The European Commission just proposed legislation to solve the problem faced by European law enforcement agencies (LEAs) when they try to collect investigative data such as emails and text messages stored by communication service providers (CSPs) in foreign data centers.  The proposal, called the EU Production Order, would potentially replace existing investigative channels such as mutual legal assistance treaties (MLATs), which are considered slow and unreliable. The US recently enacted a similar law called the Clarifying Lawful Overseas Use of Data Act, also known as the “Cloud Act.”  How would the Production Order and the Cloud Act affect international CSPs?

Under the proposed Production Order, CSP subscriber data would be collected as follows.  First, an LEA in an EU member state such as France would submit its data request to a French court.  The targeted data may consist of stored “content” (e.g. the text of an email) or “transactional” information (e.g. the names and phone numbers of the suspect and the people he or she calls).  If the judge grants the LEA’s request, the LEA would serve the resulting court order on the suspect’s CSP.  The CSP may have stored the targeted data in another EU member state such as Germany, or in a non-EU nation such as the United States.  But regardless of the storage location, the CSP would be required to disclose the data to the LEA.

The Cloud Act is an American version of the Production Order.  It would permit a US court to order the disclosure of subscriber records, regardless of whether they happen to be stored in the US.  The US plans to enter into agreements with other countries – at least with other democracies – that establish systems of reciprocity so each nation’s courts can access data stored in the other country while respecting a common baseline of due process and privacy rights.  If implemented as planned, the reciprocity agreements would avoid conflicts of law where a CSP is ordered by a US court to disclose data that is stored in a foreign server and protected from disclosure by the foreign nation’s privacy law.

In the US, the Cloud Act was supported by both the government and industry.  As a result, the Supreme Court dismissed a pending case involving Microsoft emails in Ireland that had raised the issue of LEA access to foreign-stored data.  The Court might have either forced Microsoft to disclose the material to the FBI or curtailed the power of US courts to assert extra-territorial jurisdiction over foreign-stored data.  Either outcome could have severely harmed the interests of the losing side.  The Cloud Act envisions that in the age of cloud computing, where a subscriber’s data may be stored in any country, the interests of both privacy and law enforcement may be served.

If the EU Production Order is enacted into law, CSPs serving EU markets should expect to receive a greater volume of records requests from European LEAs.  With the passage of the Cloud Act, CSPs serving the US will likely receive more records requests from American LEAs.  There may be confusion in the short run before the reciprocity agreements come into play.  For example, a US CSP may have difficulty determining whether it is prohibited by a foreign privacy law from disclosing foreign-held records in response to a valid US order.  Moreover, the process of negotiating even one reciprocity agreement could take years.

On the other hand, the US and Great Britain have already negotiated the framework of a reciprocity agreement that appears to satisfy the needs of both privacy and public safety.  That framework could become the model that all other nations adopt.

At the very least, the EU and US legislative initiatives may finally solve the longstanding problems of evidence-gathering in criminal and terrorist investigations.  No longer can a criminal or terrorist subscribe to a CSP in a particular country for the purpose of evading law enforcement in other jurisdictions.