Opinion: How the Justice Department data-sharing plan defends privacy
The proposal updates an antiquated law so that countries can exchange electronic data as part of investigations while safeguarding Americans' privacy and promoting security.
The Digital Age has created tough questions for international police who don't always have the jurisdiction to search the necessary data. Here, a German police officer carries a computer server from a mosque as part of an investigation into Islamic extremism.
Hannibal Hanschke/Reuters
Earlier this month, the Justice Department unveiled a legislative proposal to facilitate cross-border data sharing for law enforcement purposes. While critics called it a "threat to privacy," that characterization reflects a fundamental misunderstanding of the plan. To the contrary, it's an approach that would promote privacy, security, and innovation. It should be applauded, not decried.
The draft legislation responds to significant law enforcement problems that result from the rise of the global reach of the Internet, and the peculiarities of US law.
Until recently, law enforcement officials could find most of the evidence needed to investigate local crimes within their own countries. There were, of course, times when evidence was moved across borders or agents were tracking multinational criminals and gangs. In those situations, law enforcement officers either opened joint investigations with foreign counterparts or employed the mutual legal assistance process and made diplomatic requests for sought-after evidence.
Today, however, evidence is routinely located in other jurisdictions, often in the US. Much of the world's communications are digitized and held by American companies such as Google or Microsoft. A 30-year-old US law called the Electronic Communications Privacy Act prohibits these firms from turning over the contents of US-held communications to foreign governments, even if the requesting government is investigating its own citizens with respect to a local crime.
Now, imagine if British police investigating a murder in London seek the suspect's emails. If the perpetrator used a British internet provider, investigators would have the emails in days. But if the email provider is an American company, police must initiate the Mutual Legal Assistance Treaty (MLAT) process, which requires a US judge to approve the request. And that takes an average of 10 months to complete. Meanwhile, the murder goes unsolved.
Frustrated by this situation, foreign governments are responding in a number of concerning ways. These include imposing mandatory data localization requirements, which force companies to store data (or copies thereof) locally. Such measures open the door to domestic surveillance – but without any of the human rights and privacy-protective safeguards included in the Justice Department's draft legislation.
They also impose added costs on US businesses, making it increasingly hard for startups to compete globally; undermine the internet’s efficiency and growth potential; and hinder US government access to data necessary for law enforcement investigations. Other concerning responses include the unilateral assertion of extraterritorial jurisdiction and resorting to other surreptitious means of accessing sought-after data.
Now, the Justice Department is seeking the authority to enter into bilateral agreements with Britain – and other yet-to-be-designated nations – that would permit the partner governments to bypass the laborious MLAT process and directly request sought-after emails and other communications from providers.
Importantly, the proposal would put limits on those agreements. First, the executive branch must certify that the partner government adheres to its human rights obligations, demonstrates a respect for the rule of law and principles of nondiscrimination, and has accountability mechanisms regarding the government’s collection and use of electronic data. Requests made under this expedited process also must be targeted, limited in duration, and reviewed by a judge or other independent authority.
The plan also prohibits partner governments from from relying on the expedited process to intentionally gather the data of anyone in the US – and of US citizens or permanent residents wherever located. Governments still need to employ the MLAT process to get that data.
In other words, even with an agreement in place, foreign governments need a US judge approval to target Americans' data. There will, of course, be times when partners targets a noncitizen and nonetheless acquires the communications of a US citizen (such as when the noncitizen is emailing with a citizen), but the proposed legislation anticipates that: It prohibits the foreign partner from sharing that information with US authorities unless it is of relevance to serious crime and relates to a significant harm against America or Americans. And it requires the destruction of all non-relevant information, whether involving a US person or not.
The most controversial piece of the Justice Department's proposal is that it covers real-time communications in addition to stored communications. Real-time intercepts have long been subject to enhanced protections under US law – including strict time limits on their use, a determination that other investigative techniques are insufficient, and notice to the targets.
The existing MLAT process does not provide a mechanism for foreign governments to gain access to such real-time communications – so this would give foreign governments access to data not otherwise available. That said, real-time monitoring often is critical in the investigation of terrorist plots and other active crimes. Moreover, a time-limited interception arguably poses less of a privacy threat than a longer-term collection of the same stored data.
In sum, this is a much-needed piece of legislation. If adopted, it would allow the US government to set the rules governing cross-border access to data – rules that promote privacy, human rights, and the rule of law. Without it, countries increasingly can be expected to resort to data localization mandates or surreptitious means of accessing sought-after data in ways in which the US has no say, even if the target is an American citizen.
Melanie Teplinsky teaches information privacy law at the American University Washington College of Law as an adjunct professor. She started her career in cybersecurity in 1991 as an analyst at the National Security Agency.
Jennifer Daskal is an assistant professor at American University Washington College of Law, where she teaches and writes in the fields of criminal, constitutional, and national security law. She was formerly counsel to the assistant attorney general for national security at the Department of Justice, and previously senior counterterrorism counsel at Human Rights Watch. Follow her on Twitter @jendaskal.