In the face of data requests from law enforcement agencies, conflicting legal requirements from home country and foreign jurisdictions are putting multinational tech companies in an unprecedented dilemma. How should they respond? Pan Cong, general counsel of SHAREit Group and former product legal director of ByteDance, offers some advice.
It is undeniable that globalisation and informatisation have brought massive changes to the way people produce, consume and live – changes that are deemed irreversible by some. Innovations in technology and business models by global technology companies have become an important driving force behind the transformation.
Technology companies commonly hold vast quantities of personal information, including but not limited to interactive and behavioural data, and electronic data are increasingly becoming a common and even indispensable type of case evidence in criminal investigations by law enforcement agencies.
When a law enforcement official of a country makes a cross-border data request to a technology company that has such data evidence in its possession, the process involves the rights and obligations of the country where the data is stored, the technology company holding and storing the data, and the individual to whom the data refers (data subject).
Global technology companies are regularly involved in such processes as data controllers. For example, Microsoft, in its Law Enforcement Requests Report for the first six months of 2021, disclosed that it received 27,809 legal requests from law enforcement agencies during the period, only 6,392 of which were from US agencies. This means that more than 20,000 requests came from governments of other countries.
DILEMMAS AND CHALLENGES
However, when a law enforcement agency makes a direct cross-border data request to a data controller, the territorial jurisdiction of the country where the data are located still needs to be honoured.
Currently, the domestic legislation of countries still emphasises sovereignty over data stored within their borders, so it is common practice to restrict or prohibit domestic enterprises from voluntarily providing data to a country making an information request. In most cases, the country making the information request is required to secure the requisite data through a criminal judicial assistance procedure.
For example, the US Electronic Communications Privacy Act (ECPA), in principle, prohibits US network service providers from providing communications content data and subscriber records to foreign law enforcement authorities unless an administrative agreement executed pursuant to the Clarifying Lawful Overseas Use of Data Act (Cloud Act) exists between the two countries.
However, the inevitably inefficient and lengthy nature of the international criminal justice assistance procedure, the mutual legal assistance treaty (MLAT), clearly fails to accommodate the need for efficiency in criminal investigation activities in today’s social environment.
Naturally, a country where data are located wishes to ensure that data falling within the scope of its sovereignty are not “freely” obtained by the government of a country that has made an information request so that its people’s privacy, data security, cybersecurity and even national security are fully safeguarded.
The country making an information request, on the other hand, wishes to obtain data evidence as efficiently as possible to grasp the key elements of a criminal case and thereby propel the case along and safeguard public safety.
As a data controller, a technology company finds itself stuck between two very different standpoints, making dilemmas and challenges inevitable.
Once the legal requirements of the country where the data are located conflict with the data access requirements of the country making the information request, a technology company will face local enforcement pressure from the country making the information request.
In January 2015, Brazilian police forcibly entered the home of a local Brazilian Microsoft executive and arrested him on the grounds that Microsoft had refused to provide Skype communications data relating to a Brazilian citizen stored in the US. Under the ECPA, providing the data in question directly to the Brazilian police would be illegal. Microsoft refused the local police’s information request on this basis, triggering a strong reaction from the Brazilian government.
Similarly, in February 2016, Brazilian police arrested a local senior Facebook executive due to dissatisfaction with Facebook’s refusal to provide data needed for their investigation. The investigation was intimately connected to a local narcotics smuggling case, and sources indicated that user communication data on WhatsApp, a product wholly acquired by Facebook in 2014, was pivotal to breaking the case. The securing of the information in question was also supported by an investigation order from a local court.
However, neither Facebook nor WhatsApp could provide the relevant information to the Brazilian authorities, not only because US law prohibited the direct provision of the above-mentioned information stored in the US, but also because, starting in 2014, WhatsApp has been using an end-to-end encryption technology for the information transmitted between users, making it impossible for the product and its operating company to actually access the information transmitted between users.
The legal dilemma posed by data sovereignty jurisdiction, as well as the substantive impossibility at the technical and actual operational levels, made it impossible for Facebook and WhatsApp to satisfy the requests of local law enforcement.
Another case has had even wider implications. In 2013, in a narcotics case, a US court issued a search warrant requiring Microsoft to disclose to the US government the email content and account information of users involved in the case, but the data were stored in Ireland, and Microsoft refused to provide them. Subsequently, after a long and winding road through multiple district courts and the Second Circuit, the United States v Microsoft Corp case came before the Supreme Court in February 2018.
The case once again raised an issue that has been highly controversial for many years: Does the US government have the right to obtain, by way of an executive order, data that are in the control of a US company but stored outside the US?