Goodlatte Statement at Hearing on "International Conflicts of Law Concerning Cross Border Data Flow and Law Enforcement Requests"

Chairman Goodlatte: Today’s hearing will examine international conflicts of law and how these conflicts impact law enforcement access to data both here and abroad. This is an extremely important issue that affects individuals, technology companies, law enforcement, and the economy. In the digital age where the Internet knows no boundaries, U.S. technology companies have flourished internationally and provide services to customers and subscribers around the world.  But, there is a growing tension between U.S. law and foreign law, and U.S. technology companies are caught in the middle.  U.S. law places restrictions on access to data by foreign countries, making it difficult, if not impossible in some instances, to obtain evidence of crimes or terror plots carried out by their own citizens in violation of their laws. This has provided an incentive for foreign governments to enact their own legislation to address the problem.  Some foreign governments have enacted laws requiring U.S. technology companies, as a requirement for doing business there, to comply with that government’s requests for data.  Alternatively, other countries are considering legislation that would require U.S. providers to locate servers in that country to ensure that country’s jurisdiction over the U.S. provider. This is sometimes referred to as “data localization.” The disparity between U.S. and foreign law has similarly created a conflict with regard to what law governs requests by the U.S. government to U.S. companies for data stored in foreign countries.  Certain foreign countries prohibit the removal of data from their boundaries in contravention of their law.  U.S. law, on the other hand, makes no distinction between data stored domestically versus data stored abroad, nor any distinction with regard to the nationality or location of the customer. The result of these conflicts is that U.S. technology companies find themselves with a Hobson’s choice.  Either comply with U.S. law, or comply with foreign law.  But, it is increasingly impossible to comply with both.  This is an untenable situation for U.S. tech companies. This conflict also thwarts timely access to information by foreign governments and has the potential to create additional barriers for U.S. law enforcement. Current U.S. law requires foreign governments who want access to content maintained by a U.S. technology company to make a government-to-government request for the data.  This is generally accomplished through the Mutual Legal Assistance Treaty (MLAT) process.  But frankly, the MLAT process is slow and cumbersome.  It has been reported that an MLAT request takes, on average, approximately ten months.  This is clearly causing serious frustrations from foreign governments who have legitimate interests in their own public safety.  For example, a foreign government may be investigating criminal activity that has occurred wholly within that government’s borders by its own citizens, but because the perpetrators are utilizing the email services of a U.S. email provider, that foreign government cannot get access to email content for evidentiary purposes except through the MLAT process, which takes entirely too long. The current, arduous MLAT process likewise poses significant hurdles to the U.S. government obtaining information stored abroad from U.S. companies and is not designed to carry the heavy burden of these types of cross border data requests.  It is abundantly clear that Congress must find a modern legislative approach that embraces the modern manner in which data is stored and acquired internationally. One such approach could be bilateral agreements between the U.S. and foreign countries that work to resolve or waive these conflicts of law.   Earlier this month it was reported that the U.S. and the United Kingdom recently commenced negotiations on a bilateral agreement that would allow the U.K. government to request data directly from U.S. companies in criminal and national security investigations not involving U.S. persons. This type of agreement may serve as a model for future agreements and thus relieve some of the international pressure on U.S. tech companies, but we must closely examine important details such as the legal standard for which the U.K. government may make requests of U.S. tech companies; whether such requests would require an independent review; and what privacy protections should be implemented.  Such an agreement could also help alleviate any conflicts of law relating to requests by the U.S. for data stored abroad by U.S. companies.  But, any such agreements must preserve Americans’ civil liberties and privacy protections embodied in U.S. law. Ultimately, in order for a bilateral agreement of this kind to have effect, Congress would first need to enact legislation enabling direct access to U.S. companies by foreign governments and prescribing the criteria that must be met by the foreign government to receive such access. Once again, the House Judiciary Committee finds itself at the forefront of a pressing issue that impacts personal privacy, national security and public safety, economic viability, and the rule of law.  Members of this committee have been dedicated to finding a legislative solution to address the issues raised by the current conflict of laws, and we will continue to examine all options presented to the committee.  As always, we will not shy away from the heady task ahead of us in finding a thoughtful, balanced solution to this problem. I look forward to closely examining these issues today and hearing from our distinguished witnesses.