The global nature of the Internet means that police agencies all around the world facing challenges investigating crime when the data is stored in other countries. The pressure to make this process easier is mounting. To many governments, that means stripping away legal protections for privacy. Soon, police in other countries could get their hands on data from abroad based on an international agreement or other legal initiative. Under new cross-border authorities, police elsewhere can obtain evidence to investigate things that might not even be a crime in your country — and their demands for data might not be reviewed by a judge, or by anyone from your own government. (In the U.S., foreign agencies can’t use the new CLOUD Act methods to get access to data of Americans, and companies are supposed to actively remove Americans’ data from their responses, but proposals elsewhere mostly don’t have an analogous restriction.)
This year EFF and our colleagues have been fighting over access mechanisms like the CLOUD Act in the United States, the US-UK CLOUD Act Agreement, the upcoming US-Australia CLOUD Act Agreement, proposals for a US-EU agreement, the European e-evidence proposal, and cross-border data exchange systems proposed in amendments to the Council of Europe’s Budapest Convention (which we commented on in February and November). Some of these are bilateral deals involving just two countries, but others — especially the European and Budapest Convention mechanisms — could potentially involve dozens of countries, rapidly ushering in legal changes that allow officials in any one of them to get personal information from companies in any other.
The Internet has no borders, but countries and jurisdictions do. We don’t want to lose the many benefits of a borderless Internet: that individuals can speak as equals quickly and easily to others on the other side of the world, that businesses can trade at the speed of light, and that those faced with repression in one jurisdiction can sometimes use the global Internet to route around it. But laws are enforced by states. Every country wants to see its own laws enforced, and sometimes they believe that this requires acting beyond their borders. Internet jurisdiction questions crop up in all different contexts and touch on many different aspects of human rights. But today they are especially visible in the context of cross-border data access negotiations. Like us, privacy authorities are worried that these deals fail to protect the public’s rights; the EU’s privacy watchdog, for instance, offered its own warnings on the US-EU negotiations and on the Budapest convention amendment process.
The Principle of Territoriality and Differences Between Legal Systems
By default, countries can only enforce their laws within their own territory. All these initiatives to some extent bargain away this principle of territoriality and the privacy safeguards that accompany it: the U.S. CLOUD Act, for instance, will allow qualifying countries to ignore U.S. privacy protections for non-U.S. persons’ communications content, while the EU e-evidence proposal, if passed, will allow law enforcement of one country to make data requests that ignore the privacy laws of the other country.
But the laws of different countries are quite different. That includes what kinds of things are or could be a crime in the first place, what law enforcement has to prove before accessing personal data, and whether different kinds of personal data are legally protected at all. The trend in cross-border access proposals, unfortunately, is to try to ignore most of these differences, often by adopting the less-protective rule.
In surveillance law, we see countries racing one another towards an unfortunate finish-line: weaker privacy protections for everyone. For instance, in the United States, we enjoy strong protections against government access to the content of communications — the government needs to show at least “probable cause,” and higher standards for real-time interception. Elsewhere, for instance in Canada, we see strong protections for subscriber data. And Brazil (unlike the United States) requires a court order for most data, whether content or metadata. When negotiations begin between countries over how law enforcement should obtain data, these differences can be swept aside.
- For example, authorities have called for getting rid of “blocking statutes,” which include the U.S. protections we mentioned above. They propose immunizing companies that share data with authorities, even in jurisdictions where this is currently banned.
- The U.S. CLOUD Act will allow U.S. officials to ignore foreign privacy protections in requesting data from other countries, while qualifying foreign governments that enter into an agreement with the U.S. will in turn be able to avoid U.S. privacy protections by using their own law on U.S. soil.
In some cases, a foreign country’s law may not be in compliance with international human rights standards.
- For example, data retention mandates (requiring retention of metadata about users even when they’re not under suspicion of a crime) have been declared illegal in Europe by the European Court of Justice. But many European data retention laws remain on the books and continue to be enforced.
We fear that countries can effectively export their bad practices or weak human rights protections through extraterritoriality in these agreements; when two nations negotiate over their differences, the weakest human rights protections may win, and bad local law can prevail over international standards of human rights.
Don’t Race to the Bottom
Official international legal cooperation has existed for centuries, including things like extradition, and cooperation on criminal investigations. It can be useful and appropriate. We agree that some forms of cooperation ought to be made faster and more predictable than they are today. Valid legal requests between countries should be dealt with promptly, and shouldn’t languish in bureaucratic limbo. But this shouldn’t be an excuse to undermine either side’s legal system and the protections it offers. Let’s not make the weakest privacy protections into the de facto global standard.
Truthout Is Preparing to Meet Trump’s Agenda With Resistance at Every Turn
Dear Truthout Community,
If you feel rage, despondency, confusion and deep fear today, you are not alone. We’re feeling it too. We are heartsick. Facing down Trump’s fascist agenda, we are desperately worried about the most vulnerable people among us, including our loved ones and everyone in the Truthout community, and our minds are racing a million miles a minute to try to map out all that needs to be done.
We must give ourselves space to grieve and feel our fear, feel our rage, and keep in the forefront of our mind the stark truth that millions of real human lives are on the line. And simultaneously, we’ve got to get to work, take stock of our resources, and prepare to throw ourselves full force into the movement.
Journalism is a linchpin of that movement. Even as we are reeling, we’re summoning up all the energy we can to face down what’s coming, because we know that one of the sharpest weapons against fascism is publishing the truth.
There are many terrifying planks to the Trump agenda, and we plan to devote ourselves to reporting thoroughly on each one and, crucially, covering the movements resisting them. We also recognize that Trump is a dire threat to journalism itself, and that we must take this seriously from the outset.
After the election, the four of us sat down to have some hard but necessary conversations about Truthout under a Trump presidency. How would we defend our publication from an avalanche of far right lawsuits that seek to bankrupt us? How would we keep our reporters safe if they need to cover outbreaks of political violence, or if they are targeted by authorities? How will we urgently produce the practical analysis, tools and movement coverage that you need right now — breaking through our normal routines to meet a terrifying moment in ways that best serve you?
It will be a tough, scary four years to produce social justice-driven journalism. We need to deliver news, strategy, liberatory ideas, tools and movement-sparking solutions with a force that we never have had to before. And at the same time, we desperately need to protect our ability to do so.
We know this is such a painful moment and donations may understandably be the last thing on your mind. But we must ask for your support, which is needed in a new and urgent way.
We promise we will kick into an even higher gear to give you truthful news that cuts against the disinformation and vitriol and hate and violence. We promise to publish analyses that will serve the needs of the movements we all rely on to survive the next four years, and even build for the future. We promise to be responsive, to recognize you as members of our community with a vital stake and voice in this work.
Please dig deep if you can, but a donation of any amount will be a truly meaningful and tangible action in this cataclysmic historical moment.
We’re with you. Let’s do all we can to move forward together.
With love, rage, and solidarity,
Maya, Negin, Saima, and Ziggy