DOJ鈥檚 Data-Sharing Proposal Threatens Privacy of Americans and Citizens Around the World
On Friday, the Department of Justice introduced legislation that would make it easier for foreign governments to acquire electronic data stored by U.S. companies. This legislation represents a serious threat to privacy, and Congress should reject it.
Under the proposed legislation, the U.S. government would be able to enter into agreements with foreign countries that would allow those countries to obtain stored data and real-time communications directly from U.S. companies without satisfying a probable cause standard and without the authorization of an independent judge, tribunal, or other impartial body. Such agreements would make it easier for foreign governments to obtain the communications of U.S. persons without a warrant. In order to facilitate such agreements, the legislation weakens several U.S. privacy laws鈥攊n particular, the Electronic Communications Privacy Act (ECPA) and the Wiretap Act鈥攚hich prohibit U.S. companies from disclosing their users鈥 communications directly to foreign governments. The U.S. government is already negotiating one such agreement with the United Kingdom, which is expected to serve as a template for similar agreements with other countries.
The DOJ鈥檚 legislative proposal, and the bilateral agreements that the Administration envisions, would roll back existing privacy protections for both Americans and individuals abroad. The proposal has at least four fatal flaws:
- The legislation would not adequately protect the rights of U.S. persons. The proposed legislation would allow foreign governments to access the communications between U.S. persons and the targets of foreign investigations, without a U.S. judicial warrant supported by probable cause and without meeting the standards in the Wiretap Act. Moreover, nothing in the agreement would prevent the foreign governments from voluntarily passing this information back to the U.S. government to be used in criminal proceedings in the United States. The deal thus weakens the protections currently in place for U.S. persons and creates a substantial end-run around them.
- The legislation would permit foreign governments to request that U.S. companies assist in real-time surveillance for the first time and without necessary protections. Currently, ECPA does not permit any government鈥攊ncluding ours鈥攖o request that providers to disclose communications in real time. Instead, when the U.S. government wants to conduct real-time surveillance, it must comply with the federal wiretap statute, known as Title III, which imposes higher standards than ECPA. For example, Title III requires the government to demonstrate probable cause to believe that its target has committed a serious crime and that normal investigative procedures have failed. Title III also requires the U.S. government to eventually notify targets of their surveillance and to minimize the interception of irrelevant communications. But the proposed legislation would allow foreign governments to compel a U.S. provider to assist in real-time surveillance for the first time and to do so without satisfying the heightened requirements of Title III or anything like them.
- The legislation does not satisfy human rights law. Human rights law permits governments to conduct surveillance only if it is authorized by an independent and impartial tribunal, necessary and proportionate, and minimally intrusive on privacy rights. Under existing data-sharing arrangements, a 鈥渘eutral and detached鈥 U.S. magistrate serves as the impartial decisionmaker. While the proposed legislation requires a foreign government to conduct independent oversight over its data requests, an after-the-fact 鈥渞eview鈥 is no substitute for prior authorization by an independent body. Importantly, the legislative proposal is silent about who may authorize such a search, which suggests that an entity like Britain鈥檚 Home Secretary鈥攁 law enforcement official who is neither independent nor impartial鈥攃ould approve such searches (as is the current practice in Britain). Moreover, the proposed legislation ignores other key human-rights protections, including the requirements that individuals receive notice of the intrusion and access to meaningful remedies when violations occur.
- The legislation does not require individualized review of requests for data. Under the Administration鈥檚 proposal, the executive branch would certify periodically that a foreign country鈥檚 laws permit electronic searches only on a showing of 鈥渞easonable justification,鈥 鈥減articularity,鈥 鈥渓egality,鈥 and 鈥渟everity,鈥 and that the requesting country鈥檚 laws and practices meet certain baseline standards related to the rule of law and human rights. But a country-wide assessment of that sort would inevitably be toothless. Before our government permits tech companies to hand over sensitive and private data to foreign countries, it should ensure that each request is lawful and consistent with basic human-rights protections. It is not enough that a country, as a whole, generally complies with human-rights standards. The Attorney General and Secretary of State might conclude that India, for example, satisfies human-standards in some broad and nebulous sense; yet an investigation conducted while an Indian suspect is held in 鈥減reventive detention鈥 might violate the suspect鈥檚 fair trial rights.
The Administration鈥檚 proposed legislation would largely supplant the existing process for cross-border data requests and, in doing so, jettison the heightened human-rights protections they offer. Currently for example, when the U.K. government is investigating a domestic crime and wants the contents of a suspect鈥檚 Gmail, it generally follows a process laid out in an agreement between the United States and United Kingdom, called a 鈥渕utual legal assistance treaty鈥 (MLAT). Under the MLAT, the U.K. government may submit its request to the U.S. Department of Justice, which鈥攁fter reviewing the request and ensuring it complies with the MLAT鈥檚 requirements鈥攚ould then seek an order from a U.S. court for the content. The United States has similar arrangements with other foreign governments.
There have been complaints that the DOJ office that handles MLAT requests is underfunded and inefficient. Foreign governments have expressed frustration at the time-consuming MLAT process and at having to meet U.S. legal standards when seeking evidence of domestic crimes. This bottleneck has stoked fears that countries will introduce data localization mandates to avoid the cumbersome MLAT process. American tech companies are also under pressure鈥攕ometimes forced to decide whether to abide by U.S. law or to comply with foreign data requests made in conformity with foreign domestic law.
In spite of the problems with their implementation, MLATs have played a critical role in safeguarding privacy rights across the world, particularly for those living under regimes that are less respectful of human-rights laws than ours. In many cases, in order to comply with its MLAT, a foreign government requesting data from a U.S. company must meet higher legal standards than would otherwise apply under its domestic law. MLATs thus help to raise the global bar for privacy. With this in mind, members of Congress have introduced various bills designed to streamline and provide more resources for MLAT processing.
In contrast to these bills, the Administration鈥檚 data-sharing proposal would weaken privacy protections for both Americans and individuals abroad. Fortunately, the executive branch can鈥檛 unilaterally supersede ECPA or Title III. Congress should reject the DOJ鈥檚 proposal, and any other legislation that would downgrade global privacy.