IGF 2019 WS #288 Solutions for law enforcement to access data across borders

Subtheme

Organizer 1: Alexandre Roure, Computer & Communication Industry Associations (CCIA)
Organizer 2: Alexander Seger, Council of Europe
Organizer 3: Nina Lichtner, Council of Europe

Speaker 1: Alexander Seger, Intergovernmental Organization, Western European and Others Group (WEOG)
Speaker 2: Bertrand de La Chapelle, Civil Society, Western European and Others Group (WEOG)
Speaker 3: Jennifer DASKAL, Civil Society, Western European and Others Group (WEOG)

Additional Speakers
  • Fernanda Teixeira Souza Domingos, Federal Prosecutor, Prosecutor Federal Prosecutor's Office of Brazil (LATAM)
  • Ludmila Georgieva, Manager, Public Policy & Government Relations, Google (WEOG)
Moderator

Alexandre Roure, Private Sector, Western European and Others Group (WEOG)

Online Moderator

Nina Lichtner, Intergovernmental Organization, Western European and Others Group (WEOG)

Rapporteur

Alexandre Roure, Private Sector, Western European and Others Group (WEOG)

Format

Panel - Auditorium - 90 Min

Policy Question(s)

Jurisdiction, law enforcement and transborder data flows – More and more countries are unilaterally adopting new criminal procedural laws granting law enforcement powers to obtain users’ data to prevent, detect, investigate, and prosecute crimes, regardless of the location of data or the users’ place of residence. What are the policy and legal implications of such unilateral assertions of state jurisdiction for users, companies and state actors? How do we reconcile the obligations of criminal justice authorities and users’ rights? How can we prevent or minimise the conflicts of law for companies? Responses to these questions are currently being developed by different organisations and in different fora. The workshop is to feed into these processes and offers an opportunity for multiple stakeholders to share their views.

SDGs

GOAL 16: Peace, Justice and Strong Institutions
GOAL 17: Partnerships for the Goals

Description: Agenda 1. Highlight country-level trends (20 min): More and more countries are adopting or have already passed legislation allowing law enforcement to access data at rest (on company’s servers) and in transit (interception) to help solve criminal investigations, regardless of the location of data. We will hear the views from representatives from Brazil, Europe, and the United States. 2. Implications of unilateral domestic rules on Internet governance (20 min): As much as these new laws and bills create opportunities for the law enforcement community, they raise challenges for individuals to exert their rights (e.g. judicial redress, personal data protection), for third countries to enforce their laws, and for companies to comply with conflicting statutory and fiduciary obligations. We will hear the views from academia, NGOs and companies. 3. Looking ahead, what are the solutions (20 min): The discussion will cover the necessary considerations and building blocks to advance common norms which can meet the needs of the law enforcement community without undermining third countries’ laws, users’ rights, or companies’ legal position vis-à-vis third country legislation. Panellists will then discuss the state of play of on-going projects aimed at resolving emerging tensions (e.g. Council of Europe’s 2nd protocol to Budapest Convention, negotiations between European Union and the United States, negotiation of EU e-evidence Regulation). 4. Q&A session with the audience in the room and online (30 min)

Expected Outcomes: (a) Recognise that rules need to be modernised to meet the needs of law enforcement and the judiciary during criminal investigations and prosecutions. (b) Contribute to on-going and future multilateral and bilateral dialogues to establish common norms and resolve legal and sovereignty tensions.

Panel discussion: Starting with 3-5 minutes introductory remarks from the speakers. The rest of the session will take the form of a discussion between panellists on all 3 agenda items (see above). Q&A: One third of this workshop will be dedicated to interaction with room and online audience (30 min). Over 70% of the workshop will consist in interaction between panellist and with audiance. On spot and online participants will be encouraged to present their views and possible solutions.

Relevance to Theme: Law enforcement access to data cross border raises a wide range of issues, including on the jurisdiction to enforce. The location of data is becoming increasingly irrelevant in determining whether and how law enforcement can obtain data, and stronger focus is placed on the person in possession or control, including service providers. But as data travel across multiple jurisdictions, the execution of warrants may encroach upon multiple foreign laws, including foreign laws designed to protect personal data, including their disclosure to third countries, and laws related to judicial redress. Solutions are being discussed at bilateral, regional and global levels to resolve those tensions and to ensure a sustainable data governance framework to respond to the legitimate needs of the law enforcement community.

Relevance to Internet Governance: It is vital for governments, companies, and citizens’ representatives to develop common norms which reconcile the needs of the law enforcement community, with the need to respect third countries’ laws protecting users’ rights and imposes different obligations on companies.

Online Participation

Onsite moderator will encourage online participants to ask questions throughout the panel. Online moderator will pick up a few questions during the Q&A session.

Proposed Additional Tools: Onsite moderator will encourage all attendants to comment, ask questions via Twitter. Someone from the co-organiser’s organisations will be live-tweeting key comments / answers from the panel.

Agenda
  • Country-level trends (20 min): More and more countries are adopting or have already passed legislation allowing law enforcement to access data at rest (on company’s servers) and in transit (interception) to help solve criminal investigations, regardless of the location of data. We will hear the views from representatives from Brazil, Europe, and the United States.
  • Implications of unilateral domestic rules on Internet governance (20 min): As much as these new laws and bills create opportunities for the law enforcement community, they raise challenges for individuals to exert their rights (e.g. judicial redress, personal data protection), for third countries to enforce their laws, and for companies to comply with conflicting statutory and fiduciary obligations. We will hear the views from academia, NGOs and companies.
  • Looking ahead, what are the solutions (20 min): The discussion will cover the necessary considerations and building blocks to advance common norms which can meet the needs of the law enforcement community without undermining third countries’ laws, users’ rights, or companies’ legal position vis-à-vis third country legislation. Panellists will then discuss the state of play of on-going projects aimed at resolving emerging tensions (e.g. Council of Europe’s 2nd protocol to Budapest Convention, negotiations between European Union and the United States, negotiation of EU e-evidence Regulation).
  • Q&A session with the audience in the room and online (30 min)
1. Key Policy Questions and Expectations

More and more countries are unilaterally adopting new criminal procedural laws granting law enforcement powers to obtain users’ data to prevent, detect, investigate, and prosecute crimes, regardless of the location of data or the users’ place of residence.

  • What are the policy and legal implications of such unilateral assertions of state jurisdiction for users, companies and state actors?
  • How do we reconcile the obligations of criminal justice authorities and users’ rights?
  • How can we prevent or minimise the conflicts of law for companies?

Responses to these questions are currently being developed by different organisations and in different fora. The workshop is to feed into these processes and offers an opportunity for multiple stakeholders on the panel and in the audience to share their views.

2. Summary of Issues Discussed

There was broad support for bilateral and, ideally, multilateral solutions for law enforcement to access data across borders. There was unequivocal support for the on-going negotiations on a draft 2nd protocol to the CoE Cybercrime Convention. Several speakers highlighted that substantive and procedural safeguards are equally important as the definition and scope of law enforcement investigatory powers in cross-border cases. All speakers were skeptic about a UN-led process; experience has shown that it is very difficult to achieve consensus on a meaningful UN treaty on this subject. Not all speakers agreed that existing bilateral frameworks (e.g. the U.S. Cloud) were fit for purpose. 

3. Policy Recommendations or Suggestions for the Way Forward
  • In cross-border cases, consensus on procedural and substantive safeguards is as important as the scope and definition of law enforcement investigatory powers
  • Follow-up on any developments expected next yea, including the finalisation of the draft protocol to the Budapest Convention, adoption of EU's e-Evidence rules, EU-U.S. bilateral negotiations, enforcement of the U.S.-UK bilateral agreement, possible start of negotiations on a UN cybercrime treaty.
4. Other Initiatives Addressing the Session Issues
  • Council of Europe draft 2nd protocol to the cybercrime convention
  • EU's e-Evidence package
  • U.S. CLOUD Act
  • Internet & Jurisdiction Policy Network's multistakholder engagement (Berlin Roadmap)
  • A possible UN-led cybercrime treaty
5. Making Progress for Tackled Issues

See response under section 1.

6. Estimated Participation
  • Onsite and online participants: between 100 and 75 (2/3 and half the room)
  • Between 30 and 40% of the audience were women
  • Speakers: 3 women, 2 men
  • Moderators: 1 woman, 1 man
7. Reflection to Gender Issues

Gender issues were not addressed during this session.