A consensus is emerging among technology companies, civil society, judges, law enforcement officials and other stakeholders on the need to modernize our country’s antiquated digital data laws. The Electronic Communications Privacy Act (ECPA) – enacted nearly 31 years ago – was written at a time when American industry’s technology, customer base and infrastructure were largely domestic. Congress never contemplated the need to establish rules for law enforcement to access data belonging to non-U.S. persons located abroad, or where technology companies are subject to conflicting legal obligations in another country.
As a result, technology companies, law enforcement and, ultimately, the courts are forced to choose between competing interpretations of an outdated statute. In the end, only Congress has the flexibility to chart a new path – one that ensures law enforcement can access critical evidence in a timely manner, protects individual privacy, respects the laws of other countries, fosters technological innovation, preserves the competitiveness of the American technology industry and sets an example that the rest of the world can emulate.
Today’s hearing in the U.S. House Judiciary Committee, which follows similar hearings held by the U.S. House Judiciary Committee last year and the U.S. Senate Judiciary Crime Subcommittee, provides an important opportunity to put Congress on a path toward doing just that. I commend Chairman Bob Goodlatte, Ranking Member John Conyers Jr., and the members of this committee for their continued leadership on this critical issue.
There are two important issues Congress needs to address.
First, how can U.S. law enforcement access information that belongs to non-U.S. persons located overseas? This question is central to a lawsuit we filed in December 2013. In that case, the U.S. Court of Appeals for the Second Circuit ruled that the Electronic Communications Privacy Act (ECPA) does not authorize U.S. law enforcement unilaterally to obtain a warrant for certain communications content stored overseas by Microsoft. Since the beginning, we have taken the position that the courts were not going to be the last – or even the most appropriate – branch to answer this question. Instead, Congress needs to act.
The second issue concerns allied governments who face their own security threats and need a modern, timely mechanism to obtain digital evidence located in the United States. We have long advocated for the development of an international framework that provides reciprocal rights and protections to governments investigating serious criminal activity, recognizing that any modern legal framework must work in both directions.
Over the course of the past 12 months, we have been encouraged by the Department of Justice’s (DOJ) broadening work on these issues, including with other governments, starting with the United Kingdom. This has resulted in an important new agreement between our two countries that establishes a clear and accepted international framework when requesting data from American technology companies. In recent testimony, the DOJ articulated several principles that should guide congressional action on rules governing U.S. law enforcement’s cross-border access to digital evidence. The key to a successful formula, however, is that the U.S. be willing to adhere to the same standards and processes that are imposed on other allied governments.
As Congress explores options for modernizing the ability of U.S. law enforcement to access digital evidence across borders, there are a number of important considerations.
First, global technology companies can face conflicting legal obligations in other jurisdictions, in some cases resulting in significant fines or even imprisonment. These conflicts put technology companies in the impossible position of deciding whose law they will break.
Second, as these issues are debated in capitals around the world, it is important to remember that whatever Congress does will serve as a model for other countries to follow. In other words, the U.S. must be comfortable with other countries applying the same rules to Americans’ most sensitive digital information.
Finally, customer confidence in American technology overseas is dependent, in part, on their confidence that their data is protected by their country’s laws. Failing to respect other countries’ laws will weaken customer confidence and in turn undermine the industry’s global competitiveness by driving foreign customers to foreign products.
While important details remain to be worked out, we believe a solution is at hand that can serve the interests of law enforcement, the technology industry and, equally important, our customers.
Last year, the International Communications Privacy Act (ICPA) was introduced by Reps. Tom Marino and Suzan DelBene and Sens. Orrin Hatch, Chris Coons and Dean Heller to create a more durable legal framework, building on a previous proposal from the same sponsors. We understand the sponsors, including Rep. Hakeem Jeffries, are seeking to reintroduce the bill after incorporating input from a range of stakeholders, including the DOJ.
We need a modern framework, like ICPA, that allows international law enforcement agencies to do their jobs while respecting borders and the timeless values cherished by people around the world. We look forward to continuing to work with the ICPA sponsors in Congress and other members, companies, stakeholders and the DOJ in moving toward a solution.