Responding to Foreign Requests for Data Through the MLAT Process
What happens when a foreign law enforcement agency seeks information from a U.S.-based communications service provider in order to obtain evidence in an investigation? U.S.-based companies often must consider whether and how to respond to requests from foreign law enforcement agencies. This includes communications providers as well as companies that provide a range of services not limited to electronic communications services or data storage.
The Electronic Communications Privacy Act (“ECPA”), 18 U.S.C. § 2501 et seq., is generally interpreted to preclude U.S.-based communications companies from providing stored user content directly to foreign governments. While U.S. companies are permitted by U.S. law to provide non-content data to foreign governments, in non-emergency circumstances, companies generally require foreign governments to go through the U.S. government as provided for in the Mutual Legal Assistance Treaty (“MLAT”) between the countries. This ensures that the incoming request conforms to U.S. legal standards, including, but not limited to, comparable protections as afforded by the Fourth Amendment. A request processed under the applicable MLAT is also subject to the supervision of a U.S. federal judge. Companies that do business globally also need to consider how compliance with a particular law enforcement request complies with various countries’ laws, including, for example, the laws that apply where the company is headquartered, where the company has offices and operations, and where the company stores its user data.
From a process perspective, requests by foreign government law enforcement organizations to U.S. companies using the MLAT process are routed through the U.S. Department of Justice’s Office of International Affairs, which reviews and processes requests in coordination with the appropriate U.S. Attorneys’ Office. Next, the request is reviewed by a federal judge for sufficiency. The judge then authorizes legal process that can be served domestically on the U.S. company. MLATs can also be used for outgoing requests; that is, a U.S. law enforcement agency can request information or data stored by a foreign company in a foreign country. (The issue of whether U.S. law enforcement can request data held by a U.S. company when the data is located abroad is yet another variation, and is pending Supreme Court consideration.)
When there is an emergency, foreign government investigators may make disclosure requests directly to a U.S. company. Currently, ECPA does not expressly authorize companies to provide foreign governments with content information even in an emergency. Such disclosures are authorized by ECPA only to U.S. law enforcement. Nevertheless, companies have made such disclosures anyway, relying, at least in part, on exceptions they have carved out in their own Terms of Service and Privacy Policies especially where such disclosures may help prevent serious injury or death in the face of an imminent threat.
The MLAT process has been widely recognized across sectors as a legal framework and bureaucratic process that has not kept pace with the expansion of worldwide use of U.S.-based communications providers, the increasing volume of electronic data being stored in different countries, and the varying business and technology models adopted by different platforms. Law enforcement officials across the globe often seek out data located in another country to help solve cases. As an example of one effort to improve the existing practice, the U.S. Justice Department has prepared a proposal that would provide a framework for a bilateral agreement with the U.K., that would facilitate U.K. law enforcement’s ability to obtain communications content directly from U.S. providers. U.S. government officials assess that, if approved, this framework that has been negotiated with the U.K. could serve as a model for future agreements with other countries. Civil liberties groups, however, have expressed concerns that the proposal fails to adequately protect the privacy rights of users, and expands intrusive government surveillance activities. In order for the proposal to be effectuated, legislation is needed, including amendments to existing communications-related laws that would lift the bar against U.S. service providers responding directly to foreign governments in response to requests for the content of communications. Until legislation and accompanying process changes are made, however, companies should continue to evaluate day-to-day foreign government requests for data under the existing framework that is provided for under MLATs.