More Countries May Dive Into Data-Sharing Pacts – By Sintia Radu (US News) / Oct 18 2019
A new U.S.-U.K. agreement to aid law enforcement opens doors for other countries to follow — and raises new privacy concerns, experts say.
Officials from the United States and United Kingdom signed a landmark data-sharing agreement earlier this month, culminating American efforts since 2016 to expand legal frameworks for accessing foreign electronic data for certain criminal investigations. Experts say pact paves the way for many other international agreements and a greater flow of data from one nation to another.
On Oct. 3, the two countries entered into the world’s first-ever Clarifying Lawful Overseas Use of Data Act, or CLOUD Act, allowing authorized American and British law enforcement agencies to request electronic data related to serious crime, including terrorism, child sexual abuse and cybercrime, directly from technology companies based in the other country, without legal barriers.
“The current legal assistance process can take up to two years, but the agreement will reduce this time period considerably while protecting privacy and enhancing civil liberties,” the U.S. Department of Justice said in a statement.
The CLOUD Act comes more than a year after the U.S. Congress authorized entering into agreements with rights-respecting foreign companies that allow access to electronic data for certain criminal investigations. The accord will enter into force after a six-month congressional review and after British Parliament review.
Observers say the agreement updates the two countries’ law enforcement capabilities in a world of fast-changing technology and exploding amounts of data.
“In the broader sense, this agreement represents progress towards putting in place the new types of agreements that are needed to manage legitimate issues, like cross-border data flows,” says Nigel Cory, associate director for trade policy at the Information Technology and Innovation Foundation in Washington, D.C. “It’s a positive approach that countries can take to address what is a legitimate concern without resorting to harmful other approaches such as local data storage and stuff.”
But the CLOUD Act has also been met with skepticism, with the Electronic Frontier Foundation, or EFF, warning that user data privacy is still at risk. Under the CLOUD Act, they say, police will have the right to request data from foreign companies, provided the data belongs to one of their citizens. Yet in some situations, adjacent user data can also be exposed, says EFF.
For example, if British police were to request a U.S. technology company for access to digital correspondence between a British citizen in the U.S. accused of fraud and another U.S. citizen, the messages could be used to criminally charge the American with unrelated crimes.
“Why should a U.S. person worry about their privacy when foreign governments can’t specifically request their data?” asked David Ruiz, former activist at the EFF, in a blog post. “Because even though foreign governments can’t request U.S. person data, that doesn’t mean they won’t get it.”
In response to potential threats from such international agreements, several technology companies in the United States, such as Microsoft and Dropbox, published guidelines on how the process should work and how users can be protected.
Who’ll Follow and Why?
The U.S.-U.K. agreement is the first of the executive agreements envisioned under the CLOUD Act, Cory says. Before the CLOUD Act, gathering foreign digital data for ongoing criminal investigations was a laborious process. For instance, if the U.S. requested digital evidence from countries such as Ireland, it could take up to 18 months to receive the information needed, dragging all criminal investigations. A similar request for data from the U.S. to Mexico in 2010 delayed a civil asset forfeiture case for more than three years because the U.S. government faced “significant challenges” obtaining formal evidence from Mexico even after appealing to the Mexican government multiple times.
This can now change, as the CLOUD Act’s mission is to make data requests more efficient with several countries willing to sign such agreements. The U.S. government has announced it is already looking into similar discussions with the European Union, while negotiations with Australia were announced in early October. In addition, there are talks about a potential agreement with India, who is grappling with a divide about updating its framework for law enforcement access to data for their investigation, Cory says. New Zealand and Canada also may follow, as well as Singapore or Japan.
“The United States is pursuing these agreements initially with those countries where it will probably happen the quickest because they’re already at a high level of engagement and of a relationship to work on,” he adds. “And once the template becomes more set in stone, it’ll make it easier for subsequent negotiations with other countries.”