[Congressional Record Volume 163, Number 89 (Tuesday, May 23, 2017)]
[Senate]
[Pages S3082-S3083]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
International Data Privacy
Mr. HATCH. Mr. President, I rise today to discuss international data
privacy. This is a critically important issue that has become all the
more important over the years as we become more sophisticated. It has
become all the more pressing in recent months as a result of court
decisions impacting law enforcement's ability to access electronic
communications overseas.
I don't think it would surprise anyone to hear me say that our
privacy laws have not kept pace with technological developments. The
primary statute that governs law enforcement's ability to access
electronic data, the Electronic Communications Privacy Act, or ECPA,
was enacted over 30 years ago--long before most people had even heard
of email or the internet. ECPA was drafted in a world in which
electronic data was stored on personal computers or on servers located
in offices or homes. It presumes a world where data is in one location
and where in order to access data, a person simply goes to the relevant
location and retrieves it. But that is not the world we live in, at
least not today. Nowadays, much of our data is stored not on home or
office computers but in the cloud, a network of remote servers spread
throughout the world that allows us to access data from literally
anywhere.
The rise of cloud and remote network computing has transformed the
way companies and individuals store data. No longer is data stored on
sites or in one discrete location; rather, data pertaining to a single
individual or even to a single document may be stored at multiple
sites, spread across countries or even across continents. This has
created all sorts of complications for our laws.
ECPA requires law enforcement to obtain a warrant before it can
access many types of electronic communications. It also prohibits
disclosure to foreign entities. Warrants, however, traditionally have
stopped at the water's edge. A judge here in Washington can issue a
warrant authorizing law enforcement to search an office here in
Washington but cannot issue a warrant for searches in London or Paris.
So what is law enforcement to do in a world of cloud computing where
pieces of the same electronic document might be stored in Washington,
London, and Paris?
One possibility is to say that as long as the data is accessible from
the United States--that is, so long as you can retrieve it by logging
on to a computer somewhere in the United States--that is all that
matters; law enforcement can order its disclosure.
This sort of maximalist approach, however, brings with it a whole
host of problems. To begin with, it pays scant attention to the laws
and interests of other countries, including our closest allies. Other
countries, it turns out, have data privacy laws of their own, and just
like ECPA, sometimes these laws prohibit disclosure to foreign
entities, including foreign law enforcement. So to say U.S. law
enforcement can compel disclosure of data stored anywhere in the world
so long as that data is accessible in the United States is really to
say that U.S. law enforcement can override the laws of other countries.
More particularly, it is to say U.S. law enforcement can order
individuals or companies that store data overseas to violate the
privacy laws of other countries. This is unfair to service providers
who may find themselves on the wrong side of the law no matter which
side they choose and does little to help international relations. It
also undermines trust, drives customers to foreign competitors, and
undermines the privacy of U.S. citizens by emboldening other countries
with less robust privacy regimes that similarly seek unlimited
extraterritorial access to data.
Another possibility is to say that if the data is stored in the
United States, then law enforcement may access it, but if it is stored
outside our borders, it is off limits.
This is essentially the current state of affairs following a decision
last summer by the U.S. Court of Appeals for the Second Circuit that
ECPA warrants do not reach data stored abroad. Under the Second
Circuit's decision, U.S. law enforcement can use compulsory process to
access data stored in the United States but must work through
diplomatic channels to obtain data stored overseas.
This sort of domestic storage regime has the benefit of avoiding the
conflict-of-laws problems I have just described, but it also has very
real drawbacks.
To begin with, it impedes law enforcement's ability to solve and
prevent crime in cases where the needed data is stored outside the
United States, even when the creator of the data is an American, the
service provider storing the data is an American, and the crime being
investigated took place here in the United States. The mere
happenstance that the data is stored beyond our borders, even though it
may constantly or instantly be accessed from within our borders, places
it off limits. Service providers' varying business practices in moving
and holding data determine whether an investigation moves forward.
This sort of domestic storage regime also forces U.S. law enforcement
to work through diplomatic channels, which sometimes are slow and
sometimes very cumbersome and in many instances less protective of
privacy than U.S. criminal process, which requires a warrant from a
neutral magistrate and a finding of probable cause.
The upshot is that neither of these regimes is satisfactory. A
maximalist regime that extends U.S. law enforcement jurisdiction
worldwide creates serious conflict-of-law problems and places U.S.
service providers in impossible positions. A more modest domestic
storage regime, by contrast, hinders law enforcement's ability to solve
crime and protect us from harm, based solely on where a particular
document or piece of data happens to be stored at a given moment in
time.
What we need is a sensible regime with clear rules that determine
access based on factors that actually matter to the person whose data
is being sought. Privacy laws are meant to protect people, not
abstractions. We ought not get bogged down with mindless formalism.
Most people could care less whether their data is stored at site A or
site B or country A or country B as long as it is easily accessible and
has robust privacy protections.
At the same time, we need to take proper account of the laws and
interests of other countries, especially our allies. We ought to avoid,
where possible, trampling on other nations' sovereignty or ignoring
their own citizens' legitimate claims to privacy, whether here in the
United States or abroad.
For this reason, I believe the right approach to international data
privacy is to ground the analysis on the location of the person whose
data is being sought. It is, after all, the person who has rights and
the person whose interests are devalued when data is obtained without
proper process.
Accordingly, I have proposed legislation called the International
Communications Privacy Act, or ICPA, that sets clear rules for when and
how U.S. law enforcement can access electronic data based on the
location and nationality of the person whose data is being sought. I
intend to introduce an updated version of this legislation in the very
near future.
Here is what the updated version of this legislation will say: If a
person is a U.S. national or located in the United States, then law
enforcement may compel disclosure no matter where the data is stored,
provided the data is accessible from a U.S. computer and law
enforcement uses proper criminal process. If a person is not a U.S.
national, however, and is not located in the United States, then
different rules apply.
These rules are founded on three principles: respect, comity, and
reciprocity.
First, respect. If U.S. law enforcement wishes to access data
belonging to a non-U.S. national located outside the United States,
then law enforcement must notify the person's country of citizenship
and provide that country an opportunity to object to the disclosure.
This protocol shows respect to the other country and gives the country
an opportunity to assert the privacy rights of its citizen.
Second, comity. If, after receiving notice, the other country lodges
an objection, the U.S. court undertakes a comity analysis to determine
whose interests should rightfully prevail--the U.S. interests in
obtaining the data or the foreign interests in preventing disclosure.
As part of this analysis, the court can consider such factors as the
location of the crime, the seriousness of the crime, the importance of
the data to the investigation, and the possibility of accessing the
data through other means. This analysis prevents an obstinate foreign
power from impeding investigations without good reason or where the
U.S. interests in disclosure are particularly strong.
Third, reciprocity. In order to receive notice and an opportunity to
object, the other country must provide reciprocal notice-and-objection
rights to the United States. The country must also provide robust
privacy protections within its own borders and satisfy international
human rights standards. These requirements ensure that the U.S.
provides its own citizens an equal or greater level of protection
against foreign requests for data. They also offer incentives to
foreign governments to properly safeguard the data of U.S. citizens
within their jurisdiction.
Tomorrow, the Senate Judiciary Committee Subcommittee on Crime and
Terrorism will hold a hearing on law enforcement access to data stored
abroad. That hearing, I hope, will elucidate many of the principles I
just described.
Soon after the hearing, I will reintroduce the International
Communications Privacy Act. The bill as reintroduced will incorporate
feedback from law enforcement and privacy groups. I intend to push very
hard for this legislation and will seek every opportunity to do so. I
want my colleagues to know that I will be pursuing any and all
legislative vehicles to get it across the finish line.
In the words of Utah businessman Jeff Hadfield, writing in the
Deseret News, "It's imperative that Congress quickly address the
ambiguity within our current law. As every company becomes a software
company, we need legislation that supports our companies' ability to
store data overseas, protects our individual privacy rights, and helps
U.S. law enforcement do its important job." I could not agree more.
The International Communications Privacy Act provides critical
guidance to law enforcement, while respecting the laws and interests of
our allies. It brings a set of simple, straightforward rules to a
chaotic area of law and creates an example for other countries to
follow. It is a balanced approach and a smart approach, and it deserves
this body's full support.
Mr. President, on another matter, I wish to register my strong
support today for the confirmation of John Sullivan to be Deputy
Secretary of State.
The nomination of John Sullivan is another example of President Trump
choosing the best and brightest for national security positions in his
administration.
I have known John Sullivan since he was confirmed as Deputy Secretary
of Commerce during the George Bush administration. He excelled in this
position, which bears many similarities to the Deputy Secretary of
State role to which he has been nominated.
For example, as Deputy Secretary of Commerce, John was responsible
for the day-to-day operations and management of a major Federal agency.
As Deputy Secretary of State, he will assume the same managerial
duties, but for a different Federal agency.
In facilitating international trade agreements at the Department of
Commerce, John Sullivan also honed his negotiating abilities,
developing a diplomatic skill set that will be critical in his new role
at the State Department.
As the chairman of the Finance Committee, I closely followed John's
tenure at Commerce. I was consistently impressed with his ability to
promote American interests abroad while maintaining constructive
relations with our trading partners. I have no doubt that he will
continue to serve our Nation well as the Deputy Secretary of State.
In addition to his management expertise, John Sullivan is a
practicing attorney with the law firm of Mayer Brown LLP. There, too,
he has developed a reputation for excellence, especially in the area of
national security law.
In John Sullivan we have a proven manager, a seasoned diplomat, and a
sharp policy mind who will bring strong leadership to the State
Department. In John Sullivan, President Trump and Secretary Tillerson
have made an inspired choice.
Secretary Tillerson is doing a tremendous job at the State
Department. With John Sullivan as his Deputy, even more can be
accomplished.
In addition, I would like to thank John Sullivan for his willingness
to serve. Of course, I would be remiss if I did not also thank his
family--especially his wife of 29 years, Grace Rodriguez, who has
provided invaluable support to John throughout his public service. It
is unlikely John would be here today without their consent and their
constant support.
Few have the skills that John Sullivan possesses. Fewer still possess
the patriotism, professionalism, and integrity he has displayed over a
distinguished career. He is the best man for the job, which is why I
urge my colleagues to confirm him without delay.
I appreciate this opportunity to make these points on the floor.
I yield the floor.
The PRESIDING OFFICER. The Senator from New Mexico.