In this excerpt from our new Digital Privacy initiative, Jennifer Daskal from American University Washington College of Law explores the challenges posed by data mobility and considers how best to resolve cross-border data disputes.
You can read the full text of Daskal’s white paper at our special section, A Twenty-First Century Framework for Digital Privacy, at https://constitutioncenter.org/digital-privacy
UK law enforcement agents are summoned to the scene of what appears to be the murder of a well-loved schoolteacher from the outskirts of London. It is not thought to be terrorism-related or high profile in any significant way. But it matters enormously to the community, her family, and the many current and former students who adored her. The victim’s ex-husband, John, is the prime suspect. Law enforcement authorities act quickly and get a warrant for John’s stored emails. They serve the warrant on Google, the provider of his Gmail account, but are told: “Sorry, we are prohibited by U.S. law from turning over the content of communications to foreign governments. You need to make your request directly to the U.S. government.” They do, employing what is known as the Mutual Legal Assistance (MLA) process. It takes an average of ten months to get a response. Were John using Virgin Media, or any other U.K.-based email service provider, the authorities would be able to access the data within days, if not sooner.
Around the same time, U.S. law enforcement officials receive a credible tip that an American and two French men living in Brooklyn, New York, are plotting an attack on the Empire State Building. The two French men have Microsoft Outlook accounts. The FBI obtains a warrant to access those accounts, but soon learns that the emails are stored in a datacenter in Ireland. As a result, the U.S. warrant has no force, and the FBI must make a diplomatic request for the data to the Irish government—also waiting months, if not longer, for a response.
In both of these situations, law enforcement’s ability to access digitalized evidence turns on where the data is held, or presumed to be held. Many other potentially relevant facts—including the location of the target of the investigation, the location of the victim, or the location of the crime—are deemed irrelevant.
It is an approach that reflects a straightforward, and misguided, application of the rules that apply to data’s tangible counterparts. If the investigation of a transnational drug crime generates U.S. law enforcement interest in an alleged drug lord across the Mexican border, U.S. agents cannot unilaterally go and search the drug lord’s Oaxaca home—even if they were to somehow convince a U.S. court to issue a warrant to do so. Rather, they must either enter into a joint investigation with Mexican agents or ask Mexican law enforcement to do the search for them. This makes intuitive sense. Consider a world in which foreign law enforcement officials were given free rein to unilaterally enter into the country and rifle through our homes. Most of us would deem that creepy—and a violation of both U.S. sovereignty and our individual privacy.
But there are several reasons why the simple translation of the traditional rules governing searches and seizures to the world of digital evidence does not make good sense. There are, after all, key—and highly relevant—distinctions between digitalized evidence and its more tangible counterparts. Our failure to adequately account for these differences is having increasingly negative consequences for our security, our privacy, and our economy.
The following highlights the unique features of data, explains why they matter, and suggests a new approach to law enforcement jurisdiction that turns on factors other than the location of the data sought. It reflects the understanding that the location of data often is totally unrelated to the key sovereign interests at stake—interests such as setting privacy protections for and controlling access to their own citizens’ and residents’ data; accessing data critical to the investigation of serious crime; and regulating the corporations that do business in their territory. And it suggests a jurisdictional rule that more closely hews to the relevant interest at stake.
The good news is that a growing number of governments, including the United States, United Kingdom, European Union, and E.U. Parliament, are already recognizing the negative—and ultimately privacy- and security-reducing—effects of the status quo. These governments are seeking new, and cooperative, ways to access data across borders. This should be encouraged.