[Congressional Record Volume 163, Number 89 (Tuesday, May 23, 2017)]
[Senate]
[Pages S3082-S3083]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]



                       International Data Privacy

  Mr. HATCH. Mr. President, I rise today to discuss international data 
privacy. This is a critically important issue that has become all the 
more important over the years as we become more sophisticated. It has 
become all the more pressing in recent months as a result of court 
decisions impacting law enforcement's ability to access electronic 
communications overseas.
  I don't think it would surprise anyone to hear me say that our 
privacy laws have not kept pace with technological developments. The 
primary statute that governs law enforcement's ability to access 
electronic data, the Electronic Communications Privacy Act, or ECPA, 
was enacted over 30 years ago--long before most people had even heard 
of email or the internet. ECPA was drafted in a world in which 
electronic data was stored on personal computers or on servers located 
in offices or homes. It presumes a world where data is in one location 
and where in order to access data, a person simply goes to the relevant 
location and retrieves it. But that is not the world we live in, at 
least not today. Nowadays, much of our data is stored not on home or 
office computers but in the cloud, a network of remote servers spread 
throughout the world that allows us to access data from literally 
anywhere.
  The rise of cloud and remote network computing has transformed the 
way companies and individuals store data. No longer is data stored on 
sites or in one discrete location; rather, data pertaining to a single 
individual or even to a single document may be stored at multiple 
sites, spread across countries or even across continents. This has 
created all sorts of complications for our laws.
  ECPA requires law enforcement to obtain a warrant before it can 
access many types of electronic communications. It also prohibits 
disclosure to foreign entities. Warrants, however, traditionally have 
stopped at the water's edge. A judge here in Washington can issue a 
warrant authorizing law enforcement to search an office here in 
Washington but cannot issue a warrant for searches in London or Paris.
  So what is law enforcement to do in a world of cloud computing where 
pieces of the same electronic document might be stored in Washington, 
London, and Paris?
  One possibility is to say that as long as the data is accessible from 
the United States--that is, so long as you can retrieve it by logging 
on to a computer somewhere in the United States--that is all that 
matters; law enforcement can order its disclosure.
  This sort of maximalist approach, however, brings with it a whole 
host of problems. To begin with, it pays scant attention to the laws 
and interests of other countries, including our closest allies. Other 
countries, it turns out, have data privacy laws of their own, and just 
like ECPA, sometimes these laws prohibit disclosure to foreign 
entities, including foreign law enforcement. So to say U.S. law 
enforcement can compel disclosure of data stored anywhere in the world 
so long as that data is accessible in the United States is really to 
say that U.S. law enforcement can override the laws of other countries.
  More particularly, it is to say U.S. law enforcement can order 
individuals or companies that store data overseas to violate the 
privacy laws of other countries. This is unfair to service providers 
who may find themselves on the wrong side of the law no matter which 
side they choose and does little to help international relations. It 
also undermines trust, drives customers to foreign competitors, and 
undermines the privacy of U.S. citizens by emboldening other countries 
with less robust privacy regimes that similarly seek unlimited 
extraterritorial access to data.
  Another possibility is to say that if the data is stored in the 
United States, then law enforcement may access it, but if it is stored 
outside our borders, it is off limits.
  This is essentially the current state of affairs following a decision 
last summer by the U.S. Court of Appeals for the Second Circuit that 
ECPA warrants do not reach data stored abroad. Under the Second 
Circuit's decision, U.S. law enforcement can use compulsory process to 
access data stored in the United States but must work through 
diplomatic channels to obtain data stored overseas.
  This sort of domestic storage regime has the benefit of avoiding the 
conflict-of-laws problems I have just described, but it also has very 
real drawbacks.
  To begin with, it impedes law enforcement's ability to solve and 
prevent crime in cases where the needed data is stored outside the 
United States, even when the creator of the data is an American, the 
service provider storing the data is an American, and the crime being 
investigated took place here in the United States. The mere 
happenstance that the data is stored beyond our borders, even though it 
may constantly or instantly be accessed from within our borders, places 
it off limits. Service providers' varying business practices in moving 
and holding data determine whether an investigation moves forward.
  This sort of domestic storage regime also forces U.S. law enforcement 
to work through diplomatic channels, which sometimes are slow and 
sometimes very cumbersome and in many instances less protective of 
privacy than U.S. criminal process, which requires a warrant from a 
neutral magistrate and a finding of probable cause.

  The upshot is that neither of these regimes is satisfactory. A 
maximalist regime that extends U.S. law enforcement jurisdiction 
worldwide creates serious conflict-of-law problems and places U.S. 
service providers in impossible positions. A more modest domestic 
storage regime, by contrast, hinders law enforcement's ability to solve 
crime and protect us from harm, based solely on where a particular 
document or piece of data happens to be stored at a given moment in 
time.
  What we need is a sensible regime with clear rules that determine 
access based on factors that actually matter to the person whose data 
is being sought. Privacy laws are meant to protect people, not 
abstractions. We ought not get bogged down with mindless formalism. 
Most people could care less whether their data is stored at site A or 
site B or country A or country B as long as it is easily accessible and 
has robust privacy protections.
  At the same time, we need to take proper account of the laws and 
interests of other countries, especially our allies. We ought to avoid, 
where possible, trampling on other nations' sovereignty or ignoring 
their own citizens' legitimate claims to privacy, whether here in the 
United States or abroad.
  For this reason, I believe the right approach to international data 
privacy is to ground the analysis on the location of the person whose 
data is being sought. It is, after all, the person who has rights and 
the person whose interests are devalued when data is obtained without 
proper process.
  Accordingly, I have proposed legislation called the International 
Communications Privacy Act, or ICPA, that sets clear rules for when and 
how U.S. law enforcement can access electronic data based on the 
location and nationality of the person whose data is being sought. I 
intend to introduce an updated version of this legislation in the very 
near future.
  Here is what the updated version of this legislation will say: If a 
person is a U.S. national or located in the United States, then law 
enforcement may compel disclosure no matter where the data is stored, 
provided the data is accessible from a U.S. computer and law 
enforcement uses proper criminal process. If a person is not a U.S. 
national, however, and is not located in the United States, then 
different rules apply.
  These rules are founded on three principles: respect, comity, and 
reciprocity.
  First, respect. If U.S. law enforcement wishes to access data 
belonging to a non-U.S. national located outside the United States, 
then law enforcement must notify the person's country of citizenship 
and provide that country an opportunity to object to the disclosure. 
This protocol shows respect to the other country and gives the country 
an opportunity to assert the privacy rights of its citizen.
  Second, comity. If, after receiving notice, the other country lodges 
an objection, the U.S. court undertakes a comity analysis to determine 
whose interests should rightfully prevail--the U.S. interests in 
obtaining the data or the foreign interests in preventing disclosure. 
As part of this analysis, the court can consider such factors as the 
location of the crime, the seriousness of the crime, the importance of 
the data to the investigation, and the possibility of accessing the 
data through other means. This analysis prevents an obstinate foreign 
power from impeding investigations without good reason or where the 
U.S. interests in disclosure are particularly strong.
  Third, reciprocity. In order to receive notice and an opportunity to 
object, the other country must provide reciprocal notice-and-objection 
rights to the United States. The country must also provide robust 
privacy protections within its own borders and satisfy international 
human rights standards. These requirements ensure that the U.S. 
provides its own citizens an equal or greater level of protection 
against foreign requests for data. They also offer incentives to 
foreign governments to properly safeguard the data of U.S. citizens 
within their jurisdiction.
  Tomorrow, the Senate Judiciary Committee Subcommittee on Crime and 
Terrorism will hold a hearing on law enforcement access to data stored 
abroad. That hearing, I hope, will elucidate many of the principles I 
just described.
  Soon after the hearing, I will reintroduce the International 
Communications Privacy Act. The bill as reintroduced will incorporate 
feedback from law enforcement and privacy groups. I intend to push very 
hard for this legislation and will seek every opportunity to do so. I 
want my colleagues to know that I will be pursuing any and all 
legislative vehicles to get it across the finish line.
  In the words of Utah businessman Jeff Hadfield, writing in the 
Deseret News, "It's imperative that Congress quickly address the 
ambiguity within our current law. As every company becomes a software 
company, we need legislation that supports our companies' ability to 
store data overseas, protects our individual privacy rights, and helps 
U.S. law enforcement do its important job." I could not agree more.
  The International Communications Privacy Act provides critical 
guidance to law enforcement, while respecting the laws and interests of 
our allies. It brings a set of simple, straightforward rules to a 
chaotic area of law and creates an example for other countries to 
follow. It is a balanced approach and a smart approach, and it deserves 
this body's full support.
  Mr. President, on another matter, I wish to register my strong 
support today for the confirmation of John Sullivan to be Deputy 
Secretary of State.
  The nomination of John Sullivan is another example of President Trump 
choosing the best and brightest for national security positions in his 
administration.
  I have known John Sullivan since he was confirmed as Deputy Secretary 
of Commerce during the George Bush administration. He excelled in this 
position, which bears many similarities to the Deputy Secretary of 
State role to which he has been nominated.
  For example, as Deputy Secretary of Commerce, John was responsible 
for the day-to-day operations and management of a major Federal agency. 
As Deputy Secretary of State, he will assume the same managerial 
duties, but for a different Federal agency.
  In facilitating international trade agreements at the Department of 
Commerce, John Sullivan also honed his negotiating abilities, 
developing a diplomatic skill set that will be critical in his new role 
at the State Department.
  As the chairman of the Finance Committee, I closely followed John's 
tenure at Commerce. I was consistently impressed with his ability to 
promote American interests abroad while maintaining constructive 
relations with our trading partners. I have no doubt that he will 
continue to serve our Nation well as the Deputy Secretary of State.
  In addition to his management expertise, John Sullivan is a 
practicing attorney with the law firm of Mayer Brown LLP. There, too, 
he has developed a reputation for excellence, especially in the area of 
national security law.
  In John Sullivan we have a proven manager, a seasoned diplomat, and a 
sharp policy mind who will bring strong leadership to the State 
Department. In John Sullivan, President Trump and Secretary Tillerson 
have made an inspired choice.
  Secretary Tillerson is doing a tremendous job at the State 
Department. With John Sullivan as his Deputy, even more can be 
accomplished.
  In addition, I would like to thank John Sullivan for his willingness 
to serve. Of course, I would be remiss if I did not also thank his 
family--especially his wife of 29 years, Grace Rodriguez, who has 
provided invaluable support to John throughout his public service. It 
is unlikely John would be here today without their consent and their 
constant support.
  Few have the skills that John Sullivan possesses. Fewer still possess 
the patriotism, professionalism, and integrity he has displayed over a 
distinguished career. He is the best man for the job, which is why I 
urge my colleagues to confirm him without delay.
  I appreciate this opportunity to make these points on the floor.
  I yield the floor.
  The PRESIDING OFFICER. The Senator from New Mexico.