Cross-Border Data Access Primer
“Bad for public safety, bad for companies, and bad for privacy,” declared Paddy McGuinness, the United Kingdom’s deputy national security advisor about the current U.S.-U.K. cross-border data access system at a recent congressional hearing. Joining in his view, in June, Google called for major changes to U.S.
Published by The Lawfare Institute
in Cooperation With
“Bad for public safety, bad for companies, and bad for privacy,” declared Paddy McGuinness, the United Kingdom’s deputy national security advisor about the current U.S.-U.K. cross-border data access system at a recent congressional hearing. Joining in his view, in June, Google called for major changes to U.S. cross-border data access rules. Civil society groups also tend to agree that the system is flawed, but a satisfying fix remains elusive. Human rights groups oppose the U.S. legislative fix proposed in 2016 that would enable a realignment of these rules. Recent Senate and House hearings have relaunched the proposal into the Congressional consciousness.
This debate has been going on for a long time. To help clarify and refresh the details, we recently published a brief primer on the proposal to fix it.
Our document concisely describes how the current Mutual Legal Assistance Treaty (MLAT) system works. We lay out the common criticisms of the agreements. And we summarize the details, shortcomings, and benefits of the Justice Department’s proposed legislative fix–including some helpful diagrams.
The proposed reform would allow countries that the attorney general, with concurrence from the secretary of state, selects based on adherence to a set of legal and normative standards to send law enforcement requests for data directly to U.S. companies. Countries make requests according to their own national legal standards and the standards set out in the agreement.
That system departs from the status quo, which requires country requests to comply with U.S. legal standards, such as probable cause, and pass through the DOJ, judicial branch, and other government entities before being sent to companies. Thus, a key change in the new process is that it no longer requires requests to meet the U.S. probable cause standard; instead, it would require meeting only their own country’s legal requirements and additional standards set out in the legislation. That could mean some requests experience much less scrutiny. (Many members of civil society believe that an expedited process is not worth the reduced evidentiary standards.)
The potential politicization of the process for approving countries also provokes controversy, given that the executive branch would have sole approval authority. What happens to politically important countries that don’t meet the standards, but could meaningfully retaliate if not granted expedited access? That uncertainty is further complicated by the fact that the U.S. is also seeking to clarify its own law enforcement ability to seek data abroad, as in the Microsoft Ireland case; reciprocal access is at stake.
We hope that this debate can reach a thoughtful and helpful conclusion, and we hope our primer brings a better understanding of an important, if seemingly opaque, facet of law enforcement.