May 15, 2017

House Judiciary Committee: Data Stored Abroad – Ensuring Lawful Access and Privacy Protection in the Digital Age

 

Key Topics & Takeaways

  • Data Localization: The Department of Justice’s Richard Downing explained that Congressional action is needed to enable law enforcement officials to access data stored overseas. He maintained that a legislative solution would help multinational technology companies avoid conflicts of law, and reduce the incentive for foreign governments to impose data localization requirements. Similarly, the UK’s Paddy McGuinness warned about the “pernicious effect” of data localization policies, cautioning that they “limit[s] the value” of commerce in the digital age.
  • Data Privacy: McGuinness explained that the UK has “equivalent high standards” to those of the U.S. regarding protection of data and a “high bar” for enabling law enforcement to gain access to data only out of necessity.

 

Witnesses

  • Richard Downing, Acting Deputy Assistant Attorney General, Department of Justice
  • Paddy McGuinness, Deputy National Security Adviser, UK
  • Richard Salgado, Director, Law Enforcement and Information Security, Google
  • Richard Littlehale, Special Agent in Charge, Technical Services Unit, Tennessee Bureau of Investigation
  • Chris Calabrese, Vice President, Policy, Center for Democracy & Technology
  • Andrew Woods, Assistant Professor of Law, University of Kentucky College of Law

 

Panel I: Opening Remarks

Bob Goodlatte (R-Va.), Chairman, House Judiciary Committee

In his opening statement, Goodlatte noted the growing tension between U.S. law and foreign law on data storage and transmission practices, acquisition methods, and privacy protections. He noted that some countries are resorting to data localization policies and prohibitions on data transferred across borders, and lamented that technology companies often have to comply with “either” U.S. or foreign law, which he said is an “untenable situation.” Goodlatte highlighted compliance challenges facing companies that are served warrants for data requests when data is held in servers located outside of the U.S. He indicated his intent to find a legislative solution to address the way that data is “stored and acquired” overseas and other “conflicts of law” issues. He noted that these issues may be addressed through a multilateral treaty, bilateral agreements, or a legislative solution; and he noted that the Committee will explore “all of these” options. Still, Goodlatte clarified that any amendment to current practice should not violate U.S. citizens’ privacy.

 

John Conyers (D-Mich.), Ranking Member, House Judiciary Committee

Conyers argued that the current law governing digital issues is outdated and in “urgent need of an overhaul.” He noted various challenges to the overseas application of the Electronic Communications Privacy Act (ECPA), and stated that policymakers should “achieve a better balance” between privacy and security issues. Conyers added that bilateral agreements are “full of promise” if implemented correctly to counter data localization policies and incent foreign governments to “set better standards for data protection.”

 

Richard Downing, Acting Deputy Assistant Attorney General, Department of Justice

In his testimony, Downing emphasized the importance of access to data held overseas for criminal investigations and national security. He criticized the Second Circuit Court of Appeals decision in a case involving Microsoft on the basis that it “undermin[es] public safety in the U.S.” and was “wrongly” decided. Downing explained that the court decision will prevent companies from complying with a warrant even in cases when the crime, the victim and the suspect are all located in the U.S.

 

Accordingly, Downing urged “swift action by Congress,” such as a clarifying amendment to require companies to disclose data to law enforcement officials regardless of where the provider chose to store such data. Downing also recommended that restrictions be lifted on sharing data where bilateral agreements exist, such as with the UK, which he claimed would respect the rule of law and ensure “robust” privacy safeguards.

 

Paddy McGuinness, Deputy National Security Adviser, UK

McGuinness suggested that Congress amend U.S. law to allow access to evidence held across borders. He noted that drug traffickers, money launderers, terrorists, and other criminals do not “respect national borders.” McGuinness also highlighted the shared “extraordinary legal heritage” that protects freedom of speech, rule of law, privacy rights, and civil liberties in both the UK and U.S., and asked Congress to make a “technical adjustment” to U.S. law to lift restrictions on companies in “tightly defined circumstances.” McGuinness cautioned that the “present conflict of laws is unsustainable” and urged Congressional action to set the international standard for transparency and legality in cross-border data transmission and acquisition.

 

Question and Answer

Data Localization

Downing explained that Congressional action would have several benefits, including helping allies solve their domestic security problems and companies avoid conflicts of law. He added that robust protections would reduce the incentive for governments to impose data localization requirements and incent them to raise their own standards protecting data, privacy and civil liberties. Downing noted that a bilateral executive agreement is a more “effective and efficient” way to achieve desired goals (as opposed to a treaty).

 

McGuinness warned about the “pernicious effect” of data localization policies. He explained that the UK opposes data localization, because it “slow[s] down functioning of the Internet” and “limit[s] the value” of commerce in the digital age. He encouraged support for the UK-U.S. framework, stating that it would help counter the proliferation of data localization policies by providing an alternative through cooperation to ensure access to data without forcing data localization.

 

Data Privacy

McGuinness explained that the UK-U.S. agreement specifically excludes American citizens and anybody physically located in the U.S. He added that the UK has “equivalent high standards” to those of the U.S. regarding protection of data and a “high bar” for enabling law enforcement to gain access to data out of necessity.

 

Second Circuit Decision

Downing urged a “clean” reversal of the Second Circuit decision in the Microsoft case. While he noted that litigation is ongoing, he explained that the Justice Department is seeking “every means” available to resolve this issue.

 

Rule of Law

Rep. Darrell Issa (R-Calif.) explained that he is “deeply concerned” about an agreement with countries that do not have a comparable standard for the protection of rule of law.

 

General Data Protection Regulation

Downing assured the Committee that concerns raised about the impact of the European Union’s General Data Protection Regulation (GDPR) are “inaccurate and overstated.”

 

Industry Input

McGuinness underscored the importance of technology companies as “vital partners” in establishing the UK-U.S. agreement. He explained that companies have asked for this solution to avoid conflicts of laws.

 

Panel II: Opening Remarks

Richard Salgado, Director, Law Enforcement and Information Security, Google

In his testimony, Salgado called on Congress to modernize ECPA to facilitate law enforcement requests for data stored abroad. He noted that warrants issued under ECPA cannot compel companies to release data stored overseas to law enforcement officials, which induces governments to seek alternative means to obtain necessary data (including data localization and security reviews).

 

Richard Littlehale, Special Agent in Charge, Technical Services Unit, Tennessee Bureau of Investigation

Littlehale’s statement referenced the Second Circuit decision as a “growing problem for the local law enforcement community.” He explained that it creates a “blind spot” for law enforcement authorities, and urged Congress to modernize the law to “avoid unnecessary barriers to investigations.”

 

Chris Calabrese, Vice President, Policy, Center for Democracy & Technology

Calabrese maintained that a combination of the International Communications Privacy Act (ICPA), the Email Privacy Act, and a bilateral agreement that protects privacy is the best path forward for addressing the problems with ECPA.

 

Professor Andrew Woods, Assistant Professor of Law, University of Kentucky College of Law

Woods cited ECPA as the “single leading cause” of conflicts of law for multinational technology companies. He urged Congress to: 1) lift blocking features; 2) reverse the Second Circuit decision; and 3) allow U.S. firms to “voluntarily comply” with foreign law enforcement requests.

 

Question and Answer

Data Localization & National Security

Woods explained that it is “considerably harder” for U.S. law enforcement officials to get access to data stored overseas when it is subject to a forced localization requirement abroad.

 
