In the era of globalization, the flow of data across borders has become a significant aspect of modern business operations.
As organizations expand their reach globally, they must also navigate the complexities of complying with various legal requirements related to data disclosure, especially when it involves law enforcement access requests from foreign governments.
The intricacies of such requests necessitate a nuanced approach, balancing legal obligations, ethical considerations, and potential risks to individuals involved.
Domestic vs. cross-border data requests
When a law enforcement authority within a country requests data, organizations typically have a legal obligation to comply, provided the request meets certain legal standards. In many countries, for instance, laws mandate that companies disclose data if a valid court order is presented. This process is relatively straightforward because it operates within the framework of the country's legal system.
However, the situation becomes more complex when the request comes from a foreign government. Unlike domestic requests, organizations are not always legally bound to comply with foreign government requests for data. This lack of legal obligation raises critical questions about whether organizations should comply and under what circumstances.
Legal considerations and geopolitical tensions
Organizations must consider the legal framework of both the requesting country and the country where the data is held. This involves assessing whether there are mutual legal assistance treaties (MLATs) in place, which facilitate cooperation between countries in legal matters. MLATs provide a legal basis for cross-border data requests, as the request will be coming from the home country's law enforcement authorities. Consequently, the organization will have a straightforward legal obligation to disclose the requested data.
Where a request does not come through an MLAT, cross-border data requests can, if not handled carefully, lead to significant geopolitical tensions. Disclosing the requested data may not only breach the law but could also be seen as a threat to national security.
For example, the executive order issued by U.S. President Joe Biden restricts access by countries of concern to Americans' bulk sensitive personal data. Biden also signed the infamous TikTok ban bill, citing concerns over the Chinese government having access to Americans' data. Accordingly, if your organization is based in the U.S., it is likely that disclosing personal data to the Chinese government will be seen as a national threat.
Similarly, the "Schrems II" case highlighted the suggestion, arising from the Edward Snowden revelations, that EU data protection rights could be infringed by U.S. intelligence authorities. The Court of Justice of the European Union held that the legal bases of U.S. surveillance programs, such as PRISM and UPSTREAM, are not limited to what is strictly necessary, and would be considered a disproportionate interference with the rights to data protection and privacy. It emphasized that data transfers to non-EU countries must ensure protections equivalent to EU standards, revealing significant tensions between differing national surveillance practices and data protection requirements.
When conducting legal assessments for cross-border law enforcement requests, it is essential to evaluate not only relevant laws but also the geopolitical relationships between the countries involved. This comprehensive approach ensures data transfers comply with legal obligations while mitigating risks related to national security and international relations.
Ethical considerations and data privacy
Beyond legal obligations, ethical considerations play a crucial role in deciding whether to comply with cross-border data requests. Organizations have a duty to protect individuals' privacy and personal data. Disclosing data to foreign authorities can sometimes result in harm to the data subject, especially if the requesting country's legal system does not provide adequate protections for personal data.
For instance, countries like China and Russia have broad security laws that may conflict with privacy provisions in other jurisdictions. Requests from such countries need to be scrutinized to ensure compliance does not lead to human rights violations or other adverse outcomes for the individuals whose data is being disclosed. The ethical duty to protect individuals' privacy rights must be balanced against the potential benefits of disclosing the data for law enforcement purposes.
On the other hand, the risks of disclosing data must be carefully weighed against situations where disclosure could prevent immediate physical harm to an individual, such as in cases of suspected kidnapping. Numerous factors must be considered when disclosing information to foreign law enforcement authorities.
Ultimately, it is the organization's responsibility to ensure any disclosure is thoroughly assessed and weighed. In all cases, being able to substantiate the reason for data disclosure with proper legal assessments will be viewed favorably by regulators.
Practical implications and risk management
When faced with a cross-border law enforcement request, organizations must take several practical steps to ensure compliance with applicable laws and to mitigate risks.
Ensure written requests. The request for data disclosure must be in official writing, detailing the identity of the requestor, the reason for the request, and the nature and urgency of the request.
Hold data. Organizations may need to immediately store the requested data while the request is being assessed, to ensure the data will be available if the result of the legal assessment is to disclose.
Assess legal basis. The organization's legal team must assess whether there is a legal basis for the request, considering both domestic and international laws. This includes analyzing the necessity and proportionality of the request.
Obtain approval and document. Before disclosing any data, organizations should obtain approval from relevant internal authorities, such as the data privacy officer. All decisions and the rationale behind them should be documented thoroughly.
Report and maintain records. It is crucial to report the request to the organization's privacy team and maintain records of the decision-making process and the data disclosed.
Extreme emergency requests
In cases of extreme emergency, such as suspected crimes of the highest level, organizations might face urgent requests for data disclosure. These situations require a rapid response but still necessitate a careful assessment to ensure the disclosure is justified, necessary and proportionate. Even in emergencies, organizations must strive to balance the need for immediate action with the protection of individuals' rights.
A delicate balance
Navigating cross-border data disclosure requests involves a delicate balance of legal, ethical and practical considerations. Organizations must carefully assess each request, considering the legal obligations in both the requesting and responding countries, the potential risks to individuals, and the broader geopolitical implications. By following a structured procedure and maintaining a commitment to data privacy and ethical standards, organizations can manage cross-border data requests effectively, ensuring compliance with the law while safeguarding the rights and interests of data subjects.
Li-Rou Jane Foong, CIPP/E, CIPM, FIP, is a global privacy specialist at Rakuten Group Inc. in Tokyo, a dual-qualified lawyer, and a New York Bar candidate.