In my last post, I reviewed a number of proposals to reform the Electronic Communications Privacy Act (ECPA). These proposals are aimed at delimiting law enforcement access to data in two very different contexts: The first deals with US law enforcement seeking US-held data, while the second deals with foreign law enforcement seeking US-held data. Below is a quick summary of my preliminary proposal to address the second problem.
In its current form, ECPA acts as a blocking statute: It stops firms from complying directly with foreign law enforcement requests for their US-held data. In order to obtain this data, foreign law enforcement agents must ask the US government for mutual legal assistance, which typically takes months or years. Additionally, these foreign law enforcement requests are presented to a US judge and must satisfy an American due process standard. This understandably angers foreign states, who say they ought to be able to enforce their laws without satisfying an American legal standard before an American judge. As a result of frustration with this regime, foreign law enforcement agents have resorted to a number of problematic tactics, including snooping, mandating data localization, and more.
The solution to this problem is to fix ECPA. Specifically, ECPA should be reformed to allow US data holders to comply voluntarily with foreign government requests for US-stored electronic content where: 1) the suspect is someone with no Fourth Amendment rights, 2) whom the state suspects of committing a crime, 3) the effects of which are felt on the requesting state’s soil, 4) where an independent third party (judge, magistrate, commission, etc.) has approved the request, and 5) the US data holder is satisfied that the request meets international standards of due process and will not violate the suspect’s human rights.
I’ll touch on each of these elements in turn.
1. Suspect Has No Fourth Amendment Rights
This is relatively straightforward: If the person whose data is being sought is a US citizen or that person is physically in the US, they may enjoy Fourth Amendment protections. Where this is the case, law enforcement must convince a judge that they have probable cause to seek the data. Where this is not the case, however, the US should not require foreign law enforcement to satisfy an American due process standard. This is not to say, of course, that the US need not care about the rights of the people whose data is managed by US firms — only that the US need not insist on its own standards in those cases. Congress can still take steps to ensure the rights of the suspect by only allowing compliance where the data holder is satisfied that the request does not violate international standards of due process and human rights (item number 5 below).
What if the data holder does not know the user’s nationality? In some cases, law enforcement agents will know the suspect’s nationality and can provide proof to the data holder. But if neither law enforcement nor the data holder know the suspect’s nationality, the user’s location could be used as a proxy for nationality until the suspect’s nationality is identified. (This could be the user’s last known location, their location at signup, or their most common location.) Without a system for identifying the nationality of every user, this is a challenge with no easy answers — one that others have grappled with before.
2. Person Suspected of a Crime
American data holders should only comply directly with foreign law enforcement requests where the request relates to a specific and tailored law enforcement need. There are many ways to define such a need, but I am inclined to think that a narrower approach — something like the Title III standard that requires several elements beyond just probable cause of wrongdoing on the part of the surveillance target — is better than the broad standard in the FISA Amendments Act, which does not require any such wrongdoing. A narrower approach may be especially justified given the possibility of error in determining the suspect’s citizenship. This element is critical in order to ensure that law enforcement requests are not used to conduct dragnet style data collection.
3. Local Effects
In order to narrow things further, I would require some showing that the person being investigated is thought to have committed a crime that affects the requesting state — not just any crime anywhere. The aim of such a clause would be to limit a state’s ability to trump up charges against someone without showing any real harm. This is also consistent with background jurisdictional rules: States have a legitimate interest in regulating affairs that affect their soil and their citizens, but not in regulating the conduct of noncitizens abroad, if that conduct has no local effects.
4. Review by an Independent Third Party
When foreign law enforcement agents attempt to gain access to private data, their request should be verified by an independent party — meaning someone outside of the command of the requesting law enforcement agency — whether a judge, magistrate, or a commission or committee set up especially for such requests. This is critical so that police cannot simply assert, without proving, that the data in question is in fact necessary to a legitimate law enforcement operation. (In some states, these requests could be handled by the national human rights commission if not the courts.) This requirement is also important so that data holders — typically Internet companies — are not the only ones making the decision about when to comply with local law enforcement requests. This is not to say that company review should not play a role in these requests; to the contrary, this review is absolutely critical (as the next element shows).
5. Due Process and Human Rights
Finally, foreign law enforcement requests for US-held data should accord with international standards of due process and should not lead to the violation of the suspect’s human rights. I do not have the space to flesh out the content of those standards here — and indeed, there is likely to be some disagreement about what these standards are. But for now, I simply want to make the point that a) Congress can still hold American technology firms to a standard that ensures the privacy of their users while b) getting out of the business of demanding that the entire world live up to American standards.
Technology firms can play a critical role in evaluating the legitimacy of the foreign law enforcement request before them. Firms must ensure that international standards of due process are met, and even when they are satisfied with the adequacy of the process, they should refuse to comply if they think there is more than an even chance that a human rights abuse will occur as a result of sharing the requested data. This is not to say that companies should be the arbiters of law enforcement requests for data, but some discretion is unavoidable: Everywhere companies operate, they make decisions about whether and how to comply with the law.
* * *
I can imagine two sorts of objections to this proposal. First, some privacy hardliners will insist that all foreign law enforcement requests should have to meet a Fourth Amendment standard, which many view as the gold standard for due process. In my view, this is myopic. While insisting on a Fourth Amendment standard may enhance user privacy in the short term, it will undermine it over the medium and long term because states will take increasingly drastic steps — all of them serious threats to user privacy — to get the data they need in order to enforce their laws.
Second, some foreign states may argue that this proposal still allows the US government to dictate the terms under which large technology firms comply with foreign laws. The response to this argument is that the US government has a legitimate interest in ensuring that its corporations do not violate international norms of human rights and that interest must be weighed against the local state’s interest in enforcing its laws.
As I noted in my last post, this proposal has a number of benefits over the existing regime and over competing proposals, such as the one put forward by Swire and Hemmings: It relies on international standards, rather than American ones; it frees companies to comply directly with local law enforcement requests, rather than routing all requests through the DOJ’s Office of International Affairs; and it does not articulate a “club” of pre-selected countries for inclusion in the regime, which would anger those countries excluded from the club and likely inspire ITU-style political debates.
That said, this is a first draft — one that will be detailed further in my forthcoming Stanford Law Review article, Against Data Exceptionalism. In the meantime, I am eager for feedback on the proposal, so if you have any thoughts about any aspect of this, please be in touch.