Deputy Assistant Attorney General Richard W. Downing Delivers Remarks at the Academy of European Law Conference on “Prospects for Transatlantic Cooperation on the Transfer of Electronic Evidence to Promote Public Safety”

Remarks as prepared for delivery

Thank you for the kind introduction.  It is a privilege to be here with all of you and to share with you the views of the U.S. Department of Justice.

In my work as the Department’s Deputy Assistant Attorney General overseeing cybercrime and child exploitation issues, I see firsthand the extent to which crime has grown increasingly transnational, and to which criminals are able to inflict tremendous harm on innocent people around the world with a few keystrokes.  The attorneys I supervise build cases through cross-border investigations with evidence that spans the globe.  And I know well that working cooperatively and efficiently with our foreign counterparts is an absolute necessity for effective law enforcement today. 

We have worked together to achieve excellent results.  Working jointly, we have together taken down some of the largest DarkNet marketplaces selling guns, dangerous opioids and other narcotics, and stolen personal identity information.  We have together investigated sites that cater to the exploitation of children –in one operation identifying and rescuing over 250 children around the world.  We have together shuttered a bitcoin exchange that allegedly laundered over four billion dollars in criminal proceeds.  

These joint efforts are only the tip of the iceberg when it comes to the need for effective sharing of electronic evidence.  So many of our ordinary, everyday, domestic law enforcement matters now rely on electronic evidence.  From social media posts that preceded a homicide, to texts revealing a woman being stalked, to chat sessions involving those planning a terrorist attack, to the cell phone location of a drug trafficker – almost everything we do as law enforcement officials to protect the public is grounded in electronic evidence.

Consider, for example, a case where a homicide is committed here in London.  U.K. officers begin an investigation.  They collect evidence at the scene of the crime.  They interview witnesses.  They identify a suspect.  Maybe they even search his house and seize his phone.  But if they want to get the communications between his social media account and those of the victim, and if those communications are held by a provider in the United States—as is often the case—U.K. investigators will have to issue a formal mutual legal assistance request to the U.S. government, and may then wait months, or even longer, for a response, while the request makes its way through the American legal system.  This is the paradigm case that the U.S. Congress passed the Clarifying Lawful Overseas Use of Data Act – the CLOUD Act – to address.

It is fitting, then, that I find myself here so close to the date of the one-year anniversary of the passage of the CLOUD Act.  Since it was enacted last March, the CLOUD Act has, unfortunately, been the subject of many misconceptions, and is viewed by some with suspicion.  That may not be surprising, given the complexity and technicality of some of the issues involved.  But I hope to dispel some of those misconceptions today. 

The CLOUD Act as a Model for International Cooperation

In fact, the CLOUD Act should be embraced as a model for international cooperation.  It offers a sorely needed step toward resolving a near-universal challenge.  We are all grappling with the dramatic advances in technology and unprecedented proliferation of platforms.  We have all seen companies fanning out across the globe and increasingly storing their data in other countries in efforts to gain new footholds and achieve operational efficiencies.  And we all know that virtually every serious threat we investigate today requires access to electronic evidence like the contents of emails, instant messages, photos, traffic data, session logs, subscriber information, and the like.  Our collective safety and security depends on our ability to maintain lawful and efficient cross-border access to that evidence.

And yet, often, the global technology companies that hold key evidence are subject to more than one country’s laws.  One country may order them to disclose data vital to an investigation, but another country’s laws may restrict disclosure of that same data.  These potential legal conflicts present significant challenges to governments’ ability to acquire electronic evidence that may be vital to criminal investigations in a timely, efficient manner.  Sometimes, it is U.S. law that frustrates our international partners.  That’s why we’ve enacted the CLOUD Act. 

It is all too easy to see a very different kind of reaction from national governments as they – naturally – seek to protect the safety and privacy of their citizens.  The temptation is to create new restrictions on other countries’ access – new “blocking statutes”.  The temptation is to unilaterally ratchet up pressure on companies to disclose evidence.  The temptation is to insist that data be stored within a country’s borders to make access easier.  While these temptations are real, they run the risk of causing conflicts and paralysis that will hurt us all. 

The CLOUD Act offers a different way forward.  It offers not simply a solution to the challenge of this moment, but also an aspirational kind of solution.  That is, it is a solution aimed at fostering a community of like-minded, rights-respecting countries that abide by the rule of law – where the countries can minimize their conflicts of law and advance their mutual interests based on shared values and mutual respect. 

One particularly inaccurate statement about the Act being made in some circles is that it is a U.S.-centric law designed solely to serve U.S. interests and U.S. needs.  The truth is that the impetus for the CLOUD Act came from our foreign law enforcement partners, who expressed a need for increased speed in obtaining evidence held by U.S. providers – evidence which is normally obtained through the Mutual Legal Assistance Treaty – or “MLA” – process.  The U.S. government has heard repeatedly that the production of evidence must be facilitated and expedited to avoid criminal investigations being stymied.  The exponential rise in demand for electronic evidence also places extraordinary demands on the existing MLA process. 

Today the vast majority of major service providers are already in the territory and jurisdiction of the United States, and the United States receives far more requests for electronic data from other countries than it sends to them.  It was thus the practical impediments faced by countries outside the United States in their attempts to reach critical electronic evidence available inside the United States that fueled the calls for legislative action. 

The United Kingdom’s concerns in particular spurred our development of the CLOUD Act.  Indeed, it’s remarkable to reflect on just who the witnesses were before the U.S. Congress in the lead up to the law’s enactment.  Paddy McGuinness, then the U.K.’s Deputy National Security Advisor for Intelligence, Security, and Resilience provided key testimony.  As Mr. McGuinness put it succinctly at the time:

“It does not make sense that two criminals plotting a major drug deal, a murder, a kidnap, trafficking people or sexually abusing a child in the UK can have their communications intercepted if they communicate via text message, but if they use a US company’s services their data should be out of reach of UK law enforcement…. The current legal situation is bad for public safety, bad for companies and bad for privacy.”

To its credit, the U.S. Congress heeded that urgent call, which was supported by members of the U.S. law enforcement community.  With the CLOUD Act, the U.S. Congress created a way that we can lift U.S. legal restrictions so that our partners could more efficiently protect their citizens and promote justice and the rule of law.   

It was clear to all of us then that we could do better for public safety, better for companies, and better for privacy, and that the CLOUD Act was the path forward.  All that remains true now that the CLOUD Act is on the books.   

The CLOUD Act’s Authorization of Bilateral Agreements

The CLOUD Act accomplished two things.  First and foremost, it authorized the United States to enter into bilateral agreements to facilitate the ability of foreign partners to get electronic evidence.  As Mr. McGuinness noted in his testimony, many American providers currently will not disclose certain electronic data directly to foreign law enforcement authorities for fear of running afoul of U.S. restrictions on disclosure.  Under the CLOUD Act’s bilateral agreements, however, each country would agree to lower their respective barriers that might otherwise stand in the way of compliance with lawful orders.  And each country would agree to let covered orders go directly from the ordering country to the providers, without having to go through the other government or the overburdened MLA process.

CLOUD Act agreements will provide both more access – and more direct access – to the providers holding electronic evidence that is paramount in today’s prosecutions.  And remarkably, they do so through subtraction, not addition — that is, by eliminating existing obstacles to compliance, and not by creating new obligations.  Indeed, the bilateral agreements would not impose a single new affirmative obligation either on foreign providers to comply with U.S. orders, or on U.S. providers to comply with foreign orders.  They simply remove, on both ends, the conflicts of law.

This is a win-win for both countries:  For the United States, currently hard-pressed to keep up with the tremendous volume of incoming requests, this alternative mechanism for foreign countries to get data – in this case directly from providers – is expected to ease the pressures on the MLA process.  It should also mean that we can process the MLA requests that we receive more expeditiously as well.  Meanwhile, for our foreign partners, who currently originate the vast majority of requests, the ability to bypass the MLA process will reduce delays and pay potentially huge dividends in fast-moving investigations.  And when our partners are more effective in fighting serious crimes, we are all safer.

That said, CLOUD agreements are not available to countries that do not respect the rule of law and fundamental human rights.  Integral to the law is the premise that the countries eligible for such agreements must have a high level of checks and balances in place.  To be sure, the CLOUD Act does not seek to export U.S. legal standards to other countries.  It would be neither practical nor reasonable if the U.S. Congress were to insist that other countries match our legal requirements.  Indeed, because U.S. law has some of the highest evidentiary thresholds for investigators to obtain evidence, I suspect that there are few, if any, countries that today would qualify if the CLOUD Act had required other countries to hold their law enforcement officers to the exact same standards.  In my country, each and every search warrant is tethered to a demanding probable-cause determination; reviewed by an independent judge; and subjected to stringent requirements as to scope and established constitutional limits as to jurisdiction.  The requirements to intercept real-time content are even stricter.

Instead, the CLOUD Act permits each party to apply its own requirements for compulsory orders in accordance with the rule of law.  But bilateral agreements are still conditioned on the foreign party adhering to certain baseline commitments to privacy and civil liberties — commitments that cannot be bargained away, and may in some instances need to be accomplished through updates to domestic law.  As stated, the Act requires that our foreign partners respect the rule of law and international human rights.  It requires that they have adequate substantive and procedural laws on cybercrime and electronic evidence on the books.  It requires that they ensure that their orders target specific accounts, are adequately justified, and subject to meaningful independent review.  It requires that they confine the use of covered orders to the prevention, detection, and investigation of serious crimes.  And such orders cannot infringe on free speech, or be used to conduct bulk surveillance.  By reserving the benefits of bilateral agreements for rights-respecting countries, the CLOUD Act ensures that privacy and civil liberties will not be eroded in the pursuit of bilateral efficiencies.

So how does the CLOUD Act compare with other proposals?  The EU’s proposed E-Evidence legislation is sometimes referred to as the equivalent of the CLOUD Act.  Both laws, at their core, arise from the same concern:  law enforcement officers need access to electronic evidence in the hands of providers in order to solve crimes, protect public safety, and promote justice.  But the two laws stake out very different types of solutions.  The CLOUD Act seeks to promote cooperation through reciprocal agreements and reduced barriers to transfer by removing conflicts of law.

The draft E-Evidence on the contrary, is one-directional.  It does not offer a pathway for non-EU countries to access evidence they need directly from providers located in the EU.  Similarly, it does not lift any legal restrictions under EU or Member State law that could create a conflict of laws.  It appears to expand jurisdiction over providers outside of the EU and compels them to accept service of legal process within the EU.  The CLOUD Act, by contrast, does not expand jurisdiction over any additional providers. 

This expansive, one-directional approach is similar to the European Union’s General Data Protection Regulation, or GDPR, a sweeping privacy law that also has a broad extraterritorial jurisdiction and forces foreign companies to designate legal representatives in the EU to receive commands and punish non-compliance.  In addition, it imposes strict limits on processing personal data that discourage rather than facilitate the ability of third country authorities to obtain evidence from providers within and outside the EU, even when this evidence is needed to investigate and prosecute crime and protect the public.  Rather than build barriers to cross-border access to data, we should seek to develop cooperative solutions, like the CLOUD Act, that enable timely access to data under appropriate circumstances and subject to rigorous legal protections.

This risk of harming public safety by hindering the transfer of electronic evidence should not be understated.  Inflexible or overbroad laws and interpretations of the law risk making impossible transfers of evidence needed to prevent terrorist attacks, protect children from online sexual exploitation, or stop corruption or organized crime.  No one wants a world where law enforcement falls behind in the investigation of serious threats to our citizens and our democracies.  Instead, let us work towards reducing barriers and building both trust and security.

We in the United States hope to work diligently with the EU to reach a framework agreement that eliminates conflicts to the greatest extent possible and provides a cooperative path forward.  We also believe that the way forward envisioned by the CLOUD Act – enacted by the United States, but driven by the concerns raised by our foreign partners – is one that promises international benefits.  The CLOUD Act represents the kind of cooperative solution that should be championed and celebrated – something that I fear we have lost sight of amid some of the recent noise stemming from misconceptions about it.  The greatest gains in lawful access to cross-border data stand to come from the lowering of barriers – responsibly and incrementally – between nations with shared values, principles, and needs. 

The CLOUD Act’s Clarification of Provider Obligations

Aside from its authorization of bilateral agreements, the CLOUD Act also made explicit in U.S. law the long-held legal principle that a company operating within a country’s territory can be compelled to produce stored data within its “possession, custody, or control,” regardless of where it stores that data.

Let me pause for a moment on the idea that this is a “long-held legal principle”.  Some critics of the CLOUD Act have charged that the statute’s clarification of the obligations of providers is somehow novel, or, more ominously, a new incursion on data that would otherwise lie beyond the government’s reach.  That gets things backwards.  Far from introducing a new surveillance power, the CLOUD Act codified what had been the longstanding practice in the United States until a single 2016 decision by a court of appeals in a case involving Microsoft.  It is well established that a company present in our territory is subject to a U.S. subpoena for physical records in its possession, custody, or control, and must produce those records, regardless of where they are stored.  For decades, the corollary principle – that a provider in our jurisdiction must produce electronic evidence in its control, regardless of where the provider chooses to store the evidence – has been equally settled. 

Why has this principle been so critical in practice?  Consider the case of a provider, like Google, that for normal business reasons moves customer data between data centers in different countries.  It at times even breaks up a single account and stores it in different countries for efficiency or to reduce latency.  Current mutual legal assistance arrangements used by law enforcement to obtain data necessary to solve crimes and protect the public, however, can take months to complete.  What if a request is sent to one country, only to find that the data has moved on in the meantime?  And the problems are compounded still further by the realities that providers often do not have personnel in the country where the data is stored, nor the capability of complying with legal process in that country. 

Yet those were exactly the problems arising in the United States following the so-called “Microsoft Decision.”  Providers stopped complying, and data needed to protect children from child exploitation, investigate organized crime and corruption, or prevent cyber attacks suddenly became inaccessible no matter how important the need or what legal process officers sought.  While litigation over the “Microsoft Decision” was pending, the United States was even unable to fulfill certain MLAT requests from other countries because many major providers refused to disclose data stored outside the United States.  There was a pressing need to clarify again that providers operating in the United States should produce data, wherever stored, within its “possession, custody, or control” – a principle that, for decades, had been elemental in the United States.

And elemental not just to the United States: To the contrary, that principle has been elemental to most of our foreign partners as well.  Among others, the United Kingdom, France, Belgium, Spain, Ireland, Canada, and Australia have each asserted that same domestic authority over providers in their jurisdictions.  Indeed, that authority is a bedrock requirement of the nearly two-decades-old Budapest Convention on Cybercrime.  The Budapest Convention is, as many of you know, an international treaty to which there are currently 63 parties from around the world, including 26 European Union member states.  And Article 18(1)(a) of the Convention requires each of those more than 60 parties to adopt national laws under which authorities can compel providers in their territory to disclose electronic data in their control, leaving no exception for data that the provider may choose to store elsewhere.  The CLOUD Act provided for this. 

Indeed, without it, the United States had fallen out of compliance with its international treaty obligations. 

It is, therefore, particularly alarming for us to hear countries that maintain exactly the same kind of domestic authority malign the CLOUD Act as a data grab by the United States – and then use that distorted interpretation of the CLOUD Act as grounds to distrust U.S. companies, often to the benefit of their domestic competitors.  That is antithetical to the bridge-building letter and spirit of the CLOUD Act.  And it’s unacceptable coming from countries that simultaneously continue to demand the United States’ assistance in helping them obtain access to electronic evidence obtained using U.S. legal process for their public safety needs.  But we should not, and must not, lose sight of the shared principle:  Cross-border transfers of electronic evidence are necessary and appropriate, and they are a critical component of effectively prosecuting crime in the 21^st century.  We are all rowing in the same boat when it comes to these challenges, and we will sooner get where we need to go by working together, not against one another.

Let me be perfectly clear:  Nothing in the CLOUD Act’s clarification of U.S. law expands U.S. jurisdiction over foreign companies or any other entity.  Nothing in the CLOUD Act expands the categories of providers subject to U.S. jurisdiction.  The CLOUD Act does not alter who falls under the jurisdiction of U.S. courts; it merely confirms the obligations of the providers that already do.  The principles of personal jurisdiction are rooted in the U.S. Constitution and a well-developed body of constitutional law, and they provide for a strict test before a U.S. court can determine that a particular entity has “sufficient minimum contacts” with the United States based on the nature, quantity, and quality of those contacts.  Those principles are unchanged:  You will not be able to point to a single entity that is subject to U.S. jurisdiction after the CLOUD Act that was not already subject to U.S. jurisdiction before the CLOUD Act.

Nor does the CLOUD Act give U.S. law enforcement any new legal process to acquire data.  It does not affect, much less reduce, the burden on a U.S. investigator seeking a warrant and the approval of an independent judge.  The Act, at bottom, creates no new legal requirements under American law.  CLOUD is a benefit rather than a threat to other countries.

* * *

In conclusion, we stand at a decisive moment.  The decisions we make today about the future of cross-border access to electronic evidence will have far-reaching implications for our collective safety and security for decades to come.  Congress could not and would not have passed the CLOUD Act without the pivotal support of our foreign partners, who so ably articulated the urgency of a new solution to protect our citizens.  I hope we can remain united in that sense of urgency and purpose as we work toward CLOUD Act agreements that facilitate our mutual efforts to combat serious crimes.  And I hope you will join me in articulating and supporting the vision that the CLOUD Act presents going forward:  efficient transfer of evidence, reduction in legal barriers, and respect for privacy and the rule of law.  The United States stands ready to work with our partners to bring it to fruition.