Governments must avoid conflicts of laws to ensure people’s data is protected and avoid a race to the bottom for everyone’s rights; we are encouraged by discussions between the US and UK. A strengthened legal framework must value privacy and human rights while ensuring law enforcement can do its important work. We look forward to continuing discussions with all stakeholders on such a framework.
Governments have increasingly adopted the position that they can get people’s data regardless of the law in affected countries or international norms and treaties. This new reality is weakening trust in technology among business and consumers, and undermining national privacy laws enacted by democratic governments. At the same time, law enforcement agencies around the world need mechanisms to lawfully obtain data for investigations and to protect their citizens. The Mutual Legal Assistance Treaty (MLAT) process remains an important tool for this and should be modernized, but a complementary modern process is needed to respond to the increased demand for cross-border requests for digital information that allows new innovations to flourish, enables governments to protect their citizens, and provides a coherent legal framework that ensures human rights and individual privacy are protected.
In developing a complementary process that address this issue, the following principles are important:
A strong and principled process. Providers in one jurisdiction should be allowed to respond directly to a request for content from a government where it does business provided there are agreements in place between governments that ensure privacy rights and legal processes are protected. The requests should be limited to cases where the information is sought in connection with an investigation of a serious crime, and the process should not be used for bulk collection, general intelligence gathering, or where the need is not proportionate to the request.
Strong human rights standards. Countries should only get the benefit of this new process when their laws and practices meet international standards on human rights and privacy. These standards include providing basic fair trial rights, prohibiting torture, and ensuring that surveillance laws afford adequate privacy protections to individuals whose data they are seeking. Whether a country’s laws and practices meet those standards must be determined through an objective, transparent, and credible process. And, the request should be authorized by an independent and impartial process on a showing that there is a strong factual basis demonstrating the need for the information, and that the request is narrowly tailored.
Strong transparency and accountability requirements. The framework should promote accountability through transparency. There should be periodic reviews to ensure that countries are using the process and the information they obtain appropriately. Similarly, there should be an independent oversight mechanism to regularly ensure that they meet the basic requirements. This can, of course, be reinforced through public information about the requests submitted to providers under the agreement. Requesting countries should publish annual reports regarding the number, type, and temporal scope of the data requests they issue under this framework. Providers also should be allowed to publish the same information on the requests they receive.
The need for such a framework has been discussed by a range of stakeholders. For example, the proposal by law professors Jennifer Daskal and Andrew Woods contemplates a mechanism to govern cross-border requests. We look forward to working on implementing these principles with stakeholders around the world.