Academic journal article Journal of National Security Law & Policy

Law Enforcement Access to Data across Borders: The Evolving Security and Rights Issues

Academic journal article Journal of National Security Law & Policy

Law Enforcement Access to Data across Borders: The Evolving Security and Rights Issues

Article excerpt

Introduction

A revolution is underway with respect to law enforcement access to data across borders. Frustrated by delays in accessing data located across territorial borders, several nations are taking action, often unilaterally, and often in concerning ways. Several nations are considering (or have passed) mandatory data localization requirements, pursuant to which companies doing business in their jurisdiction are required to store certain data, or copies of such data, locally. Such measures facilitate domestic surveillance, increase the cost of doing business, and undercut the growth potential of the Internet by restricting the otherwise free and most efficient movement of data. Meanwhile, a range of nations - including the United States, United Kingdom, Brazil, and others - are asserting that they can unilaterally compel Internet Service Providers (ISPs) that operate in their jurisdiction to produce the emails and other private communications that are stored in other nation's jurisdictions, without regard to the location or nationality of the target. ISPs are increasingly caught in the middle - being forced to choose between the laws of a nation that seeks production of data and the laws of another nation that prohibits such production. In 2015, for example, Brazilian authorities detained a Microsoft employee for failing to turn over data sought by Brazil; U S. law prohibited Microsoft from complying with the data request.1 Governments also are increasingly incentivized to seek other means of accessing otherwise inaccessible data via, for example, use of malware or other surreptitious forms of surveillance.

The problems associated with law enforcement access to data across borders are just beginning to get the attention they deserve - overshadowed in large part by the heavy focus on intelligence collection, particularly in the aftermath of the Edward Snowden revelations. But a number of governments, corporations, and members of civil society are now focused on the issue as one of increasing importance. In February 2015, the United States House Judiciary Committee held a hearing on law enforcement access to data across borders and conflicts of laws.2 The U K. Home Office has described the creation of streamlined processes for obtaining data held by U.S.-based providers as one of their most important priorities;3 the issue is high on the agenda of a number of other foreign governments as well.4 A handful of scholars also are now exploring the complicated jurisdictional, privacy, and security questions that have arisen.5 This article seeks to add to this nascent, yet growing literature. Its aims are three-fold: to provide the key background, to highlight the need for action, and to suggest a way forward.

A caveat up front: the article is U.S.-centric, and is so for a reason. While the problem of cross-border access to data is inherently international, the United States has an outsized role to play, given a combination of the U.S.-based provider dominance of the market, blocking provisions in U S. law that prohibit the production of the content of electronic communications (such as emails) to foreign-based law enforcement, and the particular ways that companies are interpreting and applying their legal obligations. The approach taken by the United States is likely to become a model for others, thus providing the United States a unique opportunity to set the standards - standards that ideally will protect privacy, security, and the growth of an open and global Internet. The alternative is a Balkanized Internet and a race to the bottom, with every nation unilaterally seeking to access sought-after data, companies increasingly caught between conflicting laws, and privacy rights minimally protected, if at all.

I. Background : Data Across Borders

Data no longer respects international boundaries. When Jack in San Francisco, California sends an email to Jill in New York, it may take a direct route from California to New York, or it may travel through Canada, or even the United Kingdom, before arriving at its intended destination. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed

Oops!

An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.