On May 24, 2017, the Senate Judiciary Committee’s Subcommittee on Crime and Terrorism held a hearing on issues related to warrants for data stored abroad by U.S. entities and possible reforms of the Electronic Communications Privacy Act (“ECPA”). The hearing, titled “Law Enforcement Access to Data Stored Across Borders,” involved testimony from federal, state, and United Kingdom law enforcement representatives, as well as those from academia and industry.
The hearing stems in part from a 2016 decision by the U.S. Court of Appeals for the Second Circuit—Microsoft v. United States, 829 F.3d 197—which held that Microsoft was not required to produce email data stored on servers in Ireland in response to an U.S.-issued search warrant. Other courts, including the U.S. District Court for the Northern District of California, have reached the opposite conclusion and have ordered the production of such foreign information.
All of the witnesses (including the Chief Legal Officer of Microsoft) agreed that the ECPA, which was enacted in 1986 and governs the treatment of warrants for electronic data, is outdated, and that the overall legal framework regarding data stored internationally is chaotic and uncertain. Moreover, companies that must produce such information are subject to conflicting laws in differing jurisdictions and may be faced with warrants demanding data whose production violates the privacy laws and regulation of the nations in which the data is stored.
The witnesses also agreed that a complete ban on cross-border data warrants, as in Microsoft, places too high a burden on legitimate law enforcement and national security needs. Alternatives to the cross-border warrant process, such as direct requests to foreign authorities, are much slower and ineffective in time-sensitive investigations.
While the witnesses agreed that a comprehensive solution must involve legislative action, they disagreed on the best course of action. For example, the Department of Justice took the position that Congress should amend the ECPA to overrule Microsoft altogether, while other witnesses cautioned against any solution that failed to take conflicting international laws and regulations into account. The witnesses all seemed to agree that one possible solution was a legislative framework that allowed the U.S. government to negotiate reciprocal treaties with foreign governments that would explicitly codify the treatment of warrants under that nation’s privacy laws. The witnesses pointed to a proposed U.S.-U.K. Bilateral Agreement of Data Access, but congressional action is needed before the U.S. can enter into such an agreement.
