Governments around the world have started to modernize the processes by which law enforcement accesses digital evidence across borders. In the United States, passage of the CLOUD Act created the foundation for a new generation of international agreements that allows governments to engage with each other to create lasting rules to protect privacy and facilitate legitimate law enforcement access to evidence. In Europe last week, the European Commission presented its proposed e-Evidence legislation to the European Parliament. Many other governments are similarly seeking to update their laws to protect privacy, promote digital security and address the challenge of an increasingly borderless world.
As a global company entrusted by millions of users, we believe it is important for Microsoft to make clear how governments should address these issues. For that reason, we are sharing six principles that have driven, and will continue to drive, our advocacy as governments reform their laws and negotiate international agreements.
While governments engage with their citizens and with each other to address the challenges we face in our digital age, it is more important than ever for policymakers to confront critical questions about how to protect privacy and give law enforcement the tools they need to keep us safe. When and how should law enforcement be able to access digital evidence? What minimum legal requirements should apply to government demands? What rights and protections should be afforded to those whose data is disclosed? What should the public know about the number and nature of these investigatory demands?
The following principles will guide our advocacy as governments shape international legal frameworks that address these critical questions. These principles also build on our ongoing efforts to protect our customers’ data and enhance their privacy.
- The universal right to notice – Absent narrow circumstances, users have a right to know when the government accesses their data, and cloud providers must have a right to tell them.
- Prior independent judicial authorization and required minimum showing – Law enforcement demands for content and other sensitive user data must be reviewed and approved by an independent judicial authority prior to enforcement of the order, and only after a meaningful minimum legal and factual showing.
- Specific and complete legal process and clear grounds to challenge – Cloud providers must receive detailed legal process from law enforcement to allow for thorough review of the demand for user data, and must also have clear mechanisms to challenge unlawful and inappropriate demands for user data.
- Mechanisms to resolve and raise conflicts with third-country laws – International agreements must avoid conflicts of law with third countries and include mechanisms to resolve conflicts in case they do arise.
- Modernizing rules for seeking enterprise data – Enterprises have a right to control their data and should receive law enforcement requests directly.
- Transparency – The public has a right to know how and when governments seek access to digital evidence, and about the protections that apply to their data.
We explain these principles in more detail here.
We firmly believe that our customers have a right to be protected by their own laws. We also believe that the principles we are articulating represent universal rights and baseline minimum requirements that should govern law enforcement access to data in our modern era. Application of these principles may differ from country to country, but the underlying tenets of checks and balances, accountability and transparency should remain true.
The progress we’re seeing around updating the laws governing how data is stored, used and shared online is long overdue. We’re committed to continuing to work with governments around the world, civil society groups and our customers to advocate for new laws that effectively address the challenges raised by our digital age.