By Will Horvath
Ahead of the June 15 House Judiciary Committee hearing on “Data Stored Abroad: Ensuring Lawful Access and Privacy Protection in the Digital Era,” tech industry groups sent Congress a clear message: the International Communications Privacy Act (ICPA) would serve as a solid foundation to address the untenable legal ambiguity regarding lawful access to data under current law. In a letter to lawmakers, ACT | The App Association joined 12 other industry groups, including the U.S. Chamber of Commerce, the Internet Association (IA), and the National Association of Manufacturers (NAM), to advocate for a modern framework addressing law enforcement access to data stored abroad. The letter’s signatories represent businesses of all sizes and interests within the tech community, and their agreement unequivocally shows the current framework governing lawful access desperately needs revision. We hope Members of Congress are listening and working constructively to address this significant problem.
The hearing highlighted the importance of quick congressional action to avoid additional conflicts of law that hurt both American business and law enforcement agencies. At the start of the hearing, Members of Congress discussed the forthcoming implementation of the European Union’s (EU) General Data Protection Regulation (GDPR). The GDPR, which will go into effect in May 2018, imposes stringent privacy requirements on American companies operating in the EU. Specifically, Article 48 of the GDPR prohibits a company operating in the EU from complying with a law enforcement order from another country, unless it is issued under the framework of an agreement, like a mutual legal assistance treaty. This means that if a U.S. company receives a warrant from American law enforcement for data stored in the EU, and complies, it could be penalized with heavy fines.
California Representative Zoe Lofgren (D-CA) expressed her concern that without reform to the American legal framework, the GDPR will make it so that “great American companies are going to be in violation of the law no matter what they do.” Representative Darrell Issa (R-CA) doubled down on Rep. Lofgren’s point, prompting Richard Downing, who testified on behalf of the U.S. Department of Justice, to respond that the concerns are overstated. He reasoned that EU member countries must interpret the requirements of the GDPR, which gives them flexibility in their implementation of the directive to create “exceptions and loopholes.” Neither Rep. Issa nor Rep. Lofgren were comforted by the suggestion that EU member states could be relied upon to prevent conflicts with U.S. law on behalf of American companies.
The App Association represents businesses engaging and storing data across the globe. We agree that U.S. companies shouldn’t have to rely on “exceptions and loopholes” to conduct business internationally. Congress must act to revise the U.S. statute before the GDPR is implemented.
Shifting from a legal to a business perspective, Representative Hakeem Jeffries (D-NY) asked the DOJ witness if the current lawful access framework “implicates [the] United States’ economic interests.” The DOJ witness had no choice but to agree. Forcing American companies to choose which country’s law to follow places them between a rock and a hard place, and can’t possibly be good for American economic interests. However, the DOJ witness offered the caveat that national security must be balanced with economic interests. We couldn’t agree more, but unfortunately the current framework benefits neither economic nor national security interests. The conflicting laws at issue are not centered on national security—they dictate the course of criminal investigations as opposed to intelligence surveillance. The argument offered by the DOJ citing the choice between national security and the interests of American businesses is fundamentally false, and we need a different solution. You can watch the interaction play out here.
We appreciate the House Judiciary Committee’s willingness to hold the hearing on this issue that impacts app developers and technology companies across the country, and Rep. Jeffries deserves commendation for recognizing the importance of reforming the statute governing lawful access. Along with Representatives Tom Marino (R-PA) and Suzan DelBene (D-WA), Rep. Jeffries has indicated his intent to co-lead the next iteration of ICPA, and build upon the broad tech industry support to implement legislation this year. We hope that Congress can reach agreement on this vital, bipartisan measure. We can’t allow an outdated set of statutes to stifle American innovation. The current framework benefits neither law enforcement nor business, and harms international comity. Congress has an opportunity to benefit all three by moving legislation based on ICPA.