The Department of Justice recently published a white paper, mounting a defense of the CLOUD Act and proposing to answer frequently asked questions (FAQs). However, one point repeatedly made by the DOJ in this paper (and other DOJ statements) in support of the Act is a matter of significant international debate. The DOJ contends that the Council of Europe Cybercrime Convention requires that parties to the Convention adopt legislation mirroring Section 103 of the CLOUD Act. This section of the Act requires providers to produce stored data within their possession, custody, or control regardless of where in the world that information is stored. This provision is also generating the most controversy abroad, and contrary to the DOJ’s assertion, it is far from clear that international law requires the U.S. or any other state to adopt such measures.
Many related policies for cross-border law enforcement access to data are currently in development: (1) U.S. negotiations with the U.K. and the EU for CLOUD Act executive agreements, (2) the drafting of a Second Additional Protocol to the Council of Europe Convention on Cybercrime to address transborder access, and (3) European institutions’ debate over the E-Evidence proposal currently before the European Parliament’s LIBE committee. Because each of these efforts has overlapping policy implications for the negotiating parties, the outcome of any one is likely to influence the others. As a result, teasing out the obligations of the Cybercrime Convention takes on special significance, since agreement on the background principles sets a baseline for future negotiations.
Digging deeper into the text of the Cybercrime Convention, supporting documents of the Convention Committee, and the express views of parties and stakeholders clarifies that the interpretation of the Cybercrime Convention the DOJ is advancing is highly contested. In fact, the interpretation of the Convention was an issue in dispute among the parties in the United States v. Microsoft case. Multiple amicus briefs filed in the case contested the DOJ’s interpretation. Because the case was mooted by the passage of the CLOUD Act and there was no opinion on the merits, the Court never settled the issue.
The DOJ argues that Article 18 of the Cybercrime Convention requires that party nations have legislation enabling the production of content data located abroad. As the DOJ’s recent white paper puts it, the CLOUD Act requirement for providers to produce data to U.S. law enforcement regardless of storage location:
ensured consistency with U.S. obligations under Article 18(1) of the Budapest Cybercrime Convention, aligning the United States with the more than 60 other parties to the Convention…. Article 18(1)(a) of the Budapest Convention requires each party to the convention to adopt national laws under which relevant authorities can compel providers in their territory to disclose electronic data in their possession or control… After the Microsoft case, the CLOUD Act clarified U.S. law in a manner that ensures that the United States complies with its obligations under the Convention.
However, the DOJ’s analysis is strained when the text of 18.1(a) is read in connection with provisions dedicated to transborder access in the Convention—Chapter III, and specifically Article 32. Article 18 “Production order” is a part of Chapter II of the Convention on “Measures to be taken at the national level.” Article 18.1(a) states:
Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to order:… a person in its territory to submit specified computer data in that person’s possession or control, which is stored in a computer system or a computer-data storage medium.
“Computer data” is defined in Article 1(b) as “any representation of facts, information or concepts in a form suitable for processing in a computer system,” and includes communications content. Article 18.1(a) is contrasted with 18.1(b), which both more broadly covers providers “offering its services in the territory of the Party” and more narrowly covers only subscriber data and not traffic or content data.
Similarly, Chapter III on “International Cooperation” establishes detailed principles of mutual assistance in nearly a dozen Articles of the Convention. The first Article of that Chapter, Article 23, requires as a “general principle” cooperation to the “widest extent possible” between parties on cybercrime and the collection of electronic evidence. This cooperation “shall” occur through “the application of relevant international instruments on international co-operation in criminal matters, arrangements agreed on the basis of uniform or reciprocal legislation, and domestic laws,” according to that Article.
Critically, Article 32 of Chapter III lays out narrow exceptions to the mutual assistance regime where a party to the Convention is entitled to access stored computer data across borders. Article 32 states that a party to the Convention may, without the authorization of another party:
(a) access publicly available (open source) stored computer data, regardless of where the data is located geographically; or
(b) access or receive, through a computer system in its territory, stored computer data located in another Party, if the Party obtains the lawful and voluntary consent of the person who has the lawful authority to disclose the data to the Party through that computer system.
Article 32(b) is strictly limited by multiple qualifiers: 1) it applies only to stored computer data, 2) the data must be accessible through a computer on the accessing party’s territory, 3) access is permissible only to data in the territory of another party to the Convention, and 4) access requires the meaningful consent of the user. For instance, though this provision is sometimes used to support a regime of voluntary disclosures to foreign governments by providers, even this use is controversial given the clear questions as to whether the provider can consent to disclose the data of a user.
The generous reading of Article 18.1(b) by the DOJ is difficult to square with the focus on mutual assistance in the Convention and the narrow permissions for transborder access without authorization of another party. The DOJ reply brief in United States v. Microsoft sought to resolve the conflict between Article 32 and its reading of Article 18.1(a). The DOJ contended that Article 18 addresses compelled production from persons while Article 32 addresses direct access by a party to the Convention, presenting no conflict between the two.
But there are also reasons beyond the four corners of the Convention to read Article 32 as providing narrow exceptions to the mutual assistance regime, in conflict with a broad reading of Article 18.1(a) authorizing cross-border access. As noted by an amicus brief of international and extraterritorial law scholars, the Explanatory Report for the Convention suggests the issue of “when a Party is permitted to unilaterally access computer data stored in another Party without seeking mutual assistance” was contentious among the drafters. The drafters decided against “a comprehensive, legally binding regime regulating this area,” and instead made a choice only to establish the two narrow exceptions in Article 32. Guidance Note 3 also calls Article 32(b) “an exception to the principle of territoriality and permits unilateral transborder access without the need for mutual assistance under limited circumstances.” And while “direct access” ordinarily refers to law enforcement access to data without the help of an intermediary, practice under Article 32(b) includes cooperation between law enforcement and providers—voluntary cross-border disclosure of subscriber data by providers. Guidance Note 3 also speaks in terms that appear broader than “direct access”, noting general concerns about “access to data stored in foreign jurisdictions or ‘in the cloud’” with respect to Article 32. Finally, the drafting of a Second Additional Protocol to the Convention to better address transborder access also suggests that the text is at least unclear, if not in conflict with the DOJ interpretation.
The DOJ has also relied on a non-binding Guidance Note 10 of the Convention Committee to support their conclusion that 18.1(a) requires the U.S. empower authorities to compel production of content within providers’ possession or control. However, as its title—“Production orders for subscriber information”—suggests, the Note addresses production orders for subscriber data, not orders for content as under the CLOUD Act. The Cybercrime Convention Committee’s endorsement included in the Note’s text confirms the same, stating: “The T-CY agrees that the above represents the common understanding of the Parties as to the scope and elements of Article 18 Budapest Convention with respect to the production of subscriber information.” The specific language from Guidance Note 10 relied on by the DOJ also pertained to subscriber information; the DOJ’s opening brief in Microsoft quoted from the Note: “The storage of subscriber information in another jurisdiction does not prevent the application of Article 18 Budapest Convention as long as such data is in the possession or control of the service provider” (emphasis added). The international and extraterritorial law scholars made similar points in the Microsoft case. Production orders for traffic data and content raise greater privacy considerations than subscriber data, and logic applied to subscriber data under 18.1(b) cannot be applied by default to orders for content and traffic data permitted under 18.1(a).
It is worth noting that officials in Europe also historically read the Convention in conflict with the DOJ’s interpretation. When a DOJ representative presented the Department’s view of Article 18 at a recent conference in Brussels, a representative of the French data protection authority noted the longstanding dispute in interpretations of the Budapest Convention. In 2013, the Article 29 Working Party, a key European data protection advisory group, issued a letter to the Convention Committee stating that it “is imperative that data transfers have a specific and legitimate legal basis in the law of the requested Party (e.g. judicial authorisation/warrant).” “[T]o provide for access to data stored on computers abroad by applying the law (or the definitions of consent) of the searching party” would be contrary to EU law, the Article 29 Working Party said. Far from suggesting that mechanisms for cross-border content demands might already be in or required by the Convention, recent opinions of the European Data Protection Board on the E-Evidence proposal and of the European Data Protection Supervisor on negotiations toward a Second Additional Protocol to the Budapest Convention turned a critical eye on new cross-border tools.
In short, the DOJ’s argument that the Cybercrime Convention requires the CLOUD Act’s obligation for providers to respond to production orders regardless of data storage location is a matter of significant and ongoing controversy. A particular weakness of that argument is that the DOJ relies on a reading of Article 18(a)(1) for its view that the Convention requires access to content and traffic data, while the official guidance to that provision applies only to subscriber information.
The analysis here does not claim that the Cybercrime Convention prohibits Section 103 of the CLOUD Act. It does show, however, the weakness of DOJ’s view that the Convention supports, let alone requires, that CLOUD Act-like provisions be passed into law. This corrected understanding of the Convention should underlie any ongoing negotiations over new cross-border mechanisms.
Eleni Kyriakides is International Counsel at the Electronic Privacy Information Center (EPIC).
These statements are attributable only to the author, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.