The internet has allowed people and businesses to become connected at a scale once thought unimaginable. With just the click of a button families can share photos, banks can process loans, universities can share research, and so much more. Alongside the growth of these positive innovations, however, cyber criminals have become increasingly sophisticated, and there has been a corresponding increase in the sophistication and severity of global cyber crime. While criminals are able to build and leverage global networks to achieve their goals, law enforcement officers around the world remain stuck in a world of physical borders and jurisdictional limits on their powers, often having to navigate both complicated domestic legal systems and an increasingly complicated patchwork of international government access and information sharing laws, treaties, and political relationships. In a world of increasing global data flows, criminals have taken advantage of the fact that laws governing law enforcement access to data haven’t kept up, often allowing them to evade justice.
As a policy response to these circumstances, an increasing number of governments have turned to data localization requirements, believing that if companies store their data locally, law enforcement and security agencies will have more reliable and timely access. In reality, however, data localization laws offer an inefficient half-measure at best. In fact, they may make the situation worse. By leading the conversation away from a concerted global approach to solving the actual underlying problem of cross-border law enforcement access, data localization laws lead national governments to adopt inward looking, protectionist approaches that undermine global security efforts and provide openings for criminal networks to take advantage of the absence of international cooperation.
A superior approach to tackling security concerns in the long run, is promoting a more efficient use of mutual legal assistance treaties (MLATs), while also exploring how to better leverage multilateral solutions. An MLAT is an agreement between two or more countries that facilitates the gathering and exchanging of information related to enforcement of public or criminal laws. The trouble with how MLATs currently operate is, though they allow two countries to share information via the judicial process, they are slow and cumbersome to process, and are an especially inefficient mechanism when the information is needed immediately to prosecute a crime.
The MLAT system was designed for a time before the digital age took hold, and as a result, struggles to cope with the pace and complexity of data transfers across multiple jurisdictions. This is a problem not only for law enforcement around the world, but also for individuals who depend on the transparency and judicial oversight that is often built into MLATs to protect their privacy and other important rights. An increasing reliance on alternative, ad hoc and informal mechanisms for timely information transfer may not offer the same level of protections.
In light of these concerns, one more forward looking solution worth further exploration is the potential expansion of formalized multilateral instruments to provide mutual legal assistance and law enforcement cooperation, such as the Budapest Convention on Cyber-crime, which seeks to harmonize national laws and improve cooperation amongst nations without compromising citizen’s rights in adjacent areas.
Governments should also consider voluntary disclosure frameworks for private sector actors who operate multi-nationally. Providing a legal mechanism to allow companies to voluntarily share data with governments across borders for legitimate law enforcement purposes could pave the way for greater cooperation. The proposed US-UK bilateral treaty is an example of such a forward looking approach. The proposed US-UK agreement would ease domestic investigations in the UK by allowing companies under US jurisdiction to share relevant information with British law enforcement agencies, potentially bringing cyber and other criminals to justice more swiftly. Of course, enabling legislation would be required in the U.S. to implement such an approach, and the legislative proposal sent by the Obama Administration to the U.S. Congress would amend ECPA, amongst other things. If such a proposal were to become law, the hope is that the US-UK approach could then be extended to other countries who meet a certain level of oversight and due process requirements.
National governments will inevitably have to confront the challenge of global threats to domestic security, and the best way to do this will require strengthening networks of cooperation. More than ever, it has become critical that countries enter into reciprocal information sharing agreements to root out both domestic and non-domestic threats to global security.
Forced Localization Blog Series Table of Contents:
- What is Forced Localization?
- Local Content Requirements
- Local Presence Requirements
- Local Standards and Conformity Assessment
- Data Localization Explained
- The Costs of Data Localization
- Development and Data Localization
- Privacy Protection and Data Localization
- Cybersecurity and Data Localization
- Law Enforcement Access to Information and Data Localization
- Using Trade Agreements and other Multilateral Approaches to Address Forced Localization