Passage of the Cloud Act in the U.S., coupled with the newly adopted E-evidence Regulation in the EU, offers real hope for a not-too-distant future where the rules for cross-border data demands by governments are more rational, proportionate, predictable, and transparent. Unfortunately, the path forward towards this vision has been complicated by myths painting these developments as a massive expansion of governmental authorities. The reality is that neither the Cloud Act nor the E-evidence Regulation represents a grant of sweeping new powers establishing new authorities to reach data stored abroad. These laws actually have the effect of putting legal authorities that governments long claimed—and courts have long upheld—inside of a framework that can be observed, audited, and adjusted over time. Significant effort will be required by and between national governments to reconcile differences in their laws with an eye towards ensuring that fundamental human rights and civil liberties are protected while law enforcement gains accelerated processes to obtain data necessary to fight crime in an increasingly digital world. Ultimately, however, having this level of visibility into how cross-border data demands are made and processed will prove a boon for both data protection and security.
Some claim that the Cloud Act makes U.S. law more sweeping in its reach. It does not, for three reasons.
- First, except for the period while Microsoft’s case was pending, U.S. courts have for decades held that the government may demand data in the custody or control of any person or entity subject to its jurisdiction — regardless of where those records are stored. Along with Microsoft and many other leading technology companies, Cisco asked the U.S. Supreme Court to limit the government’s ability to demand contents of communications from third parties when stored abroad. While we still believe that would have been a favorable outcome, passage of the new law simply clarified that the authority challenged by Microsoft remained in place.
- Second, there is nothing specific in either the language of the Cloud Act or the leading decisions preceding its passage treating U.S. companies differently than companies headquartered abroad. U.S. courts have long held that any organization validly served with compulsory process by the government has to retrieve data within its custody or control. This is true for any company doing business in the U.S. — foreign or domestic. The governing law before the “Ireland Warrant” case actually stems from litigation between the U.S. government and the Bank of Nova Scotia in the 1980s. As the bank’s name suggests, the case did not involve a U.S. company at all. The government demanded bank records from a Canadian bank that were stored in Caribbean nations based on compulsory process served at an American branch—albeit using subpoenas and not warrants. The logic of that case would similarly enable the U.S. government to demand records of data stored abroad in the hands of any entity—provided only that the corporation served is subject to personal jurisdiction in U.S. courts due to its business contacts in the country. That is to say, any company doing business in the U.S. is subject to the same laws when it comes to the rules regulating government access to customer data.
- Third, the language in the Cloud Act and the case law that preceded it do not make the U.S. in any way unique. It is increasingly common for governments around the world to assert that they can reach across borders to demand data from companies doing business with their citizens in order to enforce criminal laws. For example, in 2015, Brazilian authorities detained a Microsoft employee over a demand that the company turn over Skype data of a Brazilian customer. However, complying with that demand would have caused Microsoft to violate U.S. law. And in the EU, the draft E-evidence Regulation will allow judicial authorities to ask for electronic evidence directly from a provider offering services in the EU, regardless of the location of data.
This debate highlights the possibility that companies may find themselves in the untenable position of being required under one country’s laws to produce data — and prohibited from doing so by the laws of another. In the U.S., the Department of Justice long ago adopted a policy requiring that federal prosecutors coordinate with headquarters before issuing so-called “Bank of Nova Scotia” demands. However, Cisco firmly believes that governments around the world should go further and spell out the specific criteria upon which a cross-border demand will be premised, how such determinations are made, who has the authority to authorize them, and how often such approvals occur.
This brings us to the second major point — we hope that these new laws and regulations will lend clarity, predictability, and rationality to requirements for cross-border data demands between like-minded governments. To the extent authorities around the world spell out the circumstances under which they will directly compel providers to produce data stored beyond their borders, it is essential that they also address the potential conflicts of law with third countries. This should include adopting meaningful safeguards for fundamental rights of individuals, which will benefit from more transparency around cross-border demands for data.
We also believe that transparency is a two-way street. Cisco publishes a transparency report where we provide aggregate data about the nature and types of law enforcement demands we receive seeking customer data. Given recent changes in the law adopted in the U.S., and pending in the EU, Cisco will update our transparency reporting accordingly. We commit on a going-forward basis to track and report cross-border demands for data in our transparency report found at trust.cisco.com.
There is a role for each of us — governments, technology providers, and customers — in balancing the needs of enterprise data security with the need to support law enforcement efforts aimed at fighting crime. At Cisco, we are doing our part by evolving the scope of our transparency reporting. Governments need to step up by rationalizing their systems for cross-border data demands. Customers should look for providers that deliver transparency around their processes and also demand more clarity and coordination from governments about their policies for cross-border data demands.
Eric Wenger is a Director for Government Affairs and leads Cisco’s cybersecurity public policy work globally. For more information, visit trust.cisco.com.
These statements are attributable only to the author, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.