The Simplest Cross-Border Fix: Removing ECPA’s Blocking Features

The House Judiciary Committee is holding a hearing at 10am this morning on cross-border data requests, featuring testimony from the Department of Justice, the U.K. government, Google, the Center for Democracy and Technology, state law enforcement, and yours truly. The hearing will be livestreamed here, where you can also find the written testimony.

My testimony boils down to this: Congress should (1) reverse the Second Circuit’s recent decision so that production orders under the Electronic Communications Privacy Act (ECPA) compel U.S. firms to comply regardless of where they choose to store customer data; and (2) revise ECPA so that U.S. firms can voluntarily comply with foreign law enforcement requests wherever they operate.

The first point is relatively straightforward. As I note in my testimony, this view is:

[C]onsistent with longstanding doctrine in other sorts of cross-border cases where courts regularly compel banks and other intermediaries to provide records held abroad—even where doing so would potentially place the intermediary in jeopardy of violating another country’s laws. This is helpful to keep in mind because one objection to the above proposals is that they will create conflicts of laws—that these proposals allow the U.S. government to compel a provider to deliver data held in another jurisdiction thereby putting the intermediary in jeopardy of violating that jurisdiction’s laws. In fact, production orders that call for the retrieval of data held in foreign servers rarely produce a direct conflict of laws. Consider the dispute that gave rise to the Second Circuit’s decision regarding Microsoft’s Irish-held data. Although Ireland filed a brief asserting a vague interest in the case, in fact there was no conflict between Irish laws and the U.S. production order—Microsoft could have complied with the order without violating any Irish laws.

The second point is a bit more extreme, and it parts ways with nearly everyone—including my friends in civil society, the Department of Justice, and many technology firms—so I want to offer a note of explanation here. Here is the nub of the concern:

If the British police are investigating a crime that occurred in London, and they procure a lawful order to investigate the suspect’s possessions and communications, U.S. law does not prohibit Bank of America from complying with a request for records. But U.S. law does prevent Google from complying. This is oddly inconsistent and foreign governments resent it; many now are poised to retaliate.

I fear that any solution that has Congress specify which countries can enjoy the privilege of enforcing their own laws on their own soil will backfire, leading those countries to create policies that are bad for users and bad for business. Anti-encryption mandates, data localization, and other desperate measures are the obvious responses by states when they cannot get access to criminal evidence through legitimate channels. Either the laws bend to recognize legitimate state interests, or the technology will.