Foreign Government Response Is Wild Card With ECPA Update Bill
Legislation alone won’t solve international data flow and privacy issues, said stakeholders in interviews and at events Friday. A bill introduced Thursday would require U.S. authorities to get a warrant before obtaining data stored abroad on non-U.S. citizens. Microsoft -- and many technology companies -- have been seeking such a law. Privacy and civil liberties advocates heralded the bill as a significant step in their campaign to update the Electronic Communications Privacy Act (ECPA).
But those same privacy advocates were not totally enthusiastic. The bill legalizes long-term warrants for U.S. citizens’ overseas-stored data and could lead to government-imposed balkanization of data storage, said Greg Nojeim, director of the Center for Democracy & Technology’s Freedom, Security and Technology Project. “We are concerned about how the provision authorizing long-arm warrants for the accounts of U.S. persons would be administered, and whether we could reasonably expect reciprocity from other nations on such an approach,” he said in a statement.
Sens. Chris Coons, D-Del., Orrin Hatch, R-Utah, and Dean Heller, R-Nev., introduced the Law Enforcement Access to Data Stored Abroad (Leads) Act Thursday (http://1.usa.gov/1r7YOrs). Like similar House and Senate bills before it (HR-1852 and S-607), the proposal would require law enforcement officials to seek a warrant before accessing stored email and other electronic content. Unlike those much-discussed proposals, the Leads Act contains an international component, addressing an issue Microsoft has been pursuing through the courts and with the bully pulpit (CD June 25 p15). Other major communications companies, such as AT&T (http://bit.ly/1BUFzXb) and Verizon (http://vz.to/1qhOJEs), also voiced support Thursday. The bill will “strengthen the protection of Constitutional due process rights and limit the extraterritorial reach of search warrants,” said Microsoft General Counsel Brad Smith in a blog post (http://bit.ly/Zsqnmq). “It also creates an important model that will help advance the international conversation that is so critically needed.”
International conversation is critical, but the Leads Act could stifle or limit that conversation, said Nojeim and international industry and policy experts. “Law is going to be crucial, but you have to be very careful to keep the dialogue going and keep flexible the types of instruments we use,” said Joseph Nye, Harvard University professor and member of the Global Commission on Internet Governance, speaking at New America Foundation’s Open Technology Institute event Friday. “Sometimes regulation is needed and that’s how social contracts are expressed,” said Carolina Rossini, vice president-international policy at Public Knowledge. But she said legislation “will never catch up” with digital technology.
Privacy companies’ decisions have more impact on data privacy than any law, said Ansgar Baums, director-government relations for Hewlett Packard in Germany. “We're in desperate need of policy innovation,” he said. “Rather than add another law,” Baums said, governments could consider ways to encourage companies to design products with privacy in mind. Apple recently said its iOS 8 would prohibit it from complying with government data requests -- domestic or foreign. The FTC has for years promulgated its “privacy by design” concept, which promotes limited retention of data, but doesn’t address government warrant standards to obtain data (http://1.usa.gov/1cPhLc0). Lawmakers and ECPA update advocates have blamed the SEC for stymieing efforts to pass a warrant-for-email ECPA update.
The Leads Act also would rely on the mutual legal assistance treaty (MLAT) or informal intergovernmental cooperation, Nojeim said in a follow-up post. “It is widely admitted that the MLAT process for trans-border access does not work very well now,” he said. “Basically, it is under-resourced and too slow.” While the bill provides some “sensible improvements” for MLAT -- for instance, an online intake form through which foreign governments could request mutual legal assistance -- there’s no guarantee of foreign government compliance, he said.
“Trust for me is one of the main issues,” said Neelie Kroes, European Commission commissioner for the digital agenda, at a Progressive Policy Institute and Lisbon Council event Friday. Kroes opposes local data storage, but said she has been frustrated by lawmakers dragging their feet on bills to bring transparency to how the U.S. government can access data. “I'm against protectionism, but we have to protect the consumers, the citizens,” she said.
“There is also a risk that the Leads Act will increase the pressure for data localization mandates,” Nojeim said. “The bill includes language that puts the Senate on record as opposing data localization, but it may not be enough.”