Law in the Internet Society

Cross-border access to data? MLATs may still be the way forward!

-- By JurriaanVanMil - 11 Oct 2019

1 Introduction

States have an interest in acquiring personal data for national security and law enforcement purposes. But which State can exercise jurisdiction over data? Is it the country in which the individual concerned resides? Is the country in which the online service provider is incorporated? Is it the country in which the data is stored and held by the online service provider? Or is it all of the above? States seemingly have set these jurisdictional considerations aside to facilitate cross-border access to data. To that end, States traditionally relied on Mutual Legal Assistance Treaties (MLAT). This mechanism has, however, its downfalls. Therefore, States recently started resorting to other instruments to ensure access to data, in particular a new mechanism introduced by the American CLOUD Act, and other States’ enactment of data localisation laws. But the former instrument may prove to be ineffective, thus potentially pushing States towards the latter, which has human rights implications. As such, States’ efforts should perhaps shift from enacting such laws towards amending and enhancing the MLAT mechanism.

2 Mutual Legal Assistance Treaties

States’ ignorance to these jurisdictional considerations can be attributed to their mutual interest in cross-border access to data. Rather than discussing these implications and the politics related thereto, States enter into MLATs to get their hands of data stored and held abroad. Generally speaking, an MLAT calls for the domestic judicial review of foreign States’ individual access requests. This procedural aspect can potentially safeguard the fundamental rights at stake. However, critics argue that this procedure is cumbersome: it brings considerable administrative drag with, and is time-consuming. Consequently, critics hold that this ad hoc legal mechanism does not provide swift cross-border access, in particular to ephemeral data, and should thus be subject to review.


The CLOUD Act should, inter alia, establish a smooth-functioning and quick mechanism for foreign States to acquire data regarding their citizens, which are stored and held in the United States, for investigatory purposes. To that end, it allows foreign States to enter into executive agreements with the United States that allows them to request such data directly from American online service providers. Before the conclusion of an executive agreement, the executive must first certify a foreign State. Certification is contingent upon compliance with a baseline of substantive and procedural requirements, and the determination thereof cannot be subject to judicial or administrative review. Congress can, however, disapprove a specific executive agreement. The certification process aims to safeguard privacy and civil liberties. Unsurprisingly, certification can thus depend on foreign States’ adherence to international human rights obligations. Besides, foreign States have to grant the United States a reciprocal right to access. Moreover, concluded executive agreements are subject to periodical review of compliance. Under executive agreements, foreign States can order data regarding their citizens directly from American online service providers. Such an order too has to comply with substantive and procedural requirements. Online service providers seemingly have to assess whether an order satisfies these requirements.

4 The shortcomings of the CLOUD Act

First, the United States unilaterally imposes a baseline of substantive and procedural requirements on foreign States with the CLOUD Act, whereas MLATs theoretically called for a bilateral or multilateral discussion on the substance of treaties. This Western Imperialistic aspect of the CLOUD Act is exacerbated by the fact that the United States was the first to introduce this mechanism of executive agreements. A similar mechanism is currently being legislated by the European Union. In relation to the foregoing, the United States seemingly disregards the economic, legal, philosophical and political differences between States. By and large, it provides foreign States with a take-it-or-leave it choice: either comply with a specific set of requirements – that may go further than what international human rights obligations require –, or rely on an apparently outdated mechanism. It is likely that Western States will enter into executive agreements with the United States – the United Kingdom recently did so –, whereas non-Western States are likely to continue using MLATs or to resort to other instruments like data localisation laws. As such, a fragmented and piecemeal framework is to be expected.

Second, executive agreements are not subject to proactive and retrospective judicial review, whereas MLATs generally call for domestic judicial review of foreign States’ requests to access. Rather, the American executive and legislature decide a priori whether the United States should enter in an executive agreement, and they conduct a periodical review of compliance. These branches of State have a much stronger interest in a swift reciprocal right to access than the judiciary does. Furthermore, the CLOUD Act seemingly requires online service providers to assess the legality of foreign States’ orders to access. This form of privatised adjudication raises questions regarding appropriateness, capacity and competency. This can result in two practices. On the one hand, online service providers can be expected to promptly honour orders to access without a rigid review thereof. Afterall, the executive and legislature endorse the executive agreement, thus orders of access issued pursuant to that agreement must legitimate. On the other hand, online service providers can be expected to be sceptic of foreign interference, thus honouring only very few orders to access and forcing certified foreign States to rely on MLATs once again.

5 Conclusion

From the outset, both the CLOUD Act and MLATs do not sufficiently discuss jurisdictional considerations at the global level. However, MLATs do call for a bilateral or multilateral conversation between States, thus potentially better reconciling fundamental differences between States. Furthermore, the CLOUD Act’s other shortcomings are better addressed by MLATs (judicial oversight) and seemingly push foreign States to still rely upon MLATs. Given the standing relevance of MLATs, States in general should enter into a constructive discussion about amending and enhancing this mechanism. For example, States can agree upon standardized digital protocols and forms. They can also create specific procedures for high-impact crimes and establish a specific specialised department that processes all incoming requests.

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.


Webs Webs

r1 - 11 Oct 2019 - 19:27:19 - JurriaanVanMil
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM