Earlier this year, Cisco and Apple jointly filed an amicus brief supporting Microsoft in its appeal of a U.S. Federal Court decision requiring it to hand over customer data held in an Irish data center. In our filing, we made the case that the ruling should be overturned because it leaves companies in jeopardy of violating one country’s laws in order to comply with those of another.
As we wrote in the brief:
“The Magistrate’s analysis improperly ignores the interplay of foreign and domestic laws when determining whether the government can use a warrant to require a U.S. company to produce data about a non-U.S. citizen when the data is held by a foreign subsidiary and stored in a foreign location. Rather than ignoring foreign law, courts should examine possible conflicts of law, inquire into the weight of the U.S. government’s interest in each case, and determine whether those interests are sufficiently compelling to outweigh principles of international law, comity, sovereignty, and reciprocity, such that the government may circumvent U.S. treaty obligations.”
Today, Microsoft’s case continues to wind its way through the U.S. federal courts, and we won’t know the final disposition for some time. In the interim, global cloud providers are left with unanswered questions about how to reconcile potentially conflicting laws regarding data privacy and security.
Helpfully, several members of Congress are proactively seeking to address how the U.S. government should access customer data held overseas. This is a significant first step toward meaningfully addressing the underlying issue—whether and how governments should be capable of demanding access to data stored across national borders.
Legislation proposed by Senators Orrin Hatch (R-UT), Dean Heller (R-NV), and Chris Coons (D-DE) offers a new framework for striking the balance between the government’s need to investigate crime and the Constitution’s protections against unreasonable search and seizure in the context of a globally connected world.
Here’s how it would work.
The Law Enforcement Access to Data Stored Abroad (LEADS) Act would require a warrant when the government demands customer communications from third-party service providers, and these warrants would only have the power to reach data stored in the U.S., unless the data is owned by a U.S. corporation, citizen, or lawful permanent resident.
Data stored outside the United States not belonging to Americans or American companies, however, would not be subject to U.S. government warrants and would instead require a mutual legal assistance treaty (MLAT) request to the country in which it is stored. At the same time, the legislation seeks improvements in these MLAT processes so that governments can get the information they need to protect their citizens against crime and terrorism in a timely fashion.
Finally, the bill attempts to identify particular, limited circumstances where the government should be able to directly compel production of documents from outside the United States.
In offering this legislation, Senators Hatch, Heller, and Coons have attempted to tackle an important international problem. Their approach respects long-held principles for obtaining information from third parties. Just as in the physical world, the government should be expected to use mutual legal assistance treaties when it wants to compel production by a third party of documents stored in another country. This will help to avoid creating unnecessary conflicts of law. And just as in the physical world, the government should be required to get a search warrant from a neutral magistrate based upon a showing of probable cause when it seeks to seize documents in the hands of a third-party storage provider located in the U.S.
Their approach builds upon commonsense, bipartisan legislation with widespread support from Senators Pat Leahy (D-VT) and Mike Lee (R-UT) and Representatives Kevin Yoder (R-KS), Tom Graves (R-GA), and Jared Polis (D-CO), as well as from the tech industry and privacy advocates. Those bills would similarly require the U.S. government to obtain a warrant when it seeks access to data stored in cloud facilities located within this country.
The security threats facing nations are real and significant, and governments need to be able to take steps to address these threats and protect their citizens against crime and terrorism. At the same time, we must update our laws so that they respect innovation and enable new technologies to grow.
Hope this step will spur a continued recurrence of similar changes in policy – this is a form of legislative form that is noticeably overdue.
This is definitely a problem that requires more attention to avoid creating conflicts of laws. Thanks!