Cloud act & e-evidence: Implications for the Global South

Event report

[Read more session reports and live updates from the 13th Internet Governance Forum]

Summary: Recent developments in the US and Europe have raised the stakes in discussions on cross-border access to data and communications by law enforcement authorities around the world. If these initiatives stem from developed countries, they will also have tremendous impacts on small and developing nations in terms of access to justice, protection of human rights, and legal certainty for businesses.

The session, moderated by Mr Thiago Tavares, Director, Safernet Brazil, featured discussion on the implications of recent developments in the field of cross-border access to data for countries of the Global South. In recent months, the adoption of the CLOUD Act in the United States, negotiations at EU level on e-Evidence regulation, and discussions of a new additional protocol to the Budapest Convention, have raised the stakes regarding the currently valid MLAT agreements, and the political consequences of legal provisions that expand the reach of one country’s jurisdiction and law enforcement prerogatives.

In the keynote speech, Mr Bertrand de la Chappelle, Founder, Internet and Jurisdiction, detailed these three recent developments in Europe and the US, and explained the functioning and challenges brought about by them. All three are intended to provide modalities for direct requests by investigating authorities from one country, to private actors in another country. The difficulty is to reconcile diverging needs: fighting crime, while respecting human rights, and without putting excessive burden on the digital economy. One of the main differences between the Cloud Act and the EU e-evidence proposal is that the European proposal considers the possibility of binding production orders for foreign companies providing services in the Union. However, with the Cloud Act, judicial authorities of third countries can have access to data stored by companies in the US, on the basis of executive bilateral agreements, unilaterally adopted by US authorities. Overall, the interoperability of these regimes, and their scalability, is very challenging. These issues are currently being discussed in the context of a contact group of the Internet and Jurisdiction policy network, which will propose concrete solutions on these issues next April.

Ms Lani Cossette, Director, EU Government Affairs, Microsoft, recalled the role of the US vs Microsoft case in accelerating the debate around cross-border access to data, and insisted on the legal challenges for companies, trapped between competing jurisdictions. Cossette suggested the main criteria to be met for ensuring cross-border access to data between states: notice to users, independent judicial authorisation, specific legal process, provisions in case of conflict, and transparency. She indicated that the first executive bilateral agreement deriving from the Cloud Act will be adopted between the US and the UK by the end of the year. This will constitute an important step, though it is clear that not all agreements will be the same.

Ms Fernanda Domingos, Federal Prosecutor’s Office, State of São Paulo, Brazil, gave the perspective of law enforcement agencies in Brazil, focusing in particular on the Cloud Act. For Domingos, the Cloud Act is very problematic for Brazil since entering into a Cloud Act agreement means recognising US jurisdiction over all data controlled by American providers, even if the data was collected in a third country.

Ms Monica Rosina, Public Policy Manager, Facebook, presented the position of Facebook on the issue of cross-border access. Facebook has been working with law enforcement agencies to better enable them to protect the public without impacting the privacy of users. The company has teams on the ground in every region of the world that work with law enforcement, and has developed a portal specially designed to directly request access to data. Because Facebook Inc. is the controller of the data and American law blocks Facebook from providing content to third countries in most cases, conflicts of law are very regular. The Cloud Act has changed US law to enable foreign governments to enter bilateral agreements, and this could tremendously speed up the process and remove legal barriers, but there have to be concerns over data protection taken into consideration, as well as due process of law.

For Ms Luiza Brandao, Director, Instituto de Referência em Internet e Sociedade, Brazil, an uncoordinated increase of agreements and regulations by different countries could mean deeper conflicts of law and a risk of fragmentation on different standards. The bilateral approach, followed by the Cloud Act for instance, could also marginalise other stakeholders, especially from the Global South, where decision-making is not as easily influenced by civil society or academia as in developed countries. The development of new institutional solutions should include not just the Global South’s point of view, but also ensure the preservation of the Internet’s global nature.

By Clement Perarnaud