When can law enforcement access data stored abroad? Only Congress can tell

On Thursday, the House Judiciary Committee will hold a hearing on lawful access to data stored abroad. This is a timely hearing about an issue that will have significant impact on the future of cloud technology and jobs in the United States – and it’s time for Congress to take the lead.

Data drives the U.S. economy – the software that generates and powers that data contributes $1 trillion to the U.S. GDP and supports almost 10 million U.S. jobs (and counting). But data isn’t confined within U.S. borders. As the global digital economy continues to grow, data storage, analytics, security, and other services are often provided here in the U.S. by American workers to customers overseas.

ADVERTISEMENT

Those customers expect to be able to access their content seamlessly anywhere in the world, at any time. Cloud computing makes that possible, but it also means that data is frequently stored in different locations around the world. 

The current U.S. law that governs law enforcement’s access to data was written before the dawn of cloud computing and only focuses on the domestic side of the issue. It’s outdated and needs to be modernized to account for new technology and new circumstances. 

When should U.S. law enforcement be able to access the content of a foreign citizen stored abroad? And when should foreign law enforcement agencies be allowed to access content belonging to U.S. citizens stored in the United States? Whatever is written into U.S. law will likely be replicated by foreign governments. Without clear rules, how can cloud service providers explain to their customers the circumstances under which different law enforcement agencies will get access to their data? How can law enforcement reliably pursue evidence in criminal investigations? Under current law there aren't clear answers to any of these questions. 

Many U.S. companies are already feeling the impact of the lack of guidance on this issue – and multiple ones, including BSA member Microsoft, have gone to court over U.S. law enforcement requests for data located in their servers abroad. The court orders in these cases have been inconsistent. Further, differing U.S. and foreign laws puts U.S. companies in a no-win position of choosing between conflicting legal obligations. This is not sustainable.

Working through this problem using litigation (in other words, on a case-by-case basis) is not a long-term solution. This is an issue in desperate need of legislation. As a judge in the Microsoft case noted, the current statute “became law at a time when there was no reason [for Congress to consider its international implications]. But there is reason now, and it is up to Congress to decide ....”

Congress seems ready to take up this issue. At the end of May, the Senate Judiciary Committee held a similar hearing on accessing data stored across borders. Last year, Reps. Tom Marino (R-Pa.) and Suzan DelBeneSuzan Kay DelBeneDemocrats worry diversity furor could spill into 2020 election House Democrats inch toward majority support for impeachment Wave of Washington state lawmakers call for impeachment proceedings against Trump MORE (D-Wash.) introduced the International Communications Privacy Act (ICPA) to modernize U.S. law to address this problem, and Sens. Orrin HatchOrrin Grant HatchTrump to award racing legend Roger Penske with Presidential Medal of Freedom Trump awards Presidential Medal of Freedom to economist, former Reagan adviser Arthur Laffer Second ex-Senate staffer charged in aiding doxxing of GOP senators MORE (R-Utah) and Chris CoonsChristopher (Chris) Andrew CoonsThe United States broken patent system is getting worse Biden faces scrutiny for his age from other Democrats Democrats press FBI for details on Kavanaugh investigation MORE (D-Del.) introduced a Senate companion bill. This is an excellent starting point for the committee. 

Businesses and customers need clear and predictable rules for their data’s privacy. And law enforcement needs to have the necessary tools to stop criminals and keep us safe. The United States needs laws for accessing data stored overseas that takes all sides into account. We hope the committee’s hearing helps lay groundwork for Congress to act on legislation as soon as possible. 

Craig Albright is the Vice President of Legislative Strategy at BSA | The Software Alliance. 


The views expressed by this author are their own and are not the views of The Hill.