Solutions for law enforcement to access data across borders

Event report

[Read more session reports and updates from the 14th Internet Governance Forum]

The session focused on requests by law enforcement to access users’ personal data online, in the context of criminal investigations. Recent developments in this field make this discussion timely. Several countries and regions are considering the approval of new legislations focused on cross-border data, these include:

• The Council of Europe (CoE), which is discussing a second protocol to its Convention on Cybercrime (e.g. Budapest Convention);
• The European Union, which is proposing regulations on e-evidence;
• The United States, which is discussing bilateral agreements under its Cloud Act; and
• Brazil, which is discussing a law to empower law enforcement authorities to request access to data.

Historically, in analogue crimes, law enforcement authorities predominantly dealt with evidence that was available locally. Nowadays, the investigation of most crimes requires access to digital data. This data, however, may be held by foreign providers or hosted abroad. Therefore, there is a need to balance the sovereign rights of states to investigate, and to protect the rights of users, including their privacy.

When national legislations are approved without a co-ordinated approach, they may create extraterritorial consequences for other countries, which have a duty to protect their citizens’ privacy. There are also consequences for the business community, who are the custodians of user data, because the extent of a company’s liability when it receives law enforcement requests is uncertain.

Ms Fernanda Teixeira Souza Domingos (Federal Prosecutor at Federal Prosecutor’s Office of Brazil) highlighted that Mutual Legal Assistance Treaties (MLATs) are not suited for digital evidence. Although all the panellists agreed with this evaluation, Mr Alexander Seger (Council of Europe), speaking from the human rights perspective, said that MLATs bring important safeguards, therefore there should be efforts to render them more efficient, not disregard them.

To address the challenges related to jurisdiction, Ms Ludmila Georgieva (Manager, Public Policy & Government Relations, Google) suggested the harmonisation of legal approaches. She welcomed the US Cloud Act and the European e-evidence proposal. She highlighted that whenever there is a request for information, the subsequent notification of users is important because it serves as a way to safeguard users’ fundamental rights.

Mr Bertrand de La Chapelle (Director of the Internet Jurisdiction Project) mentioned that although both provide legal harmonisation, the US Cloud Act and the EU e-evidence proposal have different architectures. First, the e-evidence proposal is a mechanism that establishes the capacity of EU law enforcement to issue binding orders to operators that are located on EU territory. Ms Jennifer Daskal (Civil Society) explained that the Cloud Act has two parts, the second of which authorises the USA to enter into direct bilateral agreements with foreign partners so that they can have easier access to information hosted by companies in the USA. In order to comply, these partners need to observe several requirements, such as to follow the rule of law, be human rights compliant, protect free speech, and have due oversight of legal decisions, among others. Nevertheless, it is worth noticing that if the requested personal data refers to a US citizen or resident, the traditional regime of the MLATs (and not the Cloud Act agreement) applies to the request.

The first part of the Cloud Act is more controversial. The act clarifies that if the US government issues a request for information to a US service provider in a case involving a US citizen or resident, the location of data is irrelevant. This is a direct response to Microsoft’s refusal to comply when the US Department of Justice issued a warrant requesting that Microsoft hand over the details and content of an e-mail account – related to a suspected drug trafficker ­– stored in Ireland. It should be noted, however, that under the Cloud Act, companies (service providers) can contest the request if US authorities provide information on a foreign citizen located abroad. So far, there is just one bilateral agreement celebrated under the Cloud Act between the US and the UK. It remains to be seen which countries will manage to fulfil the requirements to be granted an agreement, and how effective this agreement will be.

Interoperability between legal systems is key. It encompasses legal interoperability among national laws and also among procedures, such as the format of the request for information, so these requests are mutually understandable. de La Chapelle also mentioned that the project tackles these two types of interoperability, and recently published the document ‘Concrete Proposals for Operational Norms, Criteria and Mechanisms: operational approaches’, which contains suggestions to tackle these issues.

Seger remarked that less than 1% of online crimes get reported to authorities, and, among these, less than 1% lead to convictions. Therefore, the impact of cybercrime on societiy is largely underestimated. He then highlighted the importance of the Budapest convention on cybercrime and invited participants to consult the outcomes of the Octopus conference, which, among other things, developed draft proposals of the second additional protocol to the Budapest Convention.

Finally, Mr Alexandre Roure (Computer & Communication Industry Associations (CCIA)), asked the speakers to reflect on the cybercrime-focused resolution backed by Russia which recently passed the Third Committee of the United Nations. Seger shared his opinion that the UN is the right venue to discuss an international cybersecurity treaty, but so far, there is no consensus amongst the member states on how to approach the topic, so the discussions could be divisive, further exacerbating geopolitical tensions. The resolution will be voted in the UN General Assembly in December.

By Marilla Maciel