DOJ’s Data-Sharing Proposal Threatens Privacy of Americans and Citizens Around the World

On Friday, the Department of Justice introduced legislation that would make it easier for foreign governments to acquire electronic data stored by U.S. companies. This legislation represents a serious threat to privacy, and Congress should reject it.

Under the proposed legislation, the U.S. government would be able to enter into agreements with foreign countries that would allow those countries to obtain stored data and real-time communications directly from U.S. companies without satisfying a probable cause standard and without the authorization of an independent judge, tribunal, or other impartial body. Such agreements would make it easier for foreign governments to obtain the communications of U.S. persons without a warrant. In order to facilitate such agreements, the legislation weakens several U.S. privacy laws—in particular, the Electronic Communications Privacy Act (ECPA) and the Wiretap Act—which prohibit U.S. companies from disclosing their users’ communications directly to foreign governments. The U.S. government is already negotiating one such agreement with the United Kingdom, which is expected to serve as a template for similar agreements with other countries.

The DOJ’s legislative proposal, and the bilateral agreements that the Administration envisions, would roll back existing privacy protections for both Americans and individuals abroad. The proposal has at least four fatal flaws:

1. The legislation would not adequately protect the rights of U.S. persons. The proposed legislation would allow foreign governments to access the communications between U.S. persons and the targets of foreign investigations, without a U.S. judicial warrant supported by probable cause and without meeting the standards in the Wiretap Act. Moreover, nothing in the agreement would prevent the foreign governments from voluntarily passing this information back to the U.S. government to be used in criminal proceedings in the United States. The deal thus weakens the protections currently in place for U.S. persons and creates a substantial end-run around them.
2. The legislation would permit foreign governments to request that U.S. companies assist in real-time surveillance for the first time and without necessary protections. Currently, ECPA does not permit any government—including ours—to request that providers to disclose communications in real time. Instead, when the U.S. government wants to conduct real-time surveillance, it must comply with the federal wiretap statute, known as Title III, which imposes higher standards than ECPA. For example, Title III requires the government to demonstrate probable cause to believe that its target has committed a serious crime and that normal investigative procedures have failed. Title III also requires the U.S. government to eventually notify targets of their surveillance and to minimize the interception of irrelevant communications. But the proposed legislation would allow foreign governments to compel a U.S. provider to assist in real-time surveillance for the first time and to do so without satisfying the heightened requirements of Title III or anything like them.
3. The legislation does not satisfy human rights law. Human rights law permits governments to conduct surveillance only if it is authorized by an independent and impartial tribunal, necessary and proportionate, and minimally intrusive on privacy rights. Under existing data-sharing arrangements, a “neutral and detached” U.S. magistrate serves as the impartial decisionmaker. While the proposed legislation requires a foreign government to conduct independent oversight over its data requests, an after-the-fact “review” is no substitute for prior authorization by an independent body. Importantly, the legislative proposal is silent about who may authorize such a search, which suggests that an entity like Britain’s Home Secretary—a law enforcement official who is neither independent nor impartial—could approve such searches (as is the current practice in Britain). Moreover, the proposed legislation ignores other key human-rights protections, including the requirements that individuals receive notice of the intrusion and access to meaningful remedies when violations occur.
4. The legislation does not require individualized review of requests for data. Under the Administration’s proposal, the executive branch would certify periodically that a foreign country’s laws permit electronic searches only on a showing of “reasonable justification,” “particularity,” “legality,” and “severity,” and that the requesting country’s laws and practices meet certain baseline standards related to the rule of law and human rights. But a country-wide assessment of that sort would inevitably be toothless. Before our government permits tech companies to hand over sensitive and private data to foreign countries, it should ensure that each request is lawful and consistent with basic human-rights protections. It is not enough that a country, as a whole, generally complies with human-rights standards. The Attorney General and Secretary of State might conclude that India, for example, satisfies human-standards in some broad and nebulous sense; yet an investigation conducted while an Indian suspect is held in “preventive detention” might violate the suspect’s fair trial rights.

The Administration’s proposed legislation would largely supplant the existing process for cross-border data requests and, in doing so, jettison the heightened human-rights protections they offer. Currently for example, when the U.K. government is investigating a domestic crime and wants the contents of a suspect’s Gmail, it generally follows a process laid out in an agreement between the United States and United Kingdom, called a “mutual legal assistance treaty” (MLAT). Under the MLAT, the U.K. government may submit its request to the U.S. Department of Justice, which—after reviewing the request and ensuring it complies with the MLAT’s requirements—would then seek an order from a U.S. court for the content. The United States has similar arrangements with other foreign governments.

There have been complaints that the DOJ office that handles MLAT requests is underfunded and inefficient. Foreign governments have expressed frustration at the time-consuming MLAT process and at having to meet U.S. legal standards when seeking evidence of domestic crimes. This bottleneck has stoked fears that countries will introduce data localization mandates to avoid the cumbersome MLAT process. American tech companies are also under pressure—sometimes forced to decide whether to abide by U.S. law or to comply with foreign data requests made in conformity with foreign domestic law.

In spite of the problems with their implementation, MLATs have played a critical role in safeguarding privacy rights across the world, particularly for those living under regimes that are less respectful of human-rights laws than ours. In many cases, in order to comply with its MLAT, a foreign government requesting data from a U.S. company must meet higher legal standards than would otherwise apply under its domestic law. MLATs thus help to raise the global bar for privacy. With this in mind, members of Congress have introduced various bills designed to streamline and provide more resources for MLAT processing.

In contrast to these bills, the Administration’s data-sharing proposal would weaken privacy protections for both Americans and individuals abroad. Fortunately, the executive branch can’t unilaterally supersede ECPA or Title III. Congress should reject the DOJ’s proposal, and any other legislation that would downgrade global privacy.