It’s been almost a year since the Second Circuit issued its decision in the Microsoft Ireland case, ruling that U.S. warrant authority pursuant to the Electronic Communications Privacy Act (ECPA) only extends to data that is physically located in the United States. The problems with this ruling are now apparent – and accelerating. U.S. law enforcement is increasingly being told by a range of U.S.-based providers, such as Google, Microsoft, and Yahoo, that sought-after data is located outside the territorial boundaries of the United States and can’t be turned over. The U.S. government can no longer access that data even with a warrant issued by a neutral magistrate based on a finding of probable cause that the sought-after emails or photos are evidence of a crime. This is so even if the FBI is investigating a U.S.-based crime involving U.S. citizen victims, perpetrators and witnesses. No matter how serious the crime.
Instead, the U.S. government must make a diplomatic request for the data directed at the country where the data is located. But sometimes the U.S. government does not know where the data is located, and thus has no way to know where to direct the request. (Google, for example, will tell the U.S. government whether data is located within or outside the United States, but doesn’t currently have the capability to identify where outside the United States certain data is located.) Sometimes the government knows, but there is no workable mutual assistance process in place and thus no mechanism for the United States to access sought-after data. Sometimes there is a mutual legal assistance treaty in place, but the process is so slow that it still takes a year or more for the data to be ultimately accessed and turned over.
Just about everyone, including the judge who wrote the Second Circuit opinion, agree that this is an unsatisfactory state of affairs and that Congress should weigh in. And now at least three magistrate judges—from the Eastern District of Pennsylvania, Eastern District of Wisconsin, and Middle District of Florida —have rejected the Second Circuit’s approach and concluding that the warrant authority under ECPA reaches all data controlled by a U.S.-based provider, regardless of the data’s physical location. But in at least some of the cases the relevant provider (Google) is appealing, leaving law enforcement unable to access the sought-after data as the case proceeds. And while an eventual Circuit split seems like, leading to possible Supreme Court review, years of litigation and uncertainty will pass before that happens.
Meanwhile, the claimed privacy benefits that result from the ruling are not only overstated, but illusory. As a result of the ruling, the government is, instead of accessing sought-after data pursuant to a warrant based on probable cause, told that it must seek the data from a foreign government, according to the foreign governments’ standards and procedures. But foreign government standards and procedures are generally less protective of privacy than that imposed by the warrant requirement. Hence, a reduction in applicable privacy protections. In fact, the only way that the ruling is good for privacy is in the way it generally makes it harder for the government to access sought-after data. But this is so even in those situations where the government is investigating a serious and ongoing crime (to trot out the government’s favorite talking points: think child exploitation) and demonstrated to an independent judge a legitimate basis for accessing it. This is a “privacy benefit” that even the most ardent privacy advocates are not likely to squarely defend.
So what should Congress do?
As is usual, it is easy to diagnose the problem and much harder to propose actual solutions. Here I suggest three possible options, designed to address the relevant security, privacy, and economic interests at stake. They could be combined and adopted jointly or Congress could pick and choose.
(i) Required Comity Analysis: When there is a conflict between what U.S. law and applicable foreign law requires in a given case courts will often engage in what is known as comity analysis – taking into account the interests of the foreign state in deciding whose law to apply. In a range of cases, the executive branch often does the same – working with foreign counterparts to structure its demand for evidence in ways that avoid conflict with foreign legal obligations.
Congress could take what is routinely done as a matter of discretion and make it mandatory. Specifically it could clarify that the U.S. warrant authority extends to U.S. controlled data, regardless of location. But it also should require that if the United States’ efforts to seek the data of a non-citizen or legal permanent resident located outside the United States conflict with foreign law, the reviewing court engage in a comity analysis, taking into account factors such as the location of and nationality of the target, the location of the crime, the seriousness of the crime, the importance of the sought-after data to the investigation, the possibility of accessing the data via other means (i.e. with the assistance of the foreign government).
This sets up a presumption that the United States can access, via a warrant, sought-after communications content from U.S.-based providers, without regard to the location of the data. But it also ensures that the interests of foreign governments in controlling access to the data of their own residents and nationals located outside the United States are taken into account. This is important for at least three reasons. First, it sets a precedent that we would want and expect with respect to foreign governments’ efforts to access the data of U.S. residents and U.S. citizens. Second, it provides a mechanism for providers to protect themselves against being caught between two conflicting legal obligations – ensuring that there is a mechanism for requiring that courts take those concerns into account. And third, it respects the interests of foreign government in setting rules governing the access to their citizens and residents data, but without creating a foreign government veto. This is particularly important in cases in which the United States government is investigating state-sponsored or state-facilitated crime; a foreign government veto would grind such investigations to a halt.
(2) Notice requirement: This would ensure that the United States could, via a warrant, compel from a U.S.-based provider sought-after communications content regardless of where the data is physically held. But it would also require the United States government to provide notice to a foreign government if it were seeking access to the data of one of its residents or citizens located outside the United States. Such a provision should also be coupled with an exception for cases in which notice would reasonably be deemed to undermine the investigation, such as, for example, instances in which U.S. law enforcement were investigating state-sponsored criminal activity.
This also has a number of benefits. It respects foreign governments’ interest in controlling access to their own residents’ and citizens’ data, ensuring that the foreign government has notice and thus an opportunity to raise, via diplomatic channels, any concerns with the United States. It thus sets a standard that the United States would presumably want and expect other governments to follow if they sought access to U.S. citizens and residents data. Particularly if coupled with a required comity analysis, it helps to ensure that any applicable conflict of laws is identified and considered by an independent court.
(3) Reciprocal Notice/Control: This provision would again set the default presumption that the United States could, via a warrant, access the communications content held by a U.S. based provider regardless of the location of the underlying data. At the same time, however, it would explicitly endorse reciprocal agreements pursuant to which the United States would agree to provide a foreign government notice and an opportunity to object if the United States were seeking access to the data of that foreign government’s residents or citizens located outside the United States. The foreign government would likewise agree to provide notice and an opportunity to object to the United States if it were to seek the data of U.S.-based residents or citizens located outside its territorial jurisdiction.
There are various ways these could be structured. One option would be to give each government up to 30 days to either consent to or object to such access; if there is no response at the end of 30 days, then the government would be deemed to have consented. This too would need to be coupled with some sort of emergency authorization procedure for particularly serious crimes in which a delay of 30 days would significantly hinder the investigation.
Unlike the notice provision describe above, this approach gives foreign governments veto power, but only if that foreign government grants the same veto power to U.S. authorities, and only pursuant to mutually agreed upon provisions. This thus gives the executive control over who would be eligible for such agreements.
Each of these provisions respond to the security concerns presented by the inability of law enforcement to access sought-after data pursuant to a warrant based simply on the happenstance of where it happens to be held. They respect privacy interests in that they demand, as a default, a warrant based on probable cause before the government can compel the production of communications content. At the same time, they protect against the risk that the United States will compel – or will be perceived as compelling – production of foreign-held data without regard to the legitimate interests of foreign states in setting the rules governing access to their own residents and citizens’ data. As a self-interested matter, it thus helps to ensure that foreign governments take into account the United States’ interests when they are seeking access to data of U.S. residents and citizens.
Finally, it is critically important Congress consider this issue in connection with the separate, but related problems faced by foreign law enforcement seeking access to U.S.-held data. This, too, is a growing problem – with costs to security, privacy, and our economy. The problem stems from another provision of the same Electronic Communications Privacy Act at issue in the Microsoft Ireland case. Specifically, the law precludes U.S.-based providers from turning over data to foreign governments, in all cases, without regard to the relevant equities at stake. This is true even if the foreign government is investigating its own national in connection with a a local crime only U.S. nexus to the data is that it happens to be held by a U.S.-based company. The foreign government is instead told instead to seek the data via the mutual legal assistance process – a process that takes multiple months if not years.
Foreign governments are increasingly frustrated by this state of affairs. The UK, for example, has made fixing this problem – and hence ensuring easier access to sought-after data – one of its top diplomatic priorities vis-à-vis the United States. And in the absence of a fix, we are likely to see increased toward data localization mandates as an alternative, and costly, way for foreign governments to ensure access; increased exercise of unilateral extraterritorial jurisdiction in ways that put U.S. companies in the cross-hairs of two competing legal obligations; and other surreptitious means of accessing sought-after data that have negative implications for both network security and privacy. I, along with several others, have written extensively about this problem previously, and there is a lot to say about both the problem and need for a solution. Suffice it to say that I think legislation proposed by the Department of Justice last spring is a good place to start. And that any fix should solve both the Microsoft Ireland problem and the converse problem of foreign governments seeking access to U.S.-held data.
* * *
No proposal will fully satisfy all of the various interests – or interest groups – at stake. And I don’t hold out the false hope that this one will either. But there is also an almost universal consensus that the status quo is both unworkable and normatively unsound. It is bad for security. It is bad for privacy. And it bad for the U.S. companies that manage our data – and hence for a big part of our economy. So rather than just talking about what won’t work, it’s time to talk about what might. Here’s my best attempt to do so. My hope is that this becomes a starting point for further discussion.