Munich, Germany - Deputy Assistant Attorney General Richard W. Downing Delivers Remarks at the 5th German-American Data Protection Day on “What the U.S. Cloud Act Does and Does Not Do”:
Thank you for the gracious introduction. It is wonderful to be here in Munich on German-American Data Protection Day with such a distinguished audience.
At the U.S. Department of Justice, I serve as the Deputy Assistant Attorney General in the Criminal Division overseeing cybercrime and child exploitation issues. In this role, I have seen up close how far-flung criminals can, with a few keystrokes, inflict devastating harm across the globe, and how criminal investigations today increasingly entail cross-border evidence and witnesses. Working efficiently and collaboratively with foreign law enforcement partners has proven to be an absolute necessity. Dismantling major criminal networks cannot be accomplished by one country; it depends increasingly on intensive joint operations by our police and our prosecutors.
Europe and the United States, perhaps more than the rest of the world, together face unprecedented challenges to combat crime in the 21st Century. These are challenges that are compounded by dramatic advances in technology and the exponential rise of electronic evidence. And such challenges are compounded still further by the unprecedented proliferation of platforms and the globalization of companies, which are increasingly storing their data in other countries. From text messages between plotters of a terrorist attack, to cell phone location records of a murderer, to chat sessions capturing the sexual exploitation of a child – virtually every serious threat we investigate today requires access to electronic evidence.
Consider a case where a gruesome homicide takes place here in Munich. German police begin an investigation. They identify a German suspect. They gather physical evidence. They interview witnesses. They search his house. They seize his cell phone. They get his computer. Maybe they obtain an order to wiretap his landline.
But if they want to get the social media communications between that same German suspect and his German victim, the investigation suddenly hits a wall. If those communications happen to be held by a U.S.-based communications service provider – as is frequently the case – the German authorities may have no choice but to go through the formal Mutual Legal Assistance Treaty (MLA) process to request that electronic evidence through the U.S. government. It may be months, if not longer, before they set eyes on those communications tying the suspect to the crime. And in the meantime, the ever-present risk is that the suspect flees, or worse still, claims another victim.
It was precisely these kinds of situations that prompted the U.S. Congress to pass the Clarifying Lawful Overseas Use of Data Act – the CLOUD Act. The CLOUD Act is an important step in our efforts to minimize the challenges we all face in obtaining access to electronic evidence stored outside our borders.
Let me say this: I understand that the CLOUD Act is viewed by some with suspicion. It has, unfortunately, been the subject of some misinformation. My goal today is to dispel some of the misunderstandings and to explain more precisely, what the CLOUD Act does and does not do.
With a full and unvarnished picture of what the CLOUD Act achieves, I hope you will agree that the Act is not simply a solution to an urgent law enforcement problem, but also a solution that is privacy-enhancing and carefully designed to safeguard the very civil liberties that all of us in this room hold dear. The imperatives of law enforcement and data protection are not inherently at odds; there is no zero-sum tradeoff between public safety and privacy. The two can both be advanced – and in fact are advanced – by the CLOUD Act.
The CLOUD Act as a Respite from Conflicts
It is important at the outset to contrast the CLOUD Act model with the status quo. We all can agree that our collective safety and security depends on our ability to maintain lawful and efficient cross-border access to electronic evidence.
There is also widespread understanding that countries need the domestic authority to compel providers within their jurisdiction to produce electronic evidence within the providers’ possession, custody, or control, regardless of where the providers might choose to store that data. Absent this authority, law enforcement investigations could be thwarted merely by domestic companies renting server space abroad or using cloud-based services that store data outside the country. Other countries freely admit that they reach out well beyond their borders to seek access to data in the cloud, even when they could obtain the same information through the MLA process. Indeed, the United States and virtually all our close partners routinely exercise domestic authorities to obtain cross-border access to electronic evidence from providers subject to their jurisdiction.
At the same time, even as so many countries reach out beyond their borders for evidence vital to their criminal investigations, they also, perhaps instinctively, are wary when other countries reach in to their jurisdictions. And so the natural impulse is for national governments to try to protect the privacy of their citizens – to pass “blocking statutes.” There is a very real temptation to impose restrictions on other countries’ access to data controlled within one’s own borders. The United States is no different; our laws can impose potential restrictions on disclosure of data by U.S.-based providers that can frustrate our international partners’ ability to access vital evidence controlled by those providers.
The outcome of this legal landscape is that we live in a world of conflicting cross-currents – the simultaneous need to reach out for data stored abroad and concern about limiting the ability of others to reach in. And these contradictory pressures create a global landscape rife with potential conflicts of law. The global technology companies that hold electronic evidence are frequently subject to more than one country’s laws. All too often, one country may order them to disclose data needed for an investigation, while another country’s laws may “block” disclosure of that same data. It is a constant push and pull.
All these legal conflicts create recurring challenges to governments’ ability to acquire electronic evidence. And these challenges have a direct impact on public safety.
The CLOUD Act offers privacy-protective nations that respect the rule of law a path out of this predicament. The U.S. Congress enacted the CLOUD Act as a way that we can reduce conflicts of law. Rather than a race to raise barriers, we can agree with trusted partners to lower our respective barriers that might otherwise stand in the way of providers complying with lawful orders from the other country. Both countries can agree to eliminate the conflicts of law so that both countries can more efficiently obtain the information needed to protect their citizens.
And we can do this in a way that assures the protection of privacy and civil liberties of our citizens.
This is a solution through subtraction, not addition – one that eliminates existing obstacles to compliance, rather than creating new obligations.
The CLOUD Act’s Authorization of Bilateral Agreements
What exactly does the CLOUD Act do?
First, it authorized the United States to enter into bilateral agreements to facilitate the ability of law enforcement partners overseas to get electronic evidence. American providers generally do not disclose certain electronic data directly to foreign law enforcement authorities for fear of running afoul of U.S. restrictions on disclosure. However, under a CLOUD Act agreement, the United States and its partner country would each agree to lower their respective restrictions. Each country would then be free to serve covered orders directly on providers in the other country, without having to go through the other government or the MLA process, or having to notify the other country’s authorities in advance and to give them an opportunity to object. The only law governing the disclosure would be the law of the country issuing the order.
CLOUD Act agreements will provide both more access – and more direct access – to the providers holding electronic evidence that is paramount in today’s investigations. But they would not impose any new affirmative obligation either on other countries’ providers to comply with U.S. orders, or on U.S. providers to comply with other countries’ orders. They simply remove, on both ends, the conflicts of law.
This is a win-win: For our law enforcement partners overseas, the availability of an additional channel to the MLA process will pay dividends in fast-moving criminal investigations. Indeed, our overseas partners stand to gain the most from CLOUD Act agreements. Today the vast majority of major service providers are already in the jurisdiction of the United States, and the United States receives far more requests for electronic data from other countries than it sends. The U.S. government has thus heard repeatedly from our overseas partners that the rise in demand for electronic evidence has overburdened the existing MLA process, and that the production of evidence held by U.S. providers must be sped up.
And for the United States, currently hard-pressed to keep up with the tremendous volume of incoming requests, this alternative mechanism for foreign countries to get data – in this case directly from providers – would ease pressures on the MLA process. It would also mean that we can process the MLA requests that we receive more expeditiously.
There are some who ask why we don’t just recalibrate the MLA channel, rather than construct an alternative channel. To be sure, virtually every country’s MLA process could stand to be better resourced. But fixes to that long-apparent issue have been elusive for many countries, and even if accomplished, will not solve the problem. The rapid growth in electronic evidence held by providers located overseas is projected to continue to increase even more in the future. The accelerating flow of requests will outpace the ability of any government to better staff and resource its MLA infrastructure. And since data often moves from one jurisdiction to another for legitimate business purposes, such requests are increasingly impractical. At bottom, there should be broad recognition that an alternative channel is needed – freeing us up to have a more productive debate about what safeguards this alternative channel should contain.
I want to underscore, moreover, that this alternative channel is not available to countries that do not value privacy or human rights as we do.
To be sure, the CLOUD Act does not seek to export U.S. legal standards to other countries. In my country, each and every search warrant is tethered to a demanding probable-cause determination; reviewed by an independent judge; and subjected to stringent requirements as to scope and established constitutional limits as to jurisdiction. The requirements to intercept real-time content are even stricter. Because U.S. law has some of the highest evidentiary thresholds for investigators to obtain evidence, I suspect that there are few, if any, countries that today would qualify if the CLOUD Act had required other countries to adhere to the exact same standards.
But even as the CLOUD Act does not require other countries to replicate U.S. standards, bilateral agreements are still conditioned on the foreign party adhering to certain baseline commitments to privacy and civil liberties. In this sense, the CLOUD Act is privacy- and liberty-enhancing. For countries to even be eligible for CLOUD Act agreements, they must have a high level of checks and balances in place.
The Act requires that agreement partners have adequate substantive and procedural laws on cybercrime and electronic evidence on the books. It requires that they ensure that their orders target specific accounts, are adequately justified, and subject to meaningful independent review. It requires that they confine the use of covered orders to the prevention, detection, and investigation of serious crimes. It requires that such orders cannot infringe on free speech, or be used to conduct bulk surveillance. It requires appropriate procedures for handling, retaining, and disseminating data collected by covered orders. And it makes clear that these baseline commitments cannot be bargained away, so they may in some instances need to be accomplished through updates to domestic law.
By strictly reserving the benefits of bilateral agreements for rights-respecting countries, the CLOUD Act ensures that efficiencies will not be pursued at the expense of privacy and civil liberties. This underscores that the CLOUD Act is not merely a practical solution to a pressing challenge, but also an aspirational kind of solution. That is, it is a solution that fosters a community of like-minded, rights-respecting countries that can advance their mutual interests based on shared values. It is a solution that can simultaneously advance the imperatives of public safety and privacy protection in many countries. And it is a cooperative solution -- enacted by the United States, but driven by concerns raised by our foreign partners about the status quo -- that promises international benefits.
The United States hopes to work diligently with the European Union to reach a framework agreement that provides a cooperative path forward. I know that, at the same time, a debate is taking place within the EU regarding the proposed E-Evidence legislation and the safeguards that should accompany it. I expect that you will also have questions about the safeguards provided for in the CLOUD Act.
My priority is to establish a dialogue with all of you – the European Data Protection Board, the national data protection authorities, and other interested national authorities. We expect – given the strong privacy protections in our data protection agreements, and the high standards we require to obtain data in criminal cases – to address your concerns. But more fundamentally, we want to hear those concerns from you, answer your questions, dispel misconceptions, and ensure that you have accurate information from which to draw your conclusions. I stand ready and eager to engage, as do other U.S. government officials, including the Department of Justice’s representative to the EU, Kenneth Harris.
As part of that dialogue, we too would like to hear more from you about your laws. From our perspective, it seems that data protection laws are increasingly put forth as reasons for blocking the provision of essential information to third-party government law enforcement and regulatory agencies charged with assuring public safety and well-being. It sometimes seems that the General Data Protection Regulation – GDPR – is being interpreted so restrictively that the information exchange required to protect the public will be substantially weakened.
It simply cannot be the case that public safety and privacy protection are mutually exclusive, with one accomplished only through substantial weakening of the other. Our hope is that a productive dialogue will allow us to explore ways in which we might work together to promote both of these critical functions.
Again, CLOUD Act agreements – which will enable timely access to data under appropriate circumstances, subject to rigorous legal protections – demonstrate that there are cooperative solutions available that serve both public safety and privacy protection.
The CLOUD Act’s Clarification of Provider Obligations
Aside from its authorization of bilateral agreements, the CLOUD Act also amended an existing U.S. law – the Stored Communications Act – to make explicit the long-held legal principle that a company operating within a country’s territory can be compelled to produce stored data within its possession, custody, or control, regardless of where it stores that data.
Some critics have charged that this clarification of the obligations of providers is somehow novel or a new incursion on data that would otherwise lie beyond the government’s reach. That is not the case.
The amendment to the Stored Communications Act simply codified what had been the longstanding practice in the United States until a single 2016 decision by a court of appeals in a case involving Microsoft – the so-called “Microsoft Ireland Decision”. Just as it is well-settled that a company in our territory must produce physical records in its possession, custody, or control, it is well-settled that a provider in our jurisdiction must produce electronic evidence in its possession, custody, or control, regardless of where the provider chooses to store the evidence.
Providers today move customer data between data centers in different countries. They at times even break up a single account and store it in different countries for efficiency or to reduce latency. And because current MLA arrangements can take months to complete, requests are often sent to one country, only to find that the data has moved on in the meantime. Such problems are compounded further still by the fact that providers often lack personnel in the country where the data is stored who have the ability to comply with legal process.
Those were exactly the problems flowing from the Microsoft Ireland Decision. Providers stopped disclosing data stored outside the United States, and evidence needed to prevent cyberattacks, protect children from child exploitation, and investigate organized crime and corruption suddenly became inaccessible. The United States was even unable to fulfill certain MLA requests from other countries, as we had no legal process that could effectuate them. The data was effectively beyond the reach of any law enforcement agency.
There arose a pressing need to clarify again that a provider subject to U.S. jurisdiction should produce data, wherever stored, within its possession, custody, or control – a principle that, for decades, had been elemental in the United States.
And elemental not just to the United States: That principle has been elemental to most of our overseas partners as well. According to one recent study, the United Kingdom, France, Belgium, Spain, Ireland, Canada, and Australia have each asserted that same domestic authority over providers in their jurisdictions.
Indeed, that authority is a requirement of the nearly two-decades-old Budapest Convention on Cybercrime. The Budapest Convention is, as many of you know, an international treaty to which there are currently more than 60 parties from around the world, including 26 European Union member states. And Article 18(1)(a) of the Convention requires each of those parties to adopt national laws under which authorities can compel providers in their territory to disclose electronic data in their control, leaving no exception for data that the provider may choose to store elsewhere. The amendment to the Stored Communications Act provided just this – for without it, the United States had fallen out of compliance with its treaty obligations.
It is, therefore, alarming to hear countries that maintain exactly the same kind of domestic authority malign this amendment as a data grab by the United States – and use that misconception as grounds to distrust U.S. companies, often to the benefit of their own companies. That is antithetical to the bridge-building letter and spirit of the CLOUD Act. And it’s unacceptable coming from countries that simultaneously continue to demand U.S. assistance in helping them obtain access to electronic evidence for their public safety needs.
We are all rowing in the same boat when it comes to these challenges. And we will sooner get where we need to go by talking to one another – not past each other.
Let me be perfectly clear: Nothing in the CLOUD Act’s clarification of U.S. law expands U.S. jurisdiction over foreign companies or any other entity. Nothing in the Act expands the categories of providers subject to U.S. jurisdiction. Nothing in the Act alters who falls under the jurisdiction of U.S. courts; it merely confirms the obligations of the providers that already do.
And nothing in the Act creates any new legal authorities under U.S. law: It does not give law enforcement any new legal process to acquire data, nor does it reduce in any way the burden on a U.S. investigator seeking a warrant and the approval of an independent judge.
* * *
We must not lose sight of the bottom line: Cross-border transfers of electronic evidence are necessary and appropriate, and they are a critical component of investigating crime in the 21st century. The CLOUD Act represents a new way forward.
The U.S. Congress could not and would not have passed the Act without the pivotal voices of our overseas partners, who so ably articulated the urgency for an alternative solution just like this. And at its core, the CLOUD Act promotes both privacy and the rule of law.
I hope we can remain united in a sense of urgency as we work toward CLOUD Act agreements that advance our mutual interests. The United States stands ready to engage with all of you to help bring the vision of the CLOUD Act to fruition – a vision that will combat serious crimes more efficiently while advancing the privacy values and civil liberties that we hold dear.