Between rocks & hard places

Technology companies commonly hold vast quantities of personal information, including but not limited to interactive and behavioural data, and electronic data are increasingly becoming a common and even indispensable type of case evidence in criminal investigations by law enforcement agencies.

When a law enforcement official of a country makes a cross-border data request to a tech company that has such data evidence in its possession, the process involves the rights and obligations of the country where the data are stored, the tech company holding and storing the data, and the individual to whom the data refer (data subject).

Global technology companies are regularly involved in such processes as data controllers. For example, Microsoft, in its Law Enforcement Requests Report for the first six months of 2021, disclosed that it received 27,809 legal requests from law enforcement agencies during the period, only 6,392 of which were from US agencies. This means that more than 20,000 requests came from governments of other countries.

DILEMMAS AND CHALLENGES

However, when a law enforcement agency makes a direct cross-border data request to a data controller, the territorial jurisdiction of the country where the data are located still needs to be honoured.

Currently, the domestic legislation of countries still emphasises sovereignty over data stored within their borders, so it is common practice to restrict or prohibit domestic enterprises from voluntarily providing data to a country making an information request. In most cases, the country making the information request is required to secure the requisite data through a criminal judicial assistance procedure.

For example, the US Electronic Communications Privacy Act (ECPA), in principle, prevents US network service providers from providing communications content data and subscriber records to foreign law enforcement authorities unless an administrative agreement executed pursuant to the Clarifying Lawful Overseas Use of Data Act (Cloud Act) exists between the two countries.

However, the inevitably inefficient and lengthy nature of the international criminal justice assistance procedure, the mutual legal assistance treaty (MLAT), clearly fails to accommodate the need for efficiency in criminal investigation activities in today’s social environment.

Naturally, a country where data are located wishes to ensure that data falling within the scope of its sovereignty are not “freely” obtained by the government of a country that has made an information request so that its people’s privacy, data security, cybersecurity and even national security are fully safeguarded.

The country making an information request, on the other hand, wishes to obtain data evidence as efficiently as possible to grasp the key elements of a criminal case and thereby propel the case along and safeguard public safety.

As a data controller, a technology company finds itself stuck between two very different standpoints, making dilemmas and challenges inevitable.

Once the legal requirements of the country where the data are located conflict with the data access requirements of the country making the information request, a technology company will face local enforcement pressure from the country making the information request.

In January 2015, Brazilian police forcibly entered the home of a Brazilian Microsoft executive and arrested him on the grounds that Microsoft had refused to provide Skype communications data relating to a Brazilian citizen stored in the US. Under the ECPA, providing the data in question directly to the Brazilian police would be illegal. Microsoft refused the local police’s information request on this basis, triggering the strong reaction by the Brazilian government.

Similarly, in February 2016, Brazilian police arrested a local senior Facebook executive due to dissatisfaction with its refusal to provide data needed for their investigation. The investigation was intimately connected to a local narcotics smuggling case and sources indicated that user communication data on WhatsApp, a product wholly acquired by Facebook in 2014, was pivotal to breaking the case. The securing of the information in question was also supported by an investigation order from a local court.

However, neither Facebook nor WhatsApp could provide the relevant information to the Brazilian authorities, not only because US law prohibited the direct provision of the above-mentioned information stored in the US, but also because, starting in 2014, WhatsApp has been using an end-to-end encryption technology for the information transmitted between users, making it impossible for the product and its operating company to actually access the information transmitted between users.

The legal dilemma posed by data sovereignty jurisdiction, as well as the substantive impossibility at the technical and actual operational levels, made it impossible for Facebook and WhatsApp to satisfy the requests of local law enforcement.

Another case has had even wider implications. In 2013, in a narcotics case, a US court issued a search warrant requiring Microsoft to disclose to the US government the email content and account information of users involved in the case, but the data were stored in Ireland, and Microsoft refused to provide them. Subsequently, after a long and winding road through multiple district courts and the Second Circuit, the United States v Microsoft Corp case came before the Supreme Court in February 2018.

The case once again raised an issue that has been highly controversial for many years: Does the US government have the right to obtain, by way of an executive order, data from a US company that is in the control of such a US company but stored outside the US? The US government argued that if it was required in a case to obtain data on an American citizen in connection with a US criminal case, and the data were controlled by a US company, but merely by the fact that such data happened to be housed outside the country it had to make a request for the same to a foreign government, the case would be hampered by the cumbersome application process, severely impacting public safety.

Additionally, the US government argued that in some cases, it was not aware where the data were located and could only obtain them from the multinational corporation most closely linked to the case, while some foreign governments have, for many years, been less than co-operative, a point that could also be exploited by criminals to intentionally select products stored in these “non-friendly” countries to carry out the planning for, or to commit criminal acts.

Microsoft, however, challenged the government, and argued that if the government of every country could freely obtain data they were interested in without regard to the place where the data were located, merely because they have personal jurisdiction over the service provider to which the data relate, or even its subsidiaries, then serious international disputes and international conflicts of law could arise and greatly weaken the company’s protection of user privacy.

Microsoft additionally argued that the substantive law relied upon in the case was in urgent need of updating and that such change required the efforts of congress, rather than those of the Supreme Court.

The Microsoft Ireland case has drawn widespread attention from the public, academics, business organisations and government agencies around the world, particularly in the US and Europe. Before it heard the case, the EU submitted an amicus curiae brief to the Supreme Court, clearly enunciating the EU’s attitude and demands regarding the obtainment by other countries of data located in the EU – the EU considers the storage of data in data centres on its territory, and the transfer of data from the EU to the US, to be data processing acts under the General Data Protection Regulation (GDPR).

This case generated a great deal of attention from the governments of various countries. Regardless of which judgment the Supreme Court brought down, it could not resolve the conflicting issues respectively raised by the US government and Microsoft in the case.

As Microsoft’s chief legal officer, Brad Smith, said in an article he posted: “We’ve appreciated the critical need for law enforcement to retain the ability to access information quickly pursuant to the rule of law. But it is equally important that individuals and companies retain their privacy rights. Achieving the right balance in today’s world is as complicated as it is fundamental.”

The Microsoft Ireland case directly contributed to the accelerated completion of the legislative work for the US Cloud Act. On 23 March 2018, then president Donald Trump officially signed the Cloud Act and the Microsoft Ireland case was settled in the Supreme Court.

LESSONS FROM CLOUD ACT

At the legislative level, the Cloud Act embodies numerous innovations. Where the US is the country making the information request, on the one hand, the Cloud Act inherits provisions of the ECPA and further clarifies that a data controller has an obligation to disclose information to the US government regardless of whether its data are located in or outside the US. On the other hand, the act establishes that a data controller may file a motion for withdrawal or modification of an enforcement request based on the principle of comity if certain conditions are met.

These conditions include: (1) the information request potentially creating a conflict with a “qualifying” foreign government; (2) the data subject being a foreign national who is not resident in the US; and (3) the data being stored overseas.

A court will render its final determination based on the international law principle of comity and by taking into consideration the place where the data are stored, the nationality of the data subject, the importance of the data themselves to the investigation of the case, the availability or not of other means to secure the information, and the efficiency of doing so.

Additionally, where the US is the country where the data are located, on the one hand, the Cloud Act inherits the principles for cross-border information requests of the ECPA, i.e. a data controller may not provide information stored in the US directly to a country that makes an information request, but is instead required to do so through an MLAT procedure.

On the other hand, the Cloud Act makes certain innovations on the basis of the ECPA. With respect to the principle that an MLAT procedure is required, the Cloud Act directly enumerates exceptions and provides that, in the case of such an exception, a data controller may provide data stored in the US directly to a country making an information request.

Of course, the realisation of such exceptions is subject to strict conditions. First, the country making the information request is required to enter into a mutual assistance enforcement agreement with the US for the obtainment of evidence in serious crimes, which requires the counterparty to satisfy a series of substantive and formal conditions on the protection of data and privacy, secure the written support of the US, including the attorney general and secretary of state, and accord congress six months to review the agreement and decide whether to support or reject it.

Second, even if an agreement is reached, a series of conditions is additionally imposed on the obtainment of evidence, including the need for the information request to be specific, the need for supervision by a neutral body such as a court, and the need not to infringe on freedom of expression, etc.

Third, the data subject against whom the evidence is sought must be a foreign national not residing in the US. An information request against an American citizen or resident still needs to be made through an MLAT procedure.

Although the adoption of the Cloud Act has not comprehensively resolved the above-mentioned issue of balancing the efficiency of obtaining evidence and privacy security, it has at least opened up some possibilities for resolution.

This is done by attempting to improve the efficiency of the cross-border data requests to a certain extent by way of domestic legislation plus bilateral agreements on the basis of the MLAT’s cumbersome judicial assistance procedure, while still taking into account security and privacy.

The above-mentioned case additionally reflects the basic thinking of various countries on cross-border data requests at the legislative level. Although there are many differences in the legislation of these countries, the core idea is the intent to emphasise data sovereignty while additionally facilitating, to a certain extent, cross-border information requests.

When the country in question is the one making the information request, it endeavours to make the “personnel” the connection in seeking to obtain data of its citizens from an enterprise, and uses the enterprise’s entity or service in the country as a check when making an information request.

When the country in question is the country where the data are located, it endeavours to use “territorial” jurisdiction as the basis for sovereignty, requiring data subjects not to provide data directly, but to do so through an MLAT or another bilateral agreement, reinforcing sovereignty while providing a certain degree of assistance in an information request.

INDUSTRY PRACTICES

Technology companies, particularly multinationals, generally have strict procedures in place for providing data across borders to countries making requests for information, and do substantive reviews on a case-by-case basis of such requests as to whether they have a lawful basis, whether the information requested is specific enough and the scope is the minimum possible, whether the user may be notified in advance, and whether it is an urgent request where the safety of life and limb are in jeopardy.

Most technology companies have formulated dedicated law enforcement guidelines that are available to national law enforcement agencies for reference, which, from the practical level, can reduce the costs of communicating with law enforcement and enhance efficiency.

Such guidelines guide law enforcement agencies on how to fill out, in accordance with the basic requirements, an application form or send an email to the data controller and enumerate the required items so that they can be handled quickly and efficiently.

For example, TikTok’s law enforcement guidelines expressly mention that its different entities control data stored in their respective regions, and that law enforcement agencies are required to make their requests to the corresponding entity.

To varying degrees, various companies mention cross-border procedures, or that such procedures differ from those for obtaining data evidence locally.

Some companies directly mention that if the country making the information request is not the same as the country where the data are stored, the company may need to ask the government in question to carry out the evidence obtainment arrangement by such means as an MLAT, and that it cannot provide the requisite data directly to the law enforcement agency of the country that made the information request.

For example, as Apple mentions in its legal process guidelines for governments and law enforcement agencies outside the US, whenever a government or law enforcement agency outside the US makes any manner of a content request, it must comply with applicable laws, including the ECPA.

Tech companies have also added an exception on the basis of the above-mentioned, that is, “in an emergency” they can provide data to a law enforcement agency by way of an expedited procedure.

For example, Microsoft states in its principles for law enforcement requests that it will provide data to government agencies in situations where it deems that the relevant request could result in serious physical injury or death. Here, Microsoft does not make a deliberate distinction between providing data to domestic or foreign law enforcement agencies.

Other companies have also made similar arrangements to review, where the law permits, “emergency” cross-border data requests on a case-by-case basis, and to provide data assistance directly to law enforcement agencies where the conditions
are satisfied, without resorting to an MLAT or another bilateral agreement arrangement.

As to whether data subjects are notified, mainstream technology companies will, in principle, notify their customers of data request arrangements and only in exceptional circumstances will they not disclose such requests.

Such exceptional circumstances include receipt of a “non-disclosure order” from a law enforcement agency, or a determination by the company that notifying the customer could pose a serious risk of personal injury or death. As Apple states: “Apple will notify customers and account holders unless there is a non-disclosure order or applicable law prohibiting notice, or where Apple, in its sole discretion, reasonably believes that such notice may pose an immediate risk of serious injury or death to a member of the public, the case relates to a child endangerment matter, or where notice is not applicable to the underlying facts of the case.”

In summary, the common approach currently of technology companies to cross-border information requests by law enforcement agencies is to do a case-by-case review of the procedure and the substantive content so as to achieve the objective of protecting personal information, while at the same time realising a layered differentiation of “non-emergency situations” and “emergency situations” so as to differentially treat the manner in which the information is obtained in order to comply with the legal requirements of the country where the data are located and industry practice.

This approach offers, to a certain extent, a relatively time-sensitive assistance mechanism for high-risk criminal law enforcement activities, and allows the company to fulfil its corporate responsibility for public safety while, at the same time, in principle, duly safeguarding the customer’s right to know. Additionally, the setting of exceptions similarly attempts to balance the interests of public safety and user privacy.

This article has explored the longstanding, but frequently discussed topic of cross-border data requests from the perspective of multinational technology companies. Regardless of whether looked at from the perspective of the protection of personal information and state cybersecurity, the perspective of efficiency of criminal justice case handling/obtainment of evidence and public security, or determination of the value of data sovereignty, multinational technology companies shoulder unshirkable social responsibilities.

In the course of constant renewal of national legislation on the existing foundations, technology companies, while grounded on the legislation of their home countries, additionally seek bilateral or multilateral collaboration between countries, an opportunity and a challenge presented to us by the times.