ICC policy statement on cross-border law enforcement access to company data – current issues under data protection and privacy law
Companies processing data in multiple countries face increasing government pressure to comply with law enforcement and other regulatory requests for access to personal data that conflict with data protection and privacy laws in other countries in which they operate.
The growing number of such cases is caused in part by the explosive growth in phenomena such as the use of multi-locational servers for cloud computing, which provide efficient, lower-cost services for individuals and businesses. Companies take their legal compliance responsibilities very seriously, including those under both law enforcement requirements and data protection and privacy laws. However, compliance with law enforcement requests should not require companies to violate the privacy and data protection laws of other countries, as well as their commitments to individuals, employees, and customers.
ICC urges law enforcement authorities and governments to take the following actions, some of which have already been advocated by ICC in existing policy papers (such as in the ICC Global business recommendations and best practices for lawful intercept requirements of June 2010):
- Take into account the possibility that law enforcement requests may violate the data protection or privacy law of other countries.
- Make requests for access to data only in writing and in accordance with written law and/or local regulation, rather than through informal requests. State clearly in any request the specific legal basis for it and the name of the requesting responsible authority.
- Make cross-border requests for data stored in another country through mutual legal assistance treaties and procedures (MLATs) within existing frameworks, ensuring appropriate involvement of authorities in the country(ies) where data are stored. Improvements should also be made to existing MLATs so that they (1) cover evolving IP-based communications services; (2) deliver requested data in timeframes satisfactory for law enforcement authorities; (3) increase legal certainty for compliance with respective national laws; (4) give companies sufficient information to interact with the MLAT process in an efficient manner; and (5) create a single point of contact with law enforcement authorities in each country.
- Give companies the opportunity to ascertain the legitimacy of the request and inform the authorities (including their own national authorities) about their obligations under data protection and privacy law, when this is required.
- Be as specific and concise as possible about the scope of the request (such as which data the authority is seeking and for which timeframe), and minimize the amount of data requested.
- Avoid developing mechanisms that compel companies to enter into supposedly “voluntary” agreements to deliver up information under threat of significant penal, financial, or tax sanctions or local business suspension if they do not.
- Allow companies to limit potential liability, for example by anonymizing or shielding personal data of third parties that are not under investigation.
Implementation of these recommendations would allow more efficient compliance with legitimate public and law enforcement requests, better allow companies to cope with conflicting legal obligations, promote compliance with data protection and privacy laws, and strengthen the flow of international commerce by giving companies the increased legal security they need to plan investments.