The global nature of the Internet means that police agencies all around the world are facing challenges investigating crime when the data is stored in other countries. The pressure to make this process easier is mounting. To many governments, that means stripping away legal protections for privacy. Soon, police in other countries could get their hands on data from abroad based on an international agreement or other legal initiative. Under new cross-border authorities, police elsewhere can obtain evidence to investigate things that might not even be a crime in your country—and their demands for data might not be reviewed by a judge, or by anyone from your own government. (In the U.S., foreign agencies can't use the new CLOUD Act methods to get access to data of Americans, and companies are supposed to actively remove Americans' data from their responses, but proposals elsewhere mostly don't have an analogous restriction.)
This year EFF and our colleagues have been fighting over access mechanisms like the CLOUD Act in the United States, the US-UK CLOUD Act Agreement, the upcoming US-Australia CLOUD Act Agreement, proposals for a US-EU agreement, the European e-evidence proposal, and cross-border data exchange systems proposed in amendments to the Council of Europe’s Budapest Convention (which we commented on in February and November). Some of these are bilateral deals involving just two countries, but others—especially the European and Budapest Convention mechanisms—could potentially involve dozens of countries, rapidly ushering in legal changes that allow officials in any one of them to get personal information from companies in any other.
The Internet has no borders, but countries and jurisdictions do. We don’t want to lose the many benefits of a borderless Internet: that individuals can speak as equals quickly and easily to others on the other side of the world, that businesses can trade at the speed of light, and that those faced with repression in one jurisdiction can sometimes use the global Internet to route around it. But laws are enforced by states. Every country wants to see its own laws enforced, and sometimes they believe that this requires acting beyond their borders. Internet jurisdiction questions crop up in all different contexts and touch on many different aspects of human rights. But today they are especially visible in the context of cross-border data access negotiations. Like us, privacy authorities are worried that these deals fail to protect the public’s rights; the EU’s privacy watchdog, for instance, offered its own warnings on the US-EU negotiations and on the Budapest Convention amendment process.
The Principle of Territoriality and Differences Between Legal Systems
By default, countries can only enforce their laws within their own territory. All these initiatives to some extent bargain away this principle of territoriality and the privacy safeguards that accompany it: the U.S. CLOUD Act, for instance, will allow qualifying countries to ignore U.S. privacy protections for non-U.S. persons' communications content, while the EU e-evidence proposal, if passed, will allow law enforcement of one country to make data requests that ignore the privacy laws of the other country.
But the laws of different countries are quite different. That includes what kinds of things are or could be a crime in the first place, what law enforcement has to prove before accessing personal data, and whether different kinds of personal data are legally protected at all. The trend in cross-border access proposals, unfortunately, is to try to ignore most of these differences, often by adopting the less-protective rule.
In surveillance law, we see countries racing one another towards an unfortunate finish-line: weaker privacy protections for everyone. For instance, in the United States, we enjoy strong protections against government access to the content of communications—the government needs to show at least “probable cause,” and higher standards for real-time interception. Elsewhere, for instance in Canada, we see strong protections for subscriber data. And Brazil (unlike the United States) requires a court order for most data, whether content or metadata. When negotiations begin between countries over how law enforcement should obtain data, these differences can be swept aside.
- For example, authorities have called for getting rid of “blocking statutes,” which include the U.S. protections we mentioned above. They propose immunizing companies that share data with authorities, even in jurisdictions where this is currently banned.
- The U.S. CLOUD Act will allow U.S. officials to ignore foreign privacy protections in requesting data from other countries, while qualifying foreign governments that enter into an agreement with the U.S. will in turn be able to avoid U.S. privacy protections by using their own law on U.S. soil.
In some cases, a foreign country’s law may not be in compliance with international human rights standards.
- For example, data retention mandates (requiring retention of metadata about users even when they’re not under suspicion of a crime) have been declared illegal in Europe by the European Court of Justice. But many European data retention laws remain on the books and continue to be enforced.
We fear that countries can effectively export their bad practices or weak human rights protections through extraterritoriality in these agreements; when two nations negotiate over their differences, the weakest human rights protections may win, and bad local law can prevail over international standards of human rights.
Don’t Race to the Bottom
Official international legal cooperation has existed for centuries, including things like extradition, and cooperation on criminal investigations. It can be useful and appropriate. We agree that some forms of cooperation ought to be made faster and more predictable than they are today. Valid legal requests between countries should be dealt with promptly, and shouldn’t languish in bureaucratic limbo. But this shouldn’t be an excuse to undermine either side’s legal system and the protections it offers. Let’s not make the weakest privacy protections into the de facto global standard.