D). It’s one of many proposals to update the SCA, although it would have wide-ranging effects on MLAT infrastructure as well. On the positive side, it would revamp the generally outdated framework for law enforcement access to stored data and add protections for foreign data stored in the United States. Unfortunately, it would also expand law enforcement access to data stored abroad without proper protections, granting U.S. courts more power than appropriate.

Under ICPA, U.S. authority to access communications content held by U.S. companies would be based on the nationality and location of the people in whose accounts the data were held, not where data were physically stored (as endorsed by the court in Microsoft Ireland). Currently, the SCA does not take the location of the person whose data would be searched into account. In addition, ICPA would get rid of the outdated 180-day limit on warrant protection for emails and remove other confusing distinctions that no longer make sense.

The more significant changes may be those involving U.S. access to communications of non-U.S. persons. Under the bill, the Justice Department could designate “qualifying countries” whose residents would receive special protections (designated governments must show, in turn, that they provide similar protections for U.S. persons). U.S. courts could issue warrants for content data for citizens or residents of these countries. In an improvement to the status quo, their governments would then have a chance to challenge these warrants, even for data stored in the U.S. — though the challenge could ultimately be overridden by a U.S. court. Unfortunately this improvement comes at a cost: it would grant U.S. courts power to issue SCA warrants for the communications contents of persons in non-”qualifying” countries and persons whose nationality cannot “reasonably” be determined. These warrants would be issued without the opportunity for a foreign government challenge and, by extension, without respect for the law in the country where the targeted persons were located.

These changes would be a trade-off. On the one hand, ICPA would codify the requirement that the high-level SCA warrant protections extend to non-U.S. persons, at least for those in qualifying countries, regardless of where the data were stored. On the other, it would limit foreign involvement and recourse in cases where the MLAT process would currently be used, particularly if the U.S. overrules a challenge or the data subject is not in a “qualifying” country. MLATs, flawed as they are, result from negotiations between the governments of two or more sovereign countries. With ICPA, the U.S. would unilaterally set the terms on which it could access non-U.S. persons’ communications content, making MLATs largely unnecessary for U.S. law enforcement and potentially exacerbating conflicts with foreign laws. Furthermore, it would set a dangerous precedent. The United States’ warrant standard provides a high level of protection, but other countries with lower levels of protection might seek similar unilateral authority. The U.S. should instead try to support systems that promote global protections for human rights.

U.S. jurisdiction over company Location of data Location/nationality of data subject Status quo ICPA
Yes U.S. U.S., non-qualifying country, or unknown SCA: warrant for unopened email stored 180 days or less; subpoena for opened mail and unopened mail stored more than 180 days SCA warrant
Qualifying country SCA warrant; government of target country may object
Non-U.S. U.S., non-qualifying country, or unknown MLAT process, pursuant to Microsoft-Ireland SCA warrant
Qualifying country SCA warrant; government of target country may object
No Non-U.S. N/A MLAT process MLAT process

Table 2.2 Changes to law enforcement access to user data under ICPA

On its own, ICPA is too flawed for us to endorse. However, the positive parts of ICPA, when combined with the strengths of another draft proposal on direct access, may make real progress toward fixing law enforcement access to data across borders.

Broader legislative conversation: direct access proposal

At the same time that ICPA is making its way through Congress, another proposal is being considered. That draft legislation would let the U.S. enter into data-access agreements with other countries, the first of which would be the United Kingdom. Because the bill was conceived with the U.K. partnership in mind, the bill and the corresponding treaty are commonly referred to as the U.S.-U.K. agreement. The bill would not reform the MLAT system directly, but would allow law enforcement in approved countries to bypass MLATs and U.S. legal protections and request data straight from U.S. service providers; U.S. law enforcement would have the same power in those countries. Unfortunately, this draft legislation doesn’t provide adequate protections for the people it would affect.

We’ve addressed the proposal’s flaws before. While the text of the U.S.-U.K. treaty has never been released, the framework established by the proposed legislation would be ineffective and would fail to protect human rights. It would enable wiretap requests without the heightened protection required by U.S. law. The first agreement being discussed under the legislation would also significantly extend the reach of the U.K. surveillance apparatus, which is already one of the most expansive in the world. And it would allow the U.S. executive branch to make future agreements with countries that have even worse human rights records.

We are in favor of MLAT reform. Improving the system for cross-border sharing could help prevent policies that seek to limit encryption or require that data are stored domestically. As proposed, however, the direct access draft legislation is not the right solution.

A way forward: the best of both worlds

The direct access legislation component of the U.S.-U.K. agreement is based on mutuality and maintains the system of international agreement for data access. It would streamline the MLAT process and set the stage for more consistent data-sharing treaties in the future. However, it does not contain strong enough human rights standards, nor does it ensure sufficient oversight. ICPA would codify protections for foreign citizens whose data are stored in the U.S. but it would undermine the existing MLAT system and grant too much new authority to domestic law enforcement.

Congress should combine the best ideas from both proposals to create a solution that allows other countries to opt-in and strictly improves human rights protections. As described in our post on making MLAT bypasses work for users, any proposal should honor the Necessary and Proportionate principles. That means:

  1. The system should not center upon or favor the political interests of any one country
  2. The country making the request must demonstrate its interest in the data
  3. Requests should be limited to particular crimes that depend on a speedy investigation and individual requests must justify the use of the “safe harbor”
  4. Any system for exchanging data for law enforcement purposes must be based on existing international human rights standards
  5. Any agreement must be coupled with data protection and digital security standards
  6. Exchange of data outside official law enforcement processes, such as MLATs or the new “safe harbor” mechanism itself, must be prohibited

By choosing a solution that honors mutuality and protects human rights, Congress can remove roadblocks that harm human rights and justify interference with the flow of data. and establish a positive precedent for data sharing in the rest of the world.