by Bruno Calabrich, Federal circuit prosecutor (Brazil)
There is a crisis in the world today concerning electronic evidence (e-evidence). Law enforcement authorities need to access and analyze various kinds of electronic data to conduct efficient investigations and criminal prosecutions. This need is not limited to investigating and prosecuting so-called internet crimes: virtually any crime today can be committed via the internet, and even crimes that are not carried out over the web can possibly be elucidated by information stored on one node of the internet or another. The problem is that enforcement authorities cannot always, or easily, access these data[i], as the servers where they are stored are frequently located in a different country. Thus, international cooperation is frequently a barrier to overcome so that the e-evidence can be obtained in a valid and useful way. And, today, the differences around the world in the legal structures available for this task may not be helping much.
The best-known instruments for obtaining electronic data stored abroad are MLATs (Mutual Legal Assistance Treaties), agreements signed between two countries to cooperate in exchanging information and evidence (not restricted to internet evidence) that will be used by authorities in investigations and formal accusations. The cooperation occurs from authority to authority, according to a bureaucratic procedure specified in each treaty, with one authority requesting the data (where it is needed) and the other providing it (where it is located). But in a fast-changing world, where crime and information move even faster, MLATs are not proving to be a fast and efficient route. In Brazil, for instance, the success rate of cooperation with the United States through its MLAT reaches roughly 20% of the cases. Brazil, the US and other countries do not seem to be satisfied with that.
Seeking an alternative, the US enacted the CLOUD Act, a bill approved by the North American Congress and signed into law by President Donald Trump in March 2018, amending Titles 18 and 47 of the United States Code[ii], “to improve law enforcement access to data stored across borders, and for other purposes”[iii].
The text of the CLOUD Act was included within a budget bill, which requires a single vote in each of the houses of Congress and which had to be approved for the government to keep functioning (otherwise a so-called “shutdown” occurs). This strategy allowed the bill to be approved quickly and without much debate[iv].
It is true that the approval of the CLOUD Act is embedded in a broader context; yet the bill could be directly linked to a setback suffered by the US Department of Justice (DoJ). In an investigation into drug trafficking, the investigators sought to obtain IP data and e-mails of a particular user stored in a Microsoft e-mail account. Microsoft denied the demand on the ground that the information was stored on a server located in Ireland (more precisely, in its subsidiary company, Microsoft Ireland). Since a US Court doesn’t have jurisdiction over Ireland, the information could only be exchanged through an international cooperation procedure. The DoJ took the case to court, insisting on obtaining a search warrant to compel Microsoft to hand over the data. The New York District Court of Appeals denied the DoJ’s request, stating that the Stored Communications Act did not provide a basis for a search warrant outside US territory. The DoJ challenged this decision and the Supreme Court of the United States granted the Writ of Certiorari.
The judgment was pending and, soon after the CLOUD Act was passed, the case was dismissed[v]. As stated in the Supreme Court’s decision:
“The parties now advise us that on March 23, 2018, Congress enacted and the President signed into law the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), as part of the Consolidated Appropriations Act, 2018, Pub. L. 115–141. […]
Soon thereafter, the Government obtained, pursuant to the new law, a new §2703 warrant covering the information requested in the §2703 warrant at issue in this case.
No live dispute remains between the parties over the issue with respect to which certiorari was granted”.
In practice, with respect to international cooperation in the matter of e-evidence, the CLOUD Act aims to replace the Mutual Legal Assistance Treaty instrument with Executive Agreements. The main advantage would be the possibility of obtaining the data directly from the defendant companies, without depending on a judicial decision in the country where the data is stored[vi], thereby overcoming the slowness and inefficiency of MLAT-based cooperation[vii].
In parallel to the North American initiative, the European Parliament and the Council of the European Union (EU) approved Regulation 2016/679, known as the General Data Protection Regulation (GDPR)[viii], and Directive 2016/680, entitled Data Protection Directive on Police Matters[ix] (DPDPM), “with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data”[x]. These two European documents set a model that differs, in some relevant aspects, from the North American one[xi].
One aspect worth noting is that the DPDPM appears to be more restrictive regarding the requirements for the exchange of data between Member States and third countries and international organizations, and regarding the level of data protection mechanisms, as seen, for instance, in Articles 15, 19 and 20 of Directive 2016/680. The GDPR, in a similar tone, raises the standards of data protection as a whole. Another characteristic that seems to distinguish the American model from the European one is the role of internet companies. The CLOUD Act ascribes important responsibilities to them: they will have the legitimacy to defend, in court if necessary, the interests of their customers or users and to justify the refusal to deliver their data[xii]. Note that it will not be the user but the company holding the user's data that defends him or her against a request considered (by the company) arbitrary, abusive or liable to somehow put the user or client at risk.
It is worth considering how the issue has been addressed in other countries, and Brazil can be an interesting example.
Brazilian Law No. 12.295/2014[xiii], the “Brazilian Civil Rights Framework for the Internet”[xiv], has an express provision that obliges foreign companies to submit to Brazilian legislation. Strictly speaking, the disclosure of data to Brazilian public authorities is already a legal obligation for any company operating in Brazil. If the data were stored in the US, Brazilian investigators could have access to the information (if authorized by a judge) and would not depend on the signing of an Executive Agreement between Brazil and the USA grounded in the CLOUD Act.
According to Law No. 12.295/2014,
“Art. 11. In any operation of collection, storage, retention and treating of personal data or communications data by connection providers and internet applications providers where, at least, one of these acts takes place in the national territory, the Brazilian law must be mandatorily respected, including in regard the rights to privacy, to protection of personal data, and to secrecy of private communications and of logs.
§ 1º The established in Art. 11 applies to the data collected in the national territory and to the content of the communications in which at least one of the terminals is placed in Brazil.
§ 2º The established in Art. 11 applies even if the activities are carried out by a legal entity placed abroad, provided that it offers services to the Brazilian public or at least one member of the same economic group is established in Brazil.”
Clearly, at least under Brazilian law, Brazilian authorities may require data stored abroad based solely on a direct judicial decision of a single Brazilian magistrate. Even a European company wishing to comply with this decision may be in breach of the GDPR and the Directive 2016/680.
In order to protect themselves, internet companies filed a Direct Action for Unconstitutionality (ADIN No. 51) in the Brazilian Federal Supreme Court in 2017. The plaintiff is an entity that brings together information technology companies operating in Brazil, the “Federation of Associations of Information Technology Companies” (Federação das Associações das Empresas de Tecnologia da Informação – Assespro Nacional). Facebook Inc. asked the Court to intervene as an amicus curiae in the process. The result sought by the plaintiff is for the Court to declare unconstitutional a Decree (Federal Executive Decree No. 3,810/2001), precisely the decree that promulgated the Mutual Legal Assistance Treaty (MLAT) between Brazil and the US. As a consequence of the declaration of the unconstitutionality of this decree, these companies expect to be released from complying (directly) with Brazilian decisions, and that judges and other public security authorities will be compelled, in such cases, to use the MLAT or a similar instrument. The Supreme Court has yet to rule on the case, and it is unknown which model will prevail.
In the global context, what’s at stake may be not only the effectiveness of cooperation between authorities of different countries for the exchange of data, but also the authority of the internal legislation of each country and the relation between these authorities and internet companies. This tension may be related to the peculiarities of each regulatory paradigm: the American paradigm, based on the CLOUD Act; the European paradigm, based (at the present time) on the GDPR and the DPDPM; and other paradigms under construction in other countries, such as Brazil. They need to reach common ground in the near future, and that doesn’t seem to be an easy challenge.
[i] For the purposes of this brief text, we’re using the words data and information as synonyms for electronic evidence.
[ii] Title 18 is the main US criminal code; Title 47 is the Telecommunications Act.
[vi] The CLOUD Act does not (necessarily) require a court decision of the country where the data is stored.
[vii] In Brazil, as a general rule, investigators and prosecutors can obtain and validly use private internet data only if previously authorized by a judge: the matter is subject to the so-called jurisdictional reserve, as established in its Federal Constitution, article 5, XII (<http://www.stf.jus.br/repositorio/cms/portalStfInternacional/portalStfSobreCorte_en_us/anexo/Constitution_2013.pdf>); also in Law No. 9,296/1996, article 3, and in Law No. 12,965/2014, article 22.
[x] The Directive 680/2016 should be transposed by the Member States by 6 May 2018.
[xi] It should also be noted that on 17 April 2018, the European Commission proposed new rules, in the form of a Regulation and a Directive, “on European Production and Preservation Orders for electronic evidence in criminal matters”: <https://ec.europa.eu/info/policies/justice-and-fundamental-rights/criminal-justice/e-evidence-cross-border-access-electronic-evidence_en>
[xii] (1) AMENDMENT.—Chapter 121 of title 18, United States Code, is amended by adding at the end the following:
“§ 2713. Required preservation and disclosure of communications and records (…)
“(2) MOTIONS TO QUASH OR MODIFY.— (A) A provider of electronic communication service to the public or remote computing service, that is being required to disclose pursuant to legal process issued under this section the contents of a wire or electronic communication of a subscriber or customer, may file a motion to modify or quash the legal process where the provider reasonably believes—
“(i) that the customer or subscriber is not a United States person and does not reside in the United States; and
“(ii) that the required disclosure would create a material risk that the provider would violate the laws of a qualifying foreign government.
Such a motion shall be filed not later than 14 days after the date on which the provider was served with the legal process, absent agreement with the government or permission from the court to extend the deadline based on an application made within the 14 days. The right to move to quash is without prejudice to any other grounds to move to quash or defenses thereto, but it shall be the sole basis for moving to quash on the grounds of a conflict of law related to a qualifying foreign government.
[xiv] Also known as the “Brazilian Internet Civil Landmark”.