Privacy and Security Across Borders

Privacy and Security

Article Snapshot


Jennifer Daskal


Yale Law Journal, Vol. 128, pp. 1029-1051, 2019


New rules in the United States, Europe, and Australia give law enforcement access to digital evidence even when the data is stored abroad. These rules may conflict.

Policy Relevance

Baseline rules for cross-border access to data should safeguard civil liberties. 

Main Points

  • Governments seek to access digital evidence for law enforcement, even when the data is held by a technology company outside the territory of the investigating state.
  • Generally, investigators in state A may not seize property located in target state B; traditionally, the investigating state must request the assistance of authorities in the target state under Mutual Legal Assistance (MLA) treaties.
  • Policymakers disagree as to how far the authority of a nation to order a company to produce data should extend.
    • Only to data stored within the territory of the state?
    • To data stored by companies headquartered within the state?
    • To data stored by companies with a physical presence within the state?
    • To data stored by any company that offers service within the state?
  • In the US, the Clarifying Lawful Overseas Use of Data (CLOUD) Act sets out rules for access to data across borders.
    • Law enforcement may access all data within control of a US-based provider, wherever the data is located.
    • Data providers may ask the court to quash an access order conflicting with foreign law.
    • Foreign states must make MLA requests for data held within the US, but this restriction may be lifted for some countries.
  • The European Commission’s draft e-Evidence Regulation authorizes each state to compel production of data from providers in another European Union (EU) member state; providers and the state where the data is located may make a limited range of objections within 10 days.
  • Australian law authorizes law enforcement to compel access to data from any provider offering service in Australia; however, if law enforcement seeks to access data directly from a device, they must make an MLA request of the state where the data is stored, even if the device is in Australia.
  • Broad assertions of jurisdiction undercut protection of civil liberties, but denying legal authority to access digital data across borders would be futile.
    • Nations could pass data localization laws, requiring all firms to store data locally.
    • Nations would secretly access data.
  • Efforts to set baseline rules offer an opportunity to protect civil liberties and accountability.
    • The CLOUD Act is innovative in providing judicial review.
    • The EU’s strict time limits on objections raise substantial concerns.
    • Policymakers should consider how acquired data is stored and used.

Get The Article

Find the full article online

Search for Full Article