Law in the Internet Society

Cross-border access to data? MLATs may still be the way forward!

-- By JurriaanVanMil - 11 Oct 2019

1 Introduction

States have an interest in acquiring personal data for national security and law enforcement purposes. But which State can exercise jurisdiction over data? Is it the country in which the individual concerned resides? Is the country in which the online service provider is incorporated? Is it the country in which the data is stored and held by the online service provider? Or is it all of the above? States seemingly have set these jurisdictional considerations aside to facilitate cross-border access to data. To that end, States traditionally relied on Mutual Legal Assistance Treaties (MLAT). This mechanism has, however, its downfalls. Therefore, States recently started resorting to other instruments to ensure access to data, in particular a new mechanism introduced by the American CLOUD Act, and other States’ enactment of data localisation laws. But the former instrument may prove to be ineffective, thus potentially pushing States towards the latter, which has human rights implications. As such, States’ efforts should perhaps shift from enacting such laws towards amending and enhancing the MLAT mechanism.

2 Mutual Legal Assistance Treaties

States’ ignorance to these jurisdictional considerations can be attributed to their mutual interest in cross-border access to data. Rather than discussing these implications and the politics related thereto, States enter into MLATs to get their hands of data stored and held abroad. Generally speaking, an MLAT calls for the domestic judicial review of foreign States’ individual access requests. This procedural aspect can potentially safeguard the fundamental rights at stake. However, critics argue that this procedure is cumbersome: it brings considerable administrative drag with, and is time-consuming. Consequently, critics hold that this ad hoc legal mechanism does not provide swift cross-border access, in particular to ephemeral data, and should thus be subject to review.


The CLOUD Act should, inter alia, establish a smooth-functioning and quick mechanism for foreign States to acquire data regarding their citizens, which are stored and held in the United States, for investigatory purposes. To that end, it allows foreign States to enter into executive agreements with the United States that allows them to request such data directly from American online service providers. Before the conclusion of an executive agreement, the executive must first certify a foreign State. Certification is contingent upon compliance with a baseline of substantive and procedural requirements, and the determination thereof cannot be subject to judicial or administrative review. Congress can, however, disapprove a specific executive agreement. The certification process aims to safeguard privacy and civil liberties. Unsurprisingly, certification can thus depend on foreign States’ adherence to international human rights obligations. Besides, foreign States have to grant the United States a reciprocal right to access. Moreover, concluded executive agreements are subject to periodical review of compliance. Under executive agreements, foreign States can order data regarding their citizens directly from American online service providers. Such an order too has to comply with substantive and procedural requirements. Online service providers seemingly have to assess whether an order satisfies these requirements.

4 The shortcomings of the CLOUD Act

First, the United States unilaterally imposes a baseline of substantive and procedural requirements on foreign States with the CLOUD Act, whereas MLATs theoretically called for a bilateral or multilateral discussion on the substance of treaties. This Western Imperialistic aspect of the CLOUD Act is exacerbated by the fact that the United States was the first to introduce this mechanism of executive agreements. A similar mechanism is currently being legislated by the European Union. In relation to the foregoing, the United States seemingly disregards the economic, legal, philosophical and political differences between States. By and large, it provides foreign States with a take-it-or-leave it choice: either comply with a specific set of requirements – that may go further than what international human rights obligations require –, or rely on an apparently outdated mechanism. It is likely that Western States will enter into executive agreements with the United States – the United Kingdom recently did so –, whereas non-Western States are likely to continue using MLATs or to resort to other instruments like data localisation laws. As such, a fragmented and piecemeal framework is to be expected.

Second, executive agreements are not subject to proactive and retrospective judicial review, whereas MLATs generally call for domestic judicial review of foreign States’ requests to access. Rather, the American executive and legislature decide a priori whether the United States should enter in an executive agreement, and they conduct a periodical review of compliance. These branches of State have a much stronger interest in a swift reciprocal right to access than the judiciary does. Furthermore, the CLOUD Act seemingly requires online service providers to assess the legality of foreign States’ orders to access. This form of privatised adjudication raises questions regarding appropriateness, capacity and competency. This can result in two practices. On the one hand, online service providers can be expected to promptly honour orders to access without a rigid review thereof. Afterall, the executive and legislature endorse the executive agreement, thus orders of access issued pursuant to that agreement must legitimate. On the other hand, online service providers can be expected to be sceptic of foreign interference, thus honouring only very few orders to access and forcing certified foreign States to rely on MLATs once again.

5 Conclusion

From the outset, both the CLOUD Act and MLATs do not sufficiently discuss jurisdictional considerations at the global level. However, MLATs do call for a bilateral or multilateral conversation between States, thus potentially better reconciling fundamental differences between States. Furthermore, the CLOUD Act’s other shortcomings are better addressed by MLATs (judicial oversight) and seemingly push foreign States to still rely upon MLATs. Given the standing relevance of MLATs, States in general should enter into a constructive discussion about amending and enhancing this mechanism. For example, States can agree upon standardized digital protocols and forms. They can also create specific procedures for high-impact crimes and establish a specific specialised department that processes all incoming requests.

I don't know how it looks from where you sit, because this draft doesn't actually show you or your own personal ideas in the map it is drawing. From where I sit, however, it's a plea against irrevocable change. MLATs weren't some mechanism dreamed up in the primordial forests of Germanic folk-democracy. They too were diktats of the American Empire, meant to bring the bank secrecy of the hardy Swiss to heel, and in other respects to gratify the requirements of legal globalization. No doubt the Luxembourgeois could have done without them too, but they hadn't any choice then and they haven't any choice now.

It would be helpful if instead of vague reference to the shortcomings of the CLOUD Act, which are repeatedly mentioned but never actually described, you described them. In particular, why process requirements that "may go further than what international human rights obligations require" would be objectionable, and what this "may go further" actually boils down to. When governments are preparing to share the outcome of real-time mass surveillance with one another, using local and multi-national platform operators as their acquisition agents, why would arrangements no more sensitive to individual rights than the minimum global consensus be wrong to impose? Why are the agreements negotiated between governments under the CLOUD Act less bilateral than the ones negotiated between the same governments with respect to non-real-time data access, called MLATs? If you have personally been involved in either form of negotiation, it would be helpful to have the benefit of your personal observations and conclusions. If not, you might want to check the nature of your speculations against the experience of those who have.

The opposition between the CLOUD Act and data localization is evident and direct, but maybe a little less of each than appears at first sight. Certainly it is reasonable to assume that any state that manages to keep all the data concerning its own citizens within its borders will need fewer arrangements for gaining access to data stored elsewhere. But there will b e no such states, and no state's investigative and enforcement activities can be fully conducted without data located outside its borders. Data localization is evidently sub-optimal whether you are in the cloud IT business or you believe in human development and freedom. You can readily find public commentary by me and my law partner, Ms. Choudhary, making these points at least solemnly enough and probably too often. But the problem with MLATs is that their time-scale is archaic. The US government is hardly the only one that would like to make arrangements for real-time access to global data flows. Your assumption that "non-Western" governments will not be interested in CLOUD Act arrangements is demonstrably at odds with the current state of international diplomacy. So it might be more useful to discuss what the arrangements for multi-national real-time listening ought to be than to expect it can all be put back in the tube.

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.


Webs Webs

r2 - 25 Nov 2019 - 19:29:24 - EbenMoglen
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM