[Congressional Record Volume 163, Number 130 (Tuesday, August 1, 2017)]
[Senate]
[Pages S4640-S4641]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]



                International Communications Privacy Act

  Mr. HATCH. Mr. President, I represent a generation of lawmakers 
brought up on the principles of bipartisanship and compromise, and I 
believe these very virtues are the key to my success as a legislator. 
By putting these principles in practice as chairman of the Finance 
Committee, I was able to pass more than 40 bills into law during the 
last Congress, and by working with my friends across the aisle over 
many decades of public service, I have been able to pass more 
legislation than anyone alive today.
  I draw from these personal experiences to illustrate a simple point: 
In an era of endless gridlock and increasing polarization, there is no 
alternative to civility and healthy debate. We would do well to 
remember this in light of the frustrations we have all felt over the 
past several months.
  The Senate is capable of so much more than it is today. I know 
because I have seen the Senate at its best, and I have seen the Senate 
when regular order was the norm, when legislation was debated in 
committee, and when Members worked constructively with one another for 
the good of the country. I have seen the Senate when it truly lived up 
to its reputation as the world's greatest deliberative body.
  I believe we can again see this body at its best, but restoring the 
Senate to its proper function requires real change on all sides. It 
begins by recognizing that all of us here, Democrats and Republicans 
alike, are to some extent culpable for the current dysfunction. If we 
want to break free of the current gridlock and if we want to show the 
American people we are serious about legislating, then we have to be 
honest with ourselves, and we have to recognize that laying all the 
blame on the other side is as counterproductive as it is disingenuous.
  Most importantly, we must be willing to work in good faith with 
Members of the opposite party. All too often, we miss the opportunity 
to effect meaningful change by hiding behind partisan differences. We 
must take the opposite course by renewing our efforts to reach across 
the aisle to overcome division and forge consensus. There is no better 
template for effective, bipartisan legislating.
  This is the model I have followed for decades for the betterment of 
Utah and the Nation, and it is the model I have followed most recently 
in working with my dear friend Senator Coons to introduce the 
International Communications Privacy Act, or what we affectionately 
refer to as ICPA.
  ICPA is more than just a commonsense proposal that updates law 
enforcement for the modern age; it is a symbol of what our two parties 
can accomplish when we lay aside petty differences and come together 
for the good of our Nation. In crafting this proposal, Senator Coons 
and I took great pains to strengthen international data privacy 
protections while also enhancing law enforcement's ability to access 
data across borders.
  This issue has long been a priority of mine. I have spoken about it 
at length both here on the Senate floor and in other venues and have 
introduced legislation on the subject over multiple Congresses. Most 
recently, I came to the Senate floor to explain how the rise of cloud 
and remote network computing has transformed the way we store data and 
to describe the implications of that transformation for our data 
privacy laws.
  Until relatively recently, most electronic data was housed in 
personal computers or on servers located in offices or homes. This 
meant that in order to access data, a person could simply go to the 
relevant location and retrieve it. That is no longer the case. 
Nowadays, much of our data is stored not on home or office computers 
but in the cloud--a network of remote servers spread throughout the 
world that allows us to access data from literally anywhere. Data 
pertaining to a single individual or even to a single document may be 
stored at multiple sites spread across countries or even continents.
  This has profound implications for data privacy. To begin with, our 
privacy laws require government officials to obtain a warrant before 
they can access many types of electronic communications. Warrants, 
however, traditionally have stopped at the warrant's edge. This means 
that if a law enforcement agent is investigating a crime here in the 
United States but a key piece of information is stored on a remote 
server outside the United States, the agent may have significant 
difficulty obtaining the information. Without a warrant or the ability 
to get a warrant, the agent may have to use diplomatic channels to 
obtain the information--a process that can be extremely slow and 
cumbersome.

  Our privacy laws also prohibit disclosure to foreign entities. This 
means that when a foreign government is investigating a crime within 
its borders and a key piece of information is stored in the United 
States, the foreign government must likewise work through diplomatic 
channels to obtain the information.
  The growing prevalence of cloud and remote network computing has put 
law enforcement into increasing conflict with these sorts of 
restrictions. Crime knows no borders. A child pornographer in Bangalore 
may post photos of an American victim on a British server which can be 
accessed worldwide. A U.S. official investigating the crime may need 
information stored on the British server in order to track down the 
culprit. If the server was in the United States, the official could 
simply issue a warrant. But that tool isn't available in this scenario 
because the server is overseas.
  Moreover, the United Kingdom may have a statute, similar to our own 
law, that prohibits British service providers from disclosing 
communications to foreign entities. Diplomatic channels exist for 
sharing such data, but these channels are exceptionally slow and can 
take months or even years to process requests. In the meantime, crimes 
go unpunished and perpetrators disappear.
  This state of affairs is simply not tenable. We cannot allow outdated 
laws to hamstring law enforcement efforts in this way. At the same 
time, we must adequately protect Americans' privacy against unwarranted 
government intrusion.
  Some have suggested that the answer is to simply extend the reach of 
U.S. warrants worldwide. This, however, is not a viable solution as 
foreign disclosure laws can and do conflict with U.S. laws. Extending 
the reach of U.S. warrants without reasonable limits would thus place 
service providers in the impossible position of having to choose which 
country's laws to violate--ours or the foreign jurisdiction's.
  What we need is a sensible regime with clear rules that determine 
access based on factors that matter to the person whose data is being 
sought. At the same time, we need to take proper account of the laws 
and interests of other countries, especially our allies.
  We ought to avoid, wherever possible, trampling on other nations' 
sovereignty or ignoring their own citizens' legitimate claims to 
privacy. Accordingly, ICPA sets clear rules for when and how U.S. law 
enforcement can access electronic data based on the location and 
nationality of the person whose data is being sought.
  Here is what the bill says:
  If a person is a U.S. national or is located in the United States, 
law enforcement may compel disclosure, regardless of where the data is 
stored, provided the data is accessible from a U.S. computer and law 
enforcement uses proper criminal process.
  If a person is not a U.S. national, however, and is not located in 
the United States, then different rules apply. These rules are founded 
on three principles: respect, comity, and reciprocity.
  First, respect. If U.S. law enforcement wishes to access data 
belonging to a non-U.S. national located outside the United States, 
then U.S. law enforcement must first notify the person's country of 
citizenship and provide that country an opportunity to object. This 
shows respect to the other country and gives it an opportunity to 
assert the privacy rights of its citizen.
  Second, comity. If, after receiving notice, the other country lodges 
an objection, a U.S. court undertakes a comity analysis to determine 
whose interests should rightly prevail--the U.S. interests in obtaining 
the data or the foreign interests in safeguarding the privacy of its 
citizen. As a part of this analysis, the court considers such factors 
as the location of the crime, the seriousness of the crime, the 
importance of the data to the investigation, and the possibility of 
accessing the data through other means.
  Third, reciprocity. In order to receive notice and an opportunity to 
object, the other country must provide reciprocal rights to the United 
States. This ensures that the U.S. provides its own citizens an equal 
or greater level of protection against foreign requests for data. It 
also offers incentives to foreign governments to properly safeguard the 
data of U.S. citizens within their borders.
  Up to this point, I have been focusing on requests by U.S. law 
enforcement for data stored outside the United States, but there is 
another side to the problem, and that is what happens when foreign law 
enforcement requests data stored inside the United States.
  As I have mentioned, our privacy laws prohibit disclosure to foreign 
entities. Suppose a British subject committed a crime in Britain but 
data relevant to the investigation is stored in the United States. Even 
if British law provides for extraterritorial process, a UK official 
investigating the crime will be unable to obtain the data because U.S. 
law prevents disclosure to foreign officials. As with U.S. requests for 
data in other countries, diplomatic channels exist for sharing such 
data, but these channels are slow and extremely cumbersome.

  Accordingly, for the past several months, I have been working with 
Senator Graham and others to find a solution for this second part of 
the problem. Senator Graham, together with Senator Whitehouse, convened 
a hearing in May of this year that I believe highlighted the need for 
action. I have also met with Ambassadors and other high-ranking foreign 
officials who have impressed upon me the challenges they are facing 
under existing U.S. law.
  I think we need to address this second side of the problem--foreign 
requests for data in the United States--as well. We need to address it 
in conjunction with the first side--U.S. requests for data in other 
countries.
  It will not do to give foreign authorities readier access to data 
stored in the United States without likewise clarifying U.S. law 
enforcement's ability to obtain data stored abroad. Similarly, it is 
inconceivable to me that we would open our doors to foreign law 
enforcement requests while telling U.S. law enforcement that data in 
other countries is off-limits. Surely, we should not prefer foreign 
criminal investigations over domestic ones.
  I believe these two issues--ICPA and the bilateral United States-
United Kingdom agreement--are inextricably linked. I have worked in 
good faith with Senator Graham and with Senator Whitehouse to find a 
path forward on these issues. It is my firm belief that we need to move 
these two issues together. Everyone has a vested interest in privacy, 
and everyone has a vested interest in bringing criminals to justice. We 
are going to work together on this.
  In closing, I would emphasize one additional point. The question of 
whether, when, and under what circumstances the United States should 
authorize law enforcement access to data stored abroad is a question 
for Congress. There have been suggestions in some corridors that this 
is a question for the courts to decide. I emphatically reject that 
question. This is a policy question for Congress.
  We should not defer to the courts' interpretation of a statute that 
was passed 30 years ago with no thought or comprehension of the 
situation we face today. Subject to constitutional constraints, it is 
Congress's job to set the bounds of government's investigatory powers. 
We decide what government officials can and cannot do. We should not 
pass the buck to the judiciary merely because this is a complicated 
issue. We shouldn't do that.
  The International Communications Privacy Act provides critical 
guidance to law enforcement while respecting the laws and interests of 
our allies. It brings a set of simple, straightforward rules to a 
chaotic area of the law and creates an example for other countries to 
follow. It is a balanced approach and a smart approach, and it deserves 
this body's full-throated support.
  I suggest the absence of a quorum.
  The PRESIDING OFFICER. The clerk will call the roll.
  The bill clerk proceeded to call the roll.
  Mr. THUNE. Mr. President, I ask unanimous consent that the order for 
the quorum call be rescinded.
  The PRESIDING OFFICER. Without objection, it is so ordered.