By Ruth A Fitz Gerald, B.L.
Which country has the authority to investigate crimes committed with the use of the internet where the evidence is located in different states? This question has come into sharp focus recently, as demonstrated by the Microsoft Ireland case heard by the US Supreme Court on 27 February 2018. More than 30 amicus curiae briefs were filed, i.e. briefs on behalf of entities and persons who were not parties to the litigation but who considered they had something to contribute on the legal issues in the case. The briefs filed in support of Microsoft reportedly represented 289 individuals or entities from 37 countries.
The case arose out of a challenge by Microsoft to a US federal warrant which sought to compel Microsoft to provide the US authorities with a customer’s emails stored in its facility in Ireland. Microsoft argued that the legislation governing the search warrant did not extend extraterritorially to encompass the data stored in Ireland; that the correct procedure was for the US to use the traditional mutual legal assistance mechanism to request the Irish authorities to obtain the evidence from Microsoft in Ireland. Mutual legal assistance, a mechanism provided for by treaty (there is one between Ireland and the US), includes requirements that protect due process. However, mutual assistance is considered slow and cumbersome. The US Government argued that in circumstances where Microsoft had control of the data – even though it was in Ireland – that enforcement of the warrant was, in effect, a domestic matter and that it was unnecessary to apply mutual assistance. The case highlights the need for a harmonised, international mechanism which balances the internet users’ right to due process on the one hand, and the efficient investigation and prosecution of crimes committed on the internet on the other.
The absence of an internationally coordinated approach to reform or replace mutual assistance has led some states to adopt measures which impact severely on the free flow of data by requiring that national data be stored, processed or handled within their borders so as to be available to local law enforcement. This localisation of data has the potential to fragment the internet with a consequent impact upon every user.
Both the US and Europe have recently addressed the question of how to gather electronic, criminal evidence, including real-time interception and surveillance, but in ways which would seem to clash. In this context it should be noted that the EU and the US have fundamentally different approaches to privacy. In Europe privacy is viewed as a human right; this is not the case in the US, perhaps as a consequence of the First Amendment’s protection of free speech. Whereas in Europe a comprehensive, omnibus approach is taken to the protection of all personal data, in the US privacy laws are developed on a sector by sector basis.
The EU General Data Protection Regulation (GDPR) and ePrivacy Directive introduce a controversial, expansive extraterritorial jurisdiction: they claim jurisdiction, not just over the processing by service providers established in the EU, but also over the processing by service providers established outside the EU when these direct their services to, or monitor the behaviour of, persons within the EU. This extraterritorial jurisdiction claimed by the EU has caused considerable alarm in the US where service providers face being treated as data controllers for the purposes of EU law.
The GDPR provides that service providers may only transfer personal data to countries outside the EU if one of the mechanisms it prescribes apply. Data subjects may give informed, explicit consent to the transfer of their data outside the EU to facilitate criminal investigations but the GDPR provides that such transfer cannot be compelled by an order or decision of a judge or authority outside the EU unless “based on an international agreement, such as a mutual legal assistance treaty”.
The US, on the other hand, in the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) which was adopted as part of Federal Omnibus Spending Bill on 23 March 2018, requires (subject to certain provisos) service providers based in the US to give effect to US search warrants to provide law enforcement with data even where this is held overseas. This provision is aimed at avoiding a requirement for a mutual assistance request, as in the Microsoft Ireland scenario. Indeed, the enactment of the CLOUD Act has caused both the US Government and Microsoft to seek a dismissal of the case as the CLOUD Act has rendered it moot.
The long reach of the CLOUD Act’s search warrant into data held abroad, however, seems to clash with Article 48 of the GDPR which prohibits such a transfer of data in the absence of a mutual assistance agreement or the like. As already mentioned, mutual assistance procedures contain safeguards for due process. The CLOUD Act procedure would sidestep the mutual assistance requirement that a judge must authorise the transfer of data out of the state which holds the evidence. It would also circumvent the requirement that the conduct under investigation must be an offence under both US law and the law of the country where the evidence is to be found. The absence of these protections would seriously undermine the right of an accused to due process and, indeed, jeopardise the rule of law.
While the CLOUD Act envisages agreements between the US and other states, a bilateral agreement between the US and the EU would require the EU to revise Article 48, something which would seem improbable, particularly now in the face of the Facebook/Cambridge Analytica scandal.
I know of two forums actively pursuing an international, harmonised approach to the retrieval of data evidence from the internet, albeit in very different ways. These are the Internet & Jurisdiction Policy Network (I&J) and the Council of Europe’s Cybercrime Convention Committee (T-CY).
The I&J Network aims to develop transnational, voluntary polices for the governance of the internet. The objective is that governments would adopt these and give them legal effect. The mix of stakeholders in the Network is impressive; the intention is to ensure that the concerns of many different groups are taken into account.
I attended the second global meeting of the Network which was held at the end of February 2018 in Ottawa. Stakeholders from government, international organisations, internet service providers and civil society met to consider what standards and conditions should apply to allow law enforcement to obtain electronic evidence from service providers. The purpose of the second global conference was to decide on the issues which require more detailed study, so as to develop internet governance policies which will be considered at the third global meeting in Berlin in 2019.
The Budapest or Cybercrime Convention is the only convention which deals with crimes committed through the internet, e.g. computer-related fraud, child pornography and hate crimes. Last June, the T-CY proposed the development of a 2nd Protocol to the Budapest Convention to provide for law enforcement’s access to electronic evidence, more effective mutual legal assistance, direct cooperation with service providers and human rights safeguards, including data protection.
An internationally coordinated approach to the collection of electronic evidence is essential in order to keep the free flow of information. Both the I&J Network and the T-CY are working to establish such an approach. However, both the proposed Terms of Reference for the 2nd Protocol and the I&J Network proposals, while well intentioned, have the potential adversely to affect due process by by-passing, and not replacing, at least some of the protections in the mutual assistance procedure. Nor is any thought being given as to how to improve and transform mutual assistance to adapt it to the internet environment. The response is to disregard mutual assistance, even though its drawbacks result not from the system itself but rather from the fact that the states which implement it do so in a burdensomely slow and bureaucratic manner.
There is a stakeholder who is not at the table in the T-CY and I&J Network discussions – the suspect. That absent stakeholder will rely on those attending the T-CY and I&J Network who hold precious the right to a fair trial to champion his or her rights; they will have to be especially vigilant to ensure that the solutions proposed do not undermine the rights which support due process.
