With cloud computing, law enforcement investigations increasingly seek evidence that is held across borders, in a different country. As we describe in a separate IAPP post, this globalization of criminal evidence is prompting major legislative change and proposals. In 2018 alone, the United States passed the Clarifying Lawful Overseas Use of Data Act to address cross-border issues, and the European Union has proposed its new eEvidence regulation and directive.
To date, there has not been one forum for consideration of these rapidly developing issues. The Cross-Border Data Forum aims to create a more informed public debate to protect the multiple values at stake. We are pleased to be working with the new forum to address these important emerging challenges.
The CBDF provides a venue for well-researched and well-written discussion of cross-border data issues, which are highly complex. Good policy on these issues requires expertise in how technology and markets are developing, or else the law will be mis-matched to the underlying reality. Privacy and the protection of fundamental rights, with adequate safeguards and remedies, are essential to creating the new legal rules and procedures; otherwise, authoritarian and other nation states may seek to access evidence without necessary safeguards. Assessment of new legal proposals calls for a sophisticated understanding both of international law and of criminal procedure approaches in nations such as the United States, the 28 member states of the EU, Switzerland, Canada, Australia, India, and Japan — not to mention the rest of the nearly 200 nations in the world — an assessment that demands broad-based input, dialogue, and outreach.
In considering these issues, the CBDF has announced four goals to guide its work:
- Fulfill legitimate law enforcement requests for data relevant to the investigation of serious crimes. Where a clear factual basis exists to issue a court order, for instance, then the goal is to create effective procedures to supply the evidence to law enforcement.
- Protect and promote privacy and human rights as essential to new legal approaches. Law enforcement requests have been governed by national safeguards, such as the Fourth Amendment and the Electronic Communications Privacy Act in the United States. The emerging regimes must continue to ensure privacy and human rights protections.
- Provide a workable regime for the companies holding data of interest to law enforcement. Service providers have sometimes been ordered to provide evidence by one country in ways that would violate another country’s laws. The new approaches should minimize legal conflict and provide clear rules for resolving conflicts that do emerge.
- Safeguard the internet by resisting calls to localize data and splinter the internet. A range of countries are pursuing data localization rules, as a means of ensuring local law enforcement access. As explained elsewhere, these kinds of data localization rules are costly to comply with, can threaten in some cases data privacy and security and could also undercut some of the key benefits of a global internet.
The CBDF, since becoming incorporated as a non-profit this summer, has created an expert and international team to address these global issues. A majority of the board of directors is based outside of the U.S. The officers are Dale Skivington and Sandra Hughes, who are formerly the top global privacy officials at Dell and Proctor & Gamble, respectively. The global law firm of Alston & Bird provides legal counsel. The initial members are major global actors who have direct experience with the relevant legal, technological and practical issues: Amazon, Apple, Facebook, Google, Intel and Microsoft.
The three authors of this article are the initial academic fellows. Each of us brings to the table experience thinking about, working on, and writing about the globalization of data and the challenges this poses. Christakis prepared a legal opinion on “Data, Extraterritoriality and International Solutions to Transatlantic Problems of Access to Digital Evidence” within the context of the Microsoft Ireland case and has been involved to various projects concerning issues of surveillance and intelligence sharing, data protection, the CLOUD Act and E-Evidence. Daskal has written about these issues in the Yale Law Journal, Vanderbilt Law Review, The New York Times, and elsewhere. Swire worked on reforming the Mutual Legal Assistance system in 2013 as part of President Obama’s Review Group on Intelligence and Communications Technology, and then created the Georgia Tech Project on Cross-Border Requests for Data.
Moving forward, a large portion of our research and writing will be devoted to accurate description and analysis of these complex issues. For example, we are currently developing a side-by-side analysis of the CLOUD Act and the proposed eEvidence Regulation. Looking ahead, the CBDF encourages publishable material from different perspectives and on different national and international developments. Importantly, the forum seeks to encourage contributions and expertise from a wide array of perspectives. Thus, posts on the forum’s blog are attributable only to the authors. Publication on the blog does not require the author to endorse the forum’s work. Nor does it signify endorsement by CBDF or any participating individuals or organizations of the ideas presented.
Although the organization is in its early stages, we also are exploring ways to create an advisory board or otherwise have a broader range of authors analyze these pressing issues.
Initial topics CBDF is addressing
Initial and in-process writing by the authors and others illustrates the sorts of topics that require careful legal and policy analysis related to cross-border government access to data:
- An introduction for privacy professionals of what the CLOUD Act will mean in practice.
- Nine suggestions to the Department of Justice in negotiating and implementing CLOUD Act executive agreements.
- A European view of the CLOUD Act and a possible executive agreement with the U.S.
- Analysis of the role of the member states, compared with the EU, in creating any such executive agreement.
- Analysis of the proposed U.K. legislation that would form the basis for a U.S.-U.K. executive agreement, including recommendations to protect privacy and fundamental rights.
- Analysis of the CLOUD Act’s (modest) change to pre-existing rules for U.S. Department of Justice access to data held outside of the U.S.
- Discussion of how the Cloud Act does not (as some have asserted) authorize expanded wiretapping abroad by the U.S. Department of Justice.
- Explanation of proposed revisions to eEvidence, which would reduce the ability of one EU member state to object to requests from a different state, and recommendations in order to enhance the protections and the reviewing mechanism in the interest of all stakeholders involved.
- Discussion of concerns expressed in Europe that the CLOUD Act would enable U.S. theft of trade secrets and explanations of reasons why it does not.
- Analysis of the existing human rights protections in eEvidence and the CLOUD Act, and recommendations in order to improve the safeguards and protections during the EU eEvidence legislative process and during the drafting of other relevant laws and international treaties.
As mentioned above, our experience is that these cross-border issues are complex both legally and as a practical matter. The four goals of the CBDF show the need for input from those knowledgeable about law enforcement, privacy, business operations and vision for a better internet overall. Hopefully, it creates a more informed public debate to protect the multiple values at stake.
Along with their academic and other affiliations, Peter Swire is Research Director and Théodore Christakis and Jennifer Daskal are Senior Fellows of the Cross-Border Data Forum.
If you want to comment on this post, you need to login.