How Technology is Prompting US/EU Tension on Mutual Legal Assistance Peter Swire Huang Professor Law and Ethics Georgia Tech Scheller College of Business Senior Counsel, Alston & Bird LLP Emory Law School Thrower Symposium February 11, 2016
Overview • Changes in global communications create challenges • Cross-border data flows common and increasing for cybercrime, other crimes, cybersecurity, and national security • Law enforcement has large national security implications, especially for counter-terrorism • Criminal law is part of “all tools” approach for counter-terrorism and national security • Strict US privacy law creates obstacles to EU requests for data • Strict EU privacy law creates obstacles to US requests for data • What are we to do?
Research context for this talk/paper • Research project on mutual legal assistance (with Justin Hemmings) • “Stakeholders in Reform of the Global System on Mutual Legal Assistance,” http://ssrn.com/abstract=2696163 • “Mutual Legal Assistance in an Era of Globalized Communications: The Analogy to the Visa Waiver Program,” http://ssrn.com/abstract=2728478 • Research and policy work on Safe Harbor/Schrems/EU (with DeBrae Kennedy-Mayo): • “US Surveillance Law, Safe Harbor, and Reforms Since 2013”, http://ssrn.com/abstract=2709619 • Today’s project: bringing the two parts together
Why UK and Others Want Direct Access to Data/Evidence Held in the US • Announcement last week of UK/US agreement that, if enacted, would enable UK to go directly to providers in US for stored records, wiretaps, and national security wiretaps • Have been working with industry/civil society/academic group on these issues, to assure privacy/human rights rules for these • Stored records: UK victim, UK suspects, email or social network records held in US (law enforcement) • Wiretaps: Alice in UK emails/Skypes Bob in UK; it is encrypted, but may be plaintext at server in US (law enforcement) • National security investigations: UK investigation, and don’t want to necessarily share it with NSA; evidence accessed in US
US Privacy Law is Stricter than EU • US Electronic Communications Privacy Act (ECPA) stricter in many respects than law enforcement rules in other countries: • Judicial oversight of request • Probable cause, or almost (reasonable and articulable suspicion) • Notice to service provider of the basis of the request • 1st Amendment: • Don’t provide evidence for hate speech, blasphemy, etc. • Mutual Legal Assistance Treaties • Careful review in US DOJ Office of International Affairs • Big delays, averaging 10 months even for successful requests • EU perspective: • LOTS of evidence held in US by global service providers • US won’t provide vital evidence, even where EU victims, crimes, suspects
EU Privacy Law is Stricter than US • US seeks to export data/evidence from EU, for many reasons • Commerce – Safe Harbor, global companies and services • Law enforcement/national security – we are allies • Strict EU privacy laws • 1998 Directive, and new General Data Protection Regulation • Schrems ECJ case in October, struck down Safe Harbor • US/EU negotiations about stricter EU privacy rules • Privacy Shield – commercial and some foreign intelligence • Umbrella agreement – new US promises on data uses and downstream disclosures when receive from EU • US perspective: there must be limits to EU insistence on changing US practices
Mutually Assured Frustration • Human rights advocates on both sides of the Atlantic can’t imagine lowering their standards • US: “You have no judges and no probable cause!” • EU: “You have no comprehensive privacy law like ours and lack legal structure for downstream uses!” plus “The NSA makes the US an unsafe place for our data!” • In our era of global communications, blaming each other and blocking legitimate data flows among allies not the right way to proceed • New agreements have to be effective and also follow privacy and human rights laws and norms
Some Thoughts on the Way Forward • Clearly describe the situation (a main goal of our research project) • Technology – why so many new data flows and challenges • Law – why each side distrusts the other’s approach • Educate the elites who are prone to criticize any reform • Identify concrete reforms that enable data flows while honoring core legal principles of each country • Consider how to expand beyond the “club” of US and EU, to address legal, privacy, and human rights challenges for global data flows