Most people would likely support providing law enforcement with the necessary digital evidence to investigate and prosecute heinous crimes such as the dissemination of child sexual abuse material. Such evidence is usually obtainable through traditional legal processes, but barriers emerge when it is located abroad and especially when a non-U.S. company holds it. Despite the resolution for personal data to flow between the European Union and the U.S., there is often no expeditious way to get data for law enforcement purposes.
Leaders from around the world convened in the U.K. this fall to explore this precise topic and broader issues, such as the impact of emerging technologies like artificial intelligence on law enforcement. The central theme was balancing law enforcement's need for electronic evidence with privacy considerations.
Attendees included industry executives, law enforcement leaders, diplomats and elected officials, and privacy practitioners and scholars. I was particularly interested in attending, given both our work on privacy and the nexus of it with law enforcement. The Ditchley Foundation convened this program as part of its ongoing Data in Democracies program.
Background and current landscape
If data were stored purely in the U.S. by U.S. companies, access by law enforcement would be less of a hurdle. But the interconnected nature of the internet and data storage means data is not always in the U.S. Therefore, there needs to be a way for U.S. law enforcement to gain access to digital evidence stored abroad and for foreign law enforcement to make legitimate requests for data in the U.S. Concerns often arise about how to balance individual privacy with ensuring that law enforcement uses the data for legitimate purposes.
A Mutual Legal Assistance Treaty is typically used if data is held in one country and another seeks it for law enforcement purposes. That process can take months or longer, which means the evidence or subject might be lost.
Eventually, the U.S. Clarifying Lawful Overseas Use of Data (CLOUD) Act was passed to supplement the MLAT process. The Act permits select countries to enter into agreements with the U.S. to use their own legal authorities to access electronic evidence, assuming they have adequate substantive and procedural laws. Requests for data not covered by an agreement must still go through the MLAT process. This is often critical for foreign law enforcement since so much data is held within the U.S. Currently, there are CLOUD Act agreements in place with Australia and the U.K.
However, other developments are relevant too. For example, the OECD Declaration on Government Access to Personal Data Held by Private Sector Entities from December 2022 serves as a political commitment of 38 OECD countries and the EU on common approaches to safeguarding privacy when accessing data for law enforcement purposes. Also, the e-Evidence regulation and directive on access to electronic evidence apply within the European Union. In addition, the Council of Europe Convention on Cybercrime (commonly called the Budapest Convention) and its Second Additional Protocol provided new pathways to obtain select data between signatories.
Why this matters
A key question is whether there will be additional CLOUD Act agreements and, specifically, whether they will be bilateral, multilateral or both. The U.S. and EU began negotiations around an EU-U.S. agreement again in March 2023, but there is still a long path ahead to make that a reality.
At the Ditchley convening, there was a strong sentiment that it is important to give law enforcement a way to obtain data expeditiously. While the MLAT process exists, multiple attendees noted that it is time-consuming and that there is a risk of evidence being destroyed or lost. This risks victims not being aided or future crimes being committed. Examples noted at the convening of the CLOUD Act being used so far between the U.K. and the U.S. included saving hundreds of children from abuse and prosecuting multiple arms dealers.
In addition, multiple individuals noted that companies would benefit from additional agreements. Currently, there is uncertainty about how to process data access requests in the context of the EU General Data Protection Regulation, and about what to do when a company is subject to multiple sets of laws. For example, there is not always a clear category to describe the legal basis for processing, and voluntary cooperation between law enforcement has come under scrutiny. Companies are also receiving access requests from around the world in significant quantities. Without a more standardized process, this results in inconsistent requests and burdens.
Looking ahead and challenges
The U.K.-U.S. agreement was progress, but this still leaves out most countries. At the convening, there was a lengthy discussion on sources of agreement, disagreement, and best practices moving forward.
Several key themes emerged. A recurring one was the need for transparency. While law enforcement cannot make all specifics public because of the sensitivity of investigations, attendees encouraged sharing past success stories and/or general examples so the public and privacy advocates are better informed.
Relatedly, the theme of trust between law enforcement and the privacy community was noted. More dialogue between the groups could advance this by exploring these types of topics and what is and is not done with the data. Related to trust is ensuring data requested by law enforcement is for legitimate purposes instead of targeting specific individuals or for political purposes. Lastly, it was highlighted that additional agreements should be considered a priority by the U.S. and countries worldwide.
Overall, I found this a productive and beneficial convening, but there is still work to be done. Like most policy matters, a balance is essential and having conversations is critical even if there is not always agreement. I commend Ditchley for its important work on this topic and the convening.