This post suggests concepts that may be useful for multi-lateral efforts, such as the OECD Principles for Government Access to Data Held by the Private Sector. I have written previously about the OECD process, which is one prominent example among other current work on government access rules, such as the 2d Additional Protocol to the Budapest Convention, the Global Privacy Assembly, the Council of Europe, a German Marshall Fund task force, and a proposed United Nations Convention on Cybercrime.
This post highlights the potential implications of the different scope, in countries across the globe, of “government” and “private sector.” To date, despite years of writing about government access to data, I have not seen any real discussion of this point. The simple point is that those discussing the proper procedures may be implicitly assuming different scope for the government and private sector. Those implicit assumptions, in turn, might readily lead to misunderstandings, so that language that would apply well under one set of government/private sector situations would not apply well to others. For the OECD and other discussions, attention to these implicit assumptions may help avoid misunderstandings and may contribute to better consensus on how to draft with awareness of the varying roles of “government” and “private sector.”
This post first provides factual background, spurred by a recent international workshop I attended concerning cross-border access to data for financial crimes, especially terrorist financing. The workshop prompted me to compare practices there to my usual topic, government access to communications and other non-financial records. Studying a different system let some patterns emerge. (I note that this post discusses the European Union and the U.S., where my experience is greater, but the analysis would seem to apply to other countries as well.)
One potentially significant pattern is that important sector-by-sector databases appear to be operated by governments in the EU, but by the private sector in the U.S. Upon reflection, that should not be too surprising, given the U.S. general tendency toward greater reliance on markets. Efforts at reform likely need to focus on appropriate safeguards for the data sought, realizing that such data could be held either by the government or the private sector – depending on the structure in a particular country.
Next, this post links that point to a difference that at least sometimes occurs in American and European views about the role of the private sector in contesting government requests for data. In the U.S., there appears to be a larger history and practice of the private sector contesting the scope of government requests. Reform efforts likely need to address procedures to deal with over-broad or otherwise inappropriate requests, recognizing that in some countries companies are tasked with making these challenges while in other countries such private-sector challenges play a smaller role.
- Factual Background
The recent workshop highlighted differences between the EU and U.S. about the role of government in operating important databases. Investigators for terrorist finance or other financial crimes routinely seek to learn who owns a particular bank account. For at least some of the Member States, national law requires that banks send that information to a government registry. National investigators thus access this government database when their investigation has a name and seeks the account number, or has the bank account number and seeks the name.
The U.S. system is quite different. The U.S. extensively regulates the financial sector, including for anti-money laundering efforts. With that said, the workshop revealed that the financial investigators in the U.S. rely considerably more on databases operated by the private sector. For instance, for a new investigation, the investigator typically uses correct procedures to get the credit history of a named individual. The credit history is often the initial source to learn about an individual’s financial relationships, including all the loans an individual has had with different banks and retailers, and much more. In addition, as part of beginning a financial crimes investigation, the investigator would typically do a full work-up, using other private-sector sources.
Here is another example that I believe illustrates the greater reliance on private-sector databases for U.S. investigations. U.S. law enforcement routinely has a subscription to Lexis/Nexis and other services to assist in searching for “public records,” the records that a national, state, or local government collects. Based on my experience, there is a more extensive set of public records in the U.S. than in most EU countries, for databases that are actually available to the public. That is, historical practice, open records law, and the First Amendment have all contributed to many kinds of records being open to the public. Due to the traditionally decentralized nature of such records, however, investigators in one government agency often turn to a private-sector database such as Lexis/Nexis, instead of making direct requests to the government agency that originated the records.
- Differences Between Government and Private Databases
To the extent such differences are widespread, as I suspect based on my experience, the differences between the U.S. and EU for databases are a variation on a familiar theme – the U.S. is often more laissez-faire and market-based, while Member States often have government play a larger role. To the extent this pattern is accurate, it would be unsurprising that financial regulators in the EU create a government list of bank accounts, while the U.S. relies on market actors to link accounts with their owners.
Although both the EU and U.S. are market economies to a significant extent, Member States have a stronger tradition of state involvement in private enterprise. For example, auto manufacturers, telephone companies, and airlines in the EU have often had a significant degree of government ownership. That has not been the tradition in the U.S. Similarly, EU governments historically have played a greater role in providing health care, another sector with enormous amounts of sensitive data.
When EU investigators seek records held by such government-owned enterprises, the request goes to a government owned or controlled entity. I welcome observations from EU experts about the extent to which that changes the investigator’s task. It seems possible in practice that government owned or controlled enterprises would have a different attitude than the private sector in how they respond to government investigatory requests. The government entity making the request and the government entity receiving the request are “on the same team,” at least to a certain extent.
- Relevance of These Differences for Role of Private Sector
With this background in mind, we can now address something that has puzzled me greatly in my continued work on issues of government access. For U.S. lawyers, the practice and expectation is that the private company plays a significant role in scrutinizing a government request for data, and then deciding whether and what to provide. By contrast, there have been public statements by European experts that they object to private companies playing such a role. For instance, Xavier Tracol of Eurojust objected to the EU Commission’s E-evidence proposal, saying that the proposal “grants quasi-judicial powers to service providers,” and thus “has the effect of depriving public authorities of member states of their sovereign prerogatives.” On this view, it should not be the role of service providers to assess, for instance, whether a government request “manifestly violates the Charter of Fundamental Rights of the European Union or that it is manifestly abusive”. In E-evidence debates and more generally, I have previously encountered similar skepticism in the EU about the role of private companies in scrutinizing government requests.
I suggest two, related answers to this puzzling difference in viewpoint. First, consider the name/bank account example. Suppose that a request is burdensome, overbroad, beyond the scope of legal authorization, or otherwise questionable. In Europe, the investigating agency (law enforcement) makes a request for information held in the government database. It is a government office that responds, and decides if there is a problem with the request.
By contrast, the same inquiry in the U.S. goes to credit bureaus, payment services, and other financial institutions. If the request is too broad, the company has a financial incentive to push back, so that it does not have to search in numerous ways for thousands or millions of records. A company also has other business reasons to seek to narrow a request: to protect its reputation as a trusted holder of data. Since the 2013 Snowden revelations, and in the wake of data regulators’ concerns about U.S. government access to data, U.S. platforms have wanted to emphasize to non-U.S. customers and regulators that they strictly scrutinize government requests. Consistent with guidance from the European Data Protection Board (paragraph 118), U.S. companies have publicly announced that they will challenge all government requests for data where there is a lawful basis for doing so. U.S. companies have litigated extensively to protect customer records, such as Apple opposing FBI access to the iPhone after the 2015 San Bernardino attacks, and Microsoft litigating all the way to the U.S. Supreme Court concerning emails stored in Ireland.
The first suggested answer to the puzzle is thus that over-broad requests are more often government-to-government in Europe, but government-to-private-sector in the U.S. The second suggested answer concerns the way that key U.S. statutes are drafted. Under the Electronic Communications Privacy Act, service providers are subject to civil and criminal penalties if they provide records to the government, unless the request satisfies the required legal process. The Gramm-Leach-Bliley Act in general prohibits disclosure of financial records to the government except “to the extent specifically permitted or required under other provisions of law.” Under these statutes, the companies have a legal obligation to scrutinize government requests for sensitive information such as communications or financial records. In Europe, such private-sector scrutiny can be seen as depriving member states “of their sovereign prerogatives.” In the U.S., by contrast, communications service providers and financial institutions have been required, by statute, to cast a skeptical eye on law enforcement requests for data.
- Conclusions About Multi-Lateral Discussions on Government Access to Data
Now we can return to the original task, of avoiding misunderstanding in multi-lateral discussions about government access to data held in the private sector. I offer two points to keep in mind as these efforts move forward.
First, people from different countries quite possibly have different implicit assumptions about what data is held “in the private sector.” Europeans may not think of an investigation to learn the owner of a bank account as a request to the private sector, because in their systems it goes to a government registry; Americans would, because it goes to credit bureaus and banks. When a draft principle is proposed, negotiators for each country would naturally consider how the principle would apply to their own system. Where the systems differ, phrasing that works for a narrower set of government requests (Europe) may not be suitable for the U.S. system, where a broader range of crucial data is held in the private sector. Put another way, the meaning of “government” and of “private sector” shifts depending on whether key databases are public or private. Thus, those participating in the OECD or other processes might benefit from explicitly surfacing their assumptions about the scope of “government” and “private sector.”
Second, principles about government access should keep in mind the apparent variation in role of the private sector in contesting government requests. U.S. companies have legal and business reasons to be somewhat ornery about government requests. That is less the tradition in Europe, although EDPB guidance (paragraph 118) calls for scrutiny of third-country requests and European data controllers are governed by the usual rules in GDPR.
Speaking more broadly, the topic of government access has become far more pressing due to the “globalization of criminal evidence.” In the old days, most law enforcement investigations sought evidence in the home country. Today, that has changed. Financial, communications, retail, and other records are now routinely stored in a different country, often by a company with headquarters outside of the investigating jurisdiction. In proposing the E-Evidence Regulation, the Commission found that electronic evidence “is needed in around 85% of criminal investigations, and in two-thirds of these investigations there is a need to request evidence from online service providers based in another jurisdiction.”
In conclusion, the globalization of criminal evidence has made it far more urgent to develop projects such as the OECD process on Government Access to Data Held in the Private Sector. As governments, civil society, academics, industry and others consider these principles, this post highlights the importance of considering what is “government” in each country, what is “private sector,” and how those variations should impact the statement of principles or the legal instrument.
Going in the other direction, if the investigator has an account number and the name of the financial institution, it is straightforward to get the name: investigators use the correct procedure to get the information from the financial institution, and the financial institution is required by Know Your Customer laws to have authenticated the ownership of the account.
The differences in access to data appear to be even more pronounced in China, with its mix of official Communism and private enterprise. Although estimates vary as to their share of the economy, state-owned enterprises in China play a major role. Even for private enterprises, the Chinese government has exerted great pressure on prominent companies such as Alibaba and Tencent. The laws allowing government access to data in China have continued to favor the government greatly, even as China has passed the PIPL to govern privacy in commercial enterprises.
These statements are attributable only to the author, and their publication here does not necessarily reflect the views of the Cross-Border Data Forum or any participating individuals or organizations.