Google pitches new legal framework for cross-border data handling

The current legal ambiguity concerning cross-border law enforcement requests for data has slowed down investigations and leaves consumer privacy at risk, Google argued in Washington, DC.
Written by Stephanie Condon, Senior Writer

Google on Thursday proposed a new, international legal framework to govern cross-border law enforcement requests for data.

The current laws underpinning digital evidence gathering are outdated, Google general counsel Kent Walker argued in a blog post and in a speech in Washington, DC.

"These rules are due for a fundamental realignment in light of the rapid growth of technology that relies on the cloud, the very real security threats that face people and communities, and the expectations of privacy that internet users have in their communications," he wrote.

Google's proposed legal framework is guided by two general principles: First, countries should be able to directly ask service providers for user data pertaining to serious crimes within their borders and users within their jurisdiction -- so long as those countries agree to baseline principles of privacy human rights and due process. Google doesn't specify how to define those principles.

Second, Google suggests the US and other countries (that meet "baseline standards) sign bilateral agreements to govern cross-border digital evidence gathering. These agreements would need to be authorized under new US legislation.

Currently, the US Electronic Communications Privacy Act (ECPA) requires foreign governments to use diplomatic mechanisms such as Mutual Legal Assistance Treaties (MLAT) to access content held by a company in the US. This can delay investigations for months. Furthermore, it poses a threat to consumer privacy, Walker argued: Rather than go through the lengthy MLAT process, some countries are now claiming their own evidence-gathering laws apply to companies and individuals outside of theri borders.

Meanwhile, US investigators have tried to use the ECPA to compel service providers to disclose user data that is stored outside of the US, but those efforts have been held up in court.

Rather than asserting their own laws overseas, some governments have considered alternative workarounds: They've considered proposals to require companies to store data within local borders. Walker said there is a "host of problems" with this idea.

To address these challenges, the US would first need to reform its laws, and Walker said Google is "pleased to see serious debate" on the matter.

Google has endorsed the International Communications Privacy Act (ICPA), a bill introduced in the last Congress, which would allow US law enforcement to use a warrant to collect digital evidence based on the location or nationality of the person in question, rather than basing it on the location of the data.

"While refinements to ICPA may be necessary, we believe the principles upon which ICPA is based are sound," Walker wrote.

Meanwhile, the current Republican-led Congress has made some progress in their efforts to update laws concerning domestic digital evidence collection. In February, the House unanimously passed the Email Privacy Act, which would update the ECPA to require the US government to obtain a warrant before it can compel companies like Google to hand over the content of users' communications. The Senate, however, has yet to take up the bill.

More on government data collection:

Editorial standards