Testimony as prepared for delivery
Good morning, Chairman [Bob] Goodlatte, Ranking Member [John] Conyers and members of the committee. Thank you for the opportunity to testify on behalf of the Department of Justice concerning international conflicts of law, cross border data flow and law enforcement requests.
The department recognizes that issues concerning cross-border law enforcement access to data, while vitally important, can be complex and require balancing several, sometimes competing goals. Most importantly, we must fulfill the responsibility Congress and the American people have entrusted to us by taking lawful steps to protect Americans from threats to their safety and security. But we must also do our best to meet the legitimate public safety needs of other countries that require access to evidence that happens to be stored in the United States, without compromising users’ privacy interests. And we must recognize that U.S. service providers seeking to compete in a global marketplace may, in some instances, face conflicting legal obligations from the nations in which they choose to do business and we should seek to minimize those conflicts where possible. Finding solutions that satisfy all of these goals will be difficult, and we welcome this hearing as part of an important discussion about how to do so.
I will focus on two issues this morning. First, I will discuss the increasingly important role that cross-border access to data plays in the protection of the public, for both the United States and our foreign partners. Second, I will discuss a potential opportunity to build a new framework for cross-border access to data that would facilitate legitimate law enforcement requests for electronic information, help alleviate conflicts of laws faced by service providers and protect privacy and civil liberties.
Two related trends have significantly increased the need for U.S. law enforcement to be able to access electronic data that may be stored overseas. First, the rapid growth of Internet use has meant that law enforcement increasingly relies on electronic data, such as the content of email or text messages, in identifying perpetrators and bringing them to justice.
Second, while much of this type of information is stored in the United States, providers are increasingly storing such information outside the United States as well. United States law generally does not require providers to store data here and U.S. providers increasingly face tax or other business incentives, as well as pressure by foreign governments, to store data outside the United States. In fact, many of the largest American providers now operate data centers abroad and it is unusual for a major provider to store all of its data within a single country. For these reasons, although law enforcement access to data stored abroad is already a key issue for the United States, its importance is likely to grow over time.
Under United States law, when a provider is subject to the jurisdiction of U.S. courts, U.S. law enforcement may use the Stored Communications Act, or SCA, to obtain this data. The SCA’s efficient and privacy-protecting process is critical to successful investigations. When SCA process is unavailable, U.S. law enforcement may attempt to obtain information stored abroad through international cooperation mechanisms, such as Mutual Legal Assistance Treaty (or MLAT) requests, but the MLAT system can be cumbersome and is overburdened, and the United States does not even have MLAT treaties with half of the countries in the world. As a result, criminals may remain free to commit serious crimes against Americans.
The United States is, of course, not alone in confronting these challenges. Many of our foreign partners, including close allies such as the United Kingdom, find themselves in an even more difficult situation, reliant on evidence stored outside their borders—often within the United States—to protect public safety and national security. The difficulty arises, in part, because the SCA not only serves as a mechanism for U.S. law enforcement to require a provider to disclose information—but also precludes providers from disclosing the contents of communications unless certain exceptions are met. And the SCA contains no exception permitting a provider to disclose the contents of communications in response to a foreign production order.
Thus, when a foreign country makes a request under its own law for an American provider to disclose data stored in the United States, the provider may face conflicting legal demands: compulsion to disclose under foreign law and simultaneous preclusion of that disclosure under American law. This is so even if, for example, the order relates solely to a crime committed by the country’s national within its own territory. The result may be to stymie legitimate investigations, motivate foreign countries to require data to be stored within their own borders and expose American companies and their employees to potential enforcement actions abroad.
There is widespread acknowledgement that this status quo is untenable. To address these problems, the administration is currently considering a framework under which U.S. providers could disclose data directly to the United Kingdom in response to a lawful U.K. order. The agreement would not permit the targeting of U.S. persons or persons within the United States, and would not be used for bulk collection. The agreement would also secure reciprocal access for the U.S. to data located in the U.K.
We recognize that any such agreement would require legislation, both to lift conflicts of laws in carefully specified circumstances and also to set forth baseline standards to protect privacy and civil liberties. We look forward to working with Congress as we continue to explore this approach. Should the approach prove successful, we would consider it for other, like-minded governments as well.
We believe the framework I’ve described—rather than legislation that would unilaterally restrict U.S. law enforcement authority—offers a path forward to efficient and privacy-protecting cross-border law enforcement access to data. Thank you, and I look forward to answering your questions.