Associate Deputy Attorney General Sujit Raman Delivers Remarks to the Center for Strategic and International Studies

Remarks as prepared for delivery

Law enforcement agencies increasingly rely on electronic evidence to investigate and prosecute crimes.  Thus, in our digital age, it is paramount that investigators maintain effective, efficient, and lawful access to electronic data.  That is especially the case as businesses store information across the globe in an effort to reach new markets, better serve their customers, and streamline their operations.

Every government confronts the challenge of accessing data across borders for law enforcement purposes.  I would like to speak to you today about the solution that my government has chosen.  It is a solution rooted in a broader vision of the Internet that is open, interoperable, and governed by the rule of law.  It is a solution that protects individual privacy and respects the legal regimes of other democratic nations.  And it is a solution that rejects one worldview that protects criminals by elevating privacy above every other value, just as it rejects another, equally dangerous worldview that would accept the jurisdictional claims of any foreign government, no matter how authoritarian it might be.

We stand at a pivotal moment in the future of cross-border data flows.  The decisions we make today will have extraordinary consequences for public safety, commercial innovation, and individual freedom.  I appreciate your willingness to listen to the solution my government has chosen to address these challenges.  Hopefully, you will find that vision as appealing as we do.

Our lives increasingly rely on a growing digital infrastructure.  This technological progress has brought with it profound change—much of it positive, and on an unprecedented scale.  The services and networks we depend on literally span the globe, along with the data centers that host our communications and the devices that route them to their destinations in an instant.  As a result, more entities handle more data in more places than was possible ever before.

These developments carry significant implications for individual privacy.  As societies, we are rightly concerned with understanding and managing those implications.  At the same time, privacy regimes should not impair the lawful and effective exercise of critical governmental functions.

When it comes to protecting the privacy of data, we in the United States engage in risk management.  Our elected legislatures determine which risks to private information are greatest, and the laws they enact reflect those commitments.  As a result, we have strong statutory privacy and security protections in particular areas such as healthcare, financial information, and employment, as well as for communications data.  We also have strong constitutional limitations on our government’s authority to access data in which there is a reasonable expectation of privacy.  By keeping communications open with the business community, the United States—while certainly not perfect—has nonetheless achieved some of the highest data security and privacy compliance rates in the world, while still maintaining a healthy, dynamic economy.

Tomorrow, the European Union’s General Data Protection Regulation, or GDPR, goes into effect.  The GDPR reflects a different approach to data protection.  Based on the premise that data protection is a fundamental human right, the GDPR defines personal information extremely broadly, announces a system of universal rules that apply irrespective of context, and imposes huge penalties for non-compliance.

The American approach to privacy and data security is different from that of Europe.  At the same time, we share with Europe a culture that deeply values respect for personal privacy and individual autonomy, as embodied in our Constitution and laws.  The perception that Americans do not care about privacy as much as Europeans do, or that US law does not adequately protect privacy, is unfair.  This misperception may have contributed to a series of European enforcement actions against US companies.  It sometimes seems that, in the European mind, the American tradition of strong privacy norms and enforcement is ignored, while transfers of personal data to countries that treat the values of personal privacy and individual autonomy with contempt, trigger little comparable scrutiny.

The problem isn’t simply one of selective enforcement.  The deeper issue is the risk that those charged with implementing the GDPR may attempt to regulate user privacy without fully weighing the potential costs to public safety.  To be clear, there is no reason why the GDPR, as currently drafted, should affect information sharing between law enforcement agencies.  The European Union and the United States already have entered into a binding international agreement governing privacy protections for such information sharing.  With respect to the sharing of EU person information by the private sector, the United States has entered into two binding international agreements governing the protection of particular types of transfers with US law enforcement.  And while the GDPR’s Article 48 places a preference on the treaty channel for data transfers to non-EU nations, that channel is “without prejudice to other grounds for transfer,” including pursuant to an “adequacy decision” or a finding that the other country sufficiently protects personal data.  If necessary, the United States is also well-positioned for a different agreement to cover future transfers, given our strong privacy protections in the area of law enforcement.  Finally, even absent blanket solutions, the GDPR authorizes transfers “necessary for important reasons of public interest,” including the need to combat serious cross-border crimes.

But even if the GDPR doesn’t pose a direct obstacle to cross-border law enforcement data sharing, the European model of data protection nonetheless sometimes threatens to significantly restrict government efforts to protect public safety and national security, as we have seen in litigation over areas as diverse as data retention and passenger name records.  The non-territoriality of electronic data exacerbates these effects.  Because of the Internet’s borderless nature, EU restrictions imposed in the name of privacy inevitably extend far beyond the EU’s borders, and, in effect, regulate even the core public safety missions of other rights-respecting countries.

Let me give you a concrete example.  Since the 1980s, persons who registered Internet domain names have accepted that doing so carries with it the obligation of making public certain limited contact information.  A non-profit entity, the Internet Corporation for Assigned Names and Numbers, or ICANN, manages that information, and maintains it in an online database called WHOIS.  The WHOIS database greatly assists investigators because determining who controls a domain can be important to making contact if the domain is being used to cause harm, such as hosting child exploitation materials or serving as part of a botnet’s command and control function.  American law enforcement agencies query WHOIS data tens of thousands of times a day, not only to investigate crimes, but also to identify suspects, witnesses, and victims.  Investigators also rely on WHOIS to combat fraud and deceptive practices.

Despite the WHOIS database’s obvious role in maintaining public safety around the world—including in Europe—the Dutch data protection authority has declared that the database is in direct violation of GDPR.  So far as we know, much of this critical source of information will be limited, if not completely blocked, for many non-law enforcement agencies starting tomorrow.  As for law enforcement personnel: starting May 25, they will have to find ways to ensure they retain access to the database, and to authenticate their identities.  The long and short of the extensive effort to make WHOIS GDPR-compliant is this: if European data protection authorities interpret the GDPR such that public access to the WHOIS database is restricted or eliminated, public safety will suffer—including in Europe.

It is not just WHOIS data that is at stake.  The evidence we need to identify all kinds of criminals and bring them to justice frequently takes the form of electronic communications data, and it often resides on the very same systems these individuals use to commit their criminal acts. 

That is why, if you ask any law enforcement officer with cyber experience, he or she will tell you that virtually every serious crime we investigate—from violent crime, to narcotics trafficking, to fraud, in addition to cybercrime and terrorism—requires effective and efficient access to electronic evidence.  To protect society against modern threats, investigators need evidence like the contents of emails, instant messages, and photos; they need traffic data and session logs; and they need subscriber information.  Yet, as a result of GDPR and of another draft EU law, the proposed e-Privacy Regulation—which in Article 7  would require providers, including non-EU based providers offering services in Europe,  to destroy or to anonymize metadata and content information that may be evidence of crime, once that information is no longer needed for purposes of transmitting a communication—law enforcement agencies worldwide may now find themselves blocked from obtaining this vital evidence in a timely manner, or even at all.  And while these regulations do allow EU Member States to legislate exemptions from these rules, they do not extend this privilege to countries outside of the EU.

These kinds of legal barriers dangerously impede our efforts—and those of our allies—to investigate serious crime and terrorism.

If the European model, which privileges privacy above other values (and often to the detriment of public safety) represents one worldview regarding cross-border data flows, the worldview espoused by nations like Russia and China represents another.  That worldview rejects outright the very concept of the free flow of information.  Instead, it focuses on citizenship, territoriality, and control, insisting—in its most extreme form—that basically every piece of information relating to a nation’s citizens must be housed in its own borders, and must be accessible to the government without basic privacy protections.

“Data localization” laws of this sort are costly for companies.  Isolating all of the information that pertains to a particular nation’s citizens within that nation’s borders also can impede the free flow of data and ideas, and inhibit the innovation and insights that such exchange brings about.  Wholesale data localization also empowers national governments, and authoritarian states employ that tool to surveil their citizens’ behavior, censor what they can see and hear, and identify and quell dissent.  That is hardly a recipe for protecting individual privacy.  And if those governments’ citizens are using the Internet to commit crimes that victimize citizens of other nations, it can become very difficult for those victims, or their governments, to secure the evidence they need to achieve justice.

Our experience in law enforcement and with our law enforcement partners teaches that building legal barriers in the world of communications technology has real costs, perhaps none greater than the cost to our collective safety and security.  That is because the same modern technologies that make it possible to communicate instantly from almost anywhere on earth also make it easier than ever for criminals and terrorists to harm our citizens from abroad, behind layers of anonymity, at a keystroke.  The reality is, digital threats are growing in size and sophistication.  We need a global response.

Today, the United States enjoys a unique position with respect to communications data because much of it is stored within the United States or by providers based in the United States.  We understand that we may not be in the same position even a few years from now.  We now have an opportunity to lead proactively in this area and are prepared to work with our allies to build new mechanisms that appropriately balance privacy and public safety.

Recently, the Department of Justice was able to work with Congress, providers, academics, and others to develop a new approach that we hope will be a path forward for how countries can work together more efficiently to obtain critical evidence from increasingly global providers.  This new approach represents the first step towards an international system in which rights-respecting countries are able to obtain effective access to data to investigate serious crime, no matter where the data happens to be stored.

In charting this new path forward, several principles have guided us.  First, we need legal mechanisms that enable law enforcement in rights-respecting countries to lawfully obtain digital evidence as quickly as possible.  We must work to reduce delays in obtaining evidence critical to solving fast-moving investigations involving terrorism, computer intrusion, and child exploitation, to name just a few.  These delays are dangerous and harmful to the safety and security of any country’s citizens.

Second, reforming the mutual legal assistance process is only one part of the solution, for both the United States and our allies.  Under the MLA process, the evidence is often slow to arrive, even with our closest partners; and with others, it may not arrive at all.  In addition, our partners can struggle to understand and comply with the very high US legal standards for the evidence they seek.  We have begun and will continue to improve the MLA process, and we ask our partners to do the same.  But that is not a panacea.

Third, we must preserve an open and interoperable Internet.  As I’ve mentioned, data localization requirements are counterproductive.  They exacerbate conflicts of law, reduce the efficiency of Internet communications, impose costs on companies seeking to do business online, and will ultimately undermine individual privacy if data is moved to jurisdictions that lack robust due process protections.

Finally, we cannot address existing conflicts of law—for example, situations where a communications provider is served with a lawful order by one democratic government demanding the production of data, but is barred from producing that data by the laws of the country in which the data is stored or where the provider is based—by creating new conflicts.  That is why we must avoid inflexible restraints on data transfers for law enforcement.  Instead, we should reduce potential conflicts where we can, including through bilateral agreements between rights-respecting countries that share robust privacy laws.  We can respect and improve safeguards for privacy and civil liberties without imposing a rigid, one-size-fits-all regime on countries that have their own legal traditions.  Indeed, we should support a flexible mechanism that can accommodate and respect different countries while still holding all of us to a rigorous, high standard.

Building upon these principles, the United States Congress recently passed, and the President signed into law, a statute that accomplishes these objectives in a way that is operationally sound, is privacy-enhancing, and is respectful of foreign sovereignty.  This law is known as the Clarifying Lawful Overseas Use of Data Act, or CLOUD Act.  I’d like to take a moment to explain to you exactly what it does.

First, the CLOUD Act clarifies the obligation of communication service providers subject to the jurisdiction of the United States to produce data within their control in response to lawful US government warrants, no matter where they have chosen to store it.  This is not a new obligation.  In fact, until a recent (and now-vacated) court decision, this had long been the status quo under US law, and it is the same authority that other rights-respecting countries assert for themselves.  Indeed, under the Budapest Convention on Cybercrime—a nearly two-decades-old international treaty that provides an essential mechanism for cross-border cybercrime enforcement and electronic evidence sharing—more than fifty nations around the globe already have agreed that national laws should include the authority to compel providers in their territory to disclose data in the providers’ possession and control, even when the data is held somewhere else.

So let me underscore this key point: the CLOUD Act does not create any new legal requirements under either American or international law.  Neither does it in any way reduce the constitutional burden on American investigators, when seeking a warrant, to provide a sworn affidavit to the satisfaction of an impartial judge establishing both probable cause and particularity.    

That brings me to a second major development in the CLOUD Act: the legislation establishes a new framework for bilateral agreements with our partners that directly addresses potential conflicts of law.  Under such agreements, each nation commits to removing legal impediments so that providers can comply with the other nation’s lawful orders seeking communications data in investigations of serious crime.  For covered orders, no MLAT process would be required; legal process could be served directly on the provider, even though the data that is sought may be stored in the other country.  Again, the CLOUD Act does not impose any new obligations under US law.  Rather, a provider’s obligations derive solely from the requesting country’s law.

It bears emphasizing that, in order to benefit from the CLOUD Act framework, a foreign country’s orders must be in furtherance of serious criminal and terrorism investigations; and they may not target US persons or persons located in the United States. The statute also requires that implementing procedures and oversight measures be put in place to ensure this rule is followed.  In other words, this is not a blank check.

A foreign country can qualify for a bilateral agreement under the CLOUD Act only if our Attorney General, with the concurrence of the Secretary of State, first certifies to Congress that the country has met robust obligations and commitments designed to protect privacy and civil liberties.  These commitments include laws that are compatible with the Budapest Convention; a demonstrated respect for the global free flow of information; and adherence to international human rights obligations, among other things.  In addition, that nation’s orders must be subject to review or oversight by a court, judge, magistrate, or other independent authority; they may not be used to infringe freedom of speech; and they must be targeted at individual accounts.  Bulk surveillance is not permitted.

Finally, let me underscore that the CLOUD Act involves data transfers for law enforcement purposes.  It does not undercut or create a conflict with the Privacy Shield framework, which provides a legal basis under EU law for transfers of data from the EU to registered US private companies.  The Privacy Shield framework of commercial data transfers is unrelated to, and unaffected by, the CLOUD Act.

As a whole, the CLOUD Act addresses both the conflicts that may arise when the United States seeks data abroad and when our foreign allies seek data located in the United States for law enforcement purposes.  Managing both sources of potential conflict simultaneously is critical.

We believe the CLOUD Act framework offers major benefits to our qualifying law enforcement partners.  It was enacted on the premise that, where our partners are more effective in investigating serious crime, we are all safer—especially in a world in which terrorism and many other criminal threats are transnational in nature.  I understand that the Act, as with any new legal regime, may not be well understood.  To be sure, there will be challenges in its implementation, and one of my goals today is to try to address some of the questions that we have received about the Act.

First, as you may know, the US government is already in the process of negotiating the first CLOUD Act agreement, with the United Kingdom.  This agreement would lift legal restrictions on providers that might prevent them from disclosing data directly to UK authorities for investigations of serious crime, including terrorism, where the UK has obtained authorization to access the data under its own laws.  Under the agreement, the United States would have reciprocal rights with respect to data subject to UK law. 

We hope to conclude this agreement first before entering into other bilateral agreements, and we expect to negotiate similar agreements with other privacy-respecting, rights-protecting governments around the world.  We have not yet begun negotiations with any other country, although there have been many expressions of interest.

Second, countries that are interested in negotiating a bilateral agreement should keep in mind the robust set of privacy and civil liberties protections I mentioned before, which are listed in the text of the statute.  We cannot execute an agreement with a country unless our Attorney General can certify, and provide a written explanation to Congress, that the country’s legal system—both on paper, and in practice—meets those high thresholds.

I have seen commentary suggesting that the CLOUD Act permits foreign countries that we execute an agreement with to potentially wiretap people located anywhere in the world, so long as the target of the wiretap is not a US person or located in the United States.  That is simply untrue.  As I’ve just mentioned, the statute requires that any country we enter into an agreement with has in place robust substantive and procedural protections for individual privacy and civil liberties.  These are the same standards our partners routinely apply when they seek wiretaps within their own countries and the data is accessible there.  Moreover, the CLOUD Act also requires heightened requirements specifically for a wiretap order, many of which mirror the heightened requirements for a wiretap order under US law.

I’ve also heard the suggestion that the CLOUD Act allows the US government to engage in mass surveillance of other nation’s citizens.  That, too, is simply incorrect.  As I emphasized before, this law does not in any way reduce the constitutional burden on American investigators, when seeking a warrant, to persuade a neutral judge that probable cause exists connecting the contents, say, of a particular email account to a specific crime.   

Finally, any country that is interested in a bilateral agreement may wish carefully to consider the various provisions outlined in the CLOUD Act regarding the criteria that must be met with respect to a particular order requiring the production of electronic evidence.  For example, do the country’s orders require a showing based on articulable and credible facts, particularity, legality, and severity?  Can the country afford reciprocal rights of data access, including by removing any domestic legal restrictions it may have that would otherwise prevent communications providers from responding to valid legal process issued by the United States?  Can the country adopt and implement appropriate “targeting and minimization” procedures, which are designed to ensure that US persons or persons located in the United States are not targeted, and that any information concerning such persons that may incidentally be collected, is properly restricted?  Will the country submit to periodic review by the United States of its compliance with the terms of any bilateral agreement?  Of course, my government understands that we, too, have to be prepared to meet similar conditions with regard to our obligations under any agreement.

While the laws of some nations may already be sufficient to meet the requirements of the CLOUD Act, others may need to make modifications before they can become eligible for a bilateral agreement.  In fact, the United Kingdom undertook changes to its own laws in order to assure that it could comply with the CLOUD Act’s requirements.  But I should emphasize that no one expects foreign countries to adhere to US laws governing US legal process.  Countries with sufficient civil liberties and privacy protections within their own system will be able to obtain data under this framework under their own legal standards.  Nonetheless, we expect that any interested country will make significant efforts to facilitate entering into an agreement, including by evaluating its own laws and by identifying and undertaking any necessary reforms in due course.

Let me offer some concluding thoughts.  One of the enduring principles of any stable society is the responsibility of its government to protect its citizens.  In today’s world, access to electronic evidence, wherever it may be stored, is a necessary means to fulfilling that solemn responsibility.  Countries with a commitment to human rights and civil liberties must work together in that endeavor, and not against one another.  We are at an important inflection point in building those cooperative relationships. The CLOUD Act offers that opportunity, and the United States stands ready to work with our partners to build new and efficient structures to enhance both privacy and public safety