Putting Principles into Action

Governments should codify sensible limitations on their ability to compel service providers to disclose user data. These limitations should balance their need for the data in limited circumstances, users’ reasonable privacy interests, and the impact on trust in the Internet. In addition, governments should limit surveillance to specific, known users for lawful purposes, and should not undertake bulk collection of data or communications.

Governments seeking to collect or compel the production of information should do so under a clear legal framework in which executive powers are subject to strong checks and balances. Reviewing courts should be independent and include an adversarial process, and governments should allow important rulings of law to be made public in a timely manner so that the courts are accountable to an informed citizenry.

Transparency is essential to an informed evaluation of governments’ surveillance powers and the scope of programs that are administered under those powers. Governments should allow companies to publish the number and nature of government demands for user information. In addition, governments should also promptly disclose this data publicly.

The ability of data to flow or be accessed across borders is essential to a robust 21st century global economy. Governments should permit the transfer of data and should not inhibit access by companies or individuals to lawfully available information that is stored outside of the country. Governments should not require service providers to locate infrastructure within a country’s borders or operate locally.

In order to avoid conflicting laws, there should be a robust, principled, and transparent framework to govern lawful requests for data across jurisdictions, such as bilateral agreements and improved mutual legal assistance treaty (MLAT) processes. Where the laws of one jurisdiction conflict with the laws of another, it is incumbent upon governments to work together to resolve the conflict.

Strong encryption of devices and services protects the sensitive data of our users – including individuals, corporations, and governments. Strong encryption also promotes free expression and the free flow of information around the world. Requiring technology companies to engineer vulnerabilities into their products and services would undermine the security and privacy of our users, as well as the world’s information technology infrastructure. Governments should avoid any action that would require companies to create any security vulnerabilities in their products and services.