Imagine a U.S. prosecutor is investigating a criminal matter and needs to obtain data or information stored in a suspect’s smartphone application. The problem is, the app was developed by a small tech startup in Denmark. In order to obtain access to the relevant information, the prosecutor would need to issue an MLAT subpoena to the app developer. Under normal circumstances, this would be a challenge, because of the General Data Protection Regulation (GDPR), a regulation of the European Union (EU).
Under the GDPR, European companies cannot provide user information or private data in response to a U.S. subpoena, except in a manner that is consistent with the Mutual Legal Assistance Treaty (MLAT). America has entered into MLAT agreements with 65 other countries and reached a specific agreement with the EU with regard to how data disclosure would be handled in these situations. Foreign companies who receive a U.S. subpoena should carefully consult an experienced Internet attorney from Revision Legal to help navigate the appropriate response.
What Is an MLAT?
At its most basic level, a mutual legal assistance treaty is a signed agreement between two nations, which provides a means for sharing data and information needed to investigate and prosecute crime. If one nation’s government is investigating a criminal matter and requires electronic or secure data from a private entity in another country, an MLAT provides the mechanism for obtaining that information.
Private entities generally include service providers, app developers, hosting platforms, and community website owners. In the U.S., we tend to think of companies like Google, Facebook, Twitter, and so forth. But there are countless service providers and other applicable companies around the globe that maintain and store sensitive private data that can be relevant to criminal investigations in other countries.
It’s very important to remember that MLATs are not a single agreement, but rather many individual agreements with individual nations. When collectively applied in the EU, however, European providers have a single set of principles to look to when responding to international subpoenas and requests.
Specific Limitations on the Use of Information Obtained Through MLATs
A mutual legal assistance treaty is not generally intended to be used for every purpose. While quite broad, there are still limits.
For instance, MLATs have specific provisions, many of which are unique to the dealings between the two nations that are parties to them. However, they also often contain a default or catchall provision which allows for mutual assistance and cooperation that may not necessarily be otherwise outlined. The goal is to make sure the requesting nation can get the information it is seeking.
When it comes to the use of information obtained through a request, there are limits. Things that are usually not permitted include:
- Political investigations and prosecutions
- Military crimes that are not otherwise illegal outside of military service
- Any investigative or prosecutorial purpose not contained within the request
The last of these three is interesting, because a receiving nation can deny a request if it believes the information will be used for an improper purpose.
There have been instances where one country’s law enforcement agency submits a request seeking information for the purpose of one criminal matter; however, the service provider receiving the request is aware of information that suggests the information may be used for some other reason, such as prosecuting someone other than the subject of the request. This could be grounds for denial as well.
Important MLAT Provisions
There are many nuances and narrow provisions that must be considered when dealing with foreign requests. The following represent some of the more notable provisions that may deserve added attention.
First, a U.S. prosecutor making a request to a foreign service provider must follow the specific requirements of the applicable MLAT. These specific requirements may vary from one country to another but, in general, they include instructions for things like:
- The request must be in writing
- It must include the name of the agency making the request
- It must provide a description of the evidence that is being requested
- It must state the purpose of the request
- It must include information about the underlying case or offense
A service provider should carefully inspect the request to ensure that it meets all of the unique requirements of the applicable country’s MLAT agreement. If not, then it could give the provider the legal right to deny the request. This determination is subject to judicial review, though, so it is important to make sure that legal counsel is sought prior to making such a determination.
Style of Requests
Even the U.S. Department of Justice acknowledges that the style of a request for foreign information must be clear and in narrative form. Requests should not use legal jargon or abbreviations that may be well understood in U.S. courts, but which may have no meaning elsewhere in the world.
Within the U.S. Department of Justice, the Office of International Affairs (OIA) is charged with implementing policy for these types of foreign requests for assistance in the investigation and prosecution of crimes. Those foreign and domestic companies responding to such requests should work with an attorney who is familiar with the workings of OIA in order to ensure that requests meet the guidelines of the applicable MLAT.
Concept of Dual Criminality
This term is often confused with the idea that a crime can be prosecuted simultaneously in two places. However, it actually just means that unlike an extradition treaty, MLATs have no requirement that a crime be punishable under both countries’ laws. In other words, let’s assume a U.S. investigation into a crime that does not exist in a particular foreign jurisdiction. Even though the conduct may not be punishable under foreign law, MLATs would still permit the U.S. to obtain information leading to prosecution. There are, of course, limits to this power. For instance, if the crime would not be punishable by at least a year of jail time in the U.S., then a search warrant would not be allowed. Rather, a subpoena would need to be used instead.
How Does the GDPR Affect EU Service Providers Subpoenaed?
When a service provider from a European Union member state receives a subpoena from another country with which that country has an MLAT agreement, there are particular procedures for making sure that the response is proper. First, service providers must be keenly aware of the General Data Protection Regulation (GDPR), which applies to all EU countries. The GDPR is a wide-scope regulation that has enormous bearing on how service providers respond to subpoenas. The regulation went into full effect on May 25, 2018, and it carries heavy fines for providers who violate it.
Some key things to consider about the EU’s GDPR regulation are as follows:
When an organization or company is found to be in breach of GDPR, the fines can be up to the greater of either 4 percent of its annual “global turnover” or €20 million. Conduct that can lead to penalties includes violating privacy provisions, not having enough consent for the acquisition of data, or improper storage and security of data.
GDPR also has strict rules for obtaining consent for the release of private data. Companies that fail to obtain adequate consent before sharing or releasing information (even in response to international requests and subpoenas) may face steep fines.
Right to be Forgotten
This unique principle gives individuals the right to have their information and data erased. This so-called “Data Erasure” rule has limitations, but service providers need to be aware that under Article 17 of GDPR, “subjects” (i.e. individuals who have data stored by a provider) have a right to request erasure. The provider or controller of the data must weigh the individual’s interest in data erasure against the public’s interest in keeping the data available. This would also include any interest in making data available to foreign investigations pursuant to an MLAT request.
There are many other pivotal provisions that a service provider should know and be familiar with when dealing with foreign MLAT requests. However, it is unrealistic to expect that service providers would want to spend countless hours reviewing GDPR and individual MLATs for dozens of countries. Instead, the use of a skilled internet attorney is often the easiest and most efficient way to deal with these issues. Beware that MLATs do not obviate a service provider’s obligations under GDPR. Rather, MLATs provide the sole exception or sole means for legally disclosing protected data.
What Should EU Service Providers Do if Subpoenaed by a US Law Enforcement Agency?
Consider what happens when an EU service provider receives a foreign subpoena from a U.S. law enforcement agency. Keep in mind that there is only one way to legally respond without running afoul of GDPR rules. This can be a difficult tightrope to walk for many service providers.
Here are some basic steps in the process of responding.
The first thing a service provider must do is determine the validity of the request or subpoena. Does it meet the requirements of the applicable MLAT treaty agreement between the two countries involved? Does it meet the style requirements? Is there a distinct conflict between the MLAT and GDPR that cannot be resolved or satisfied?
Responding to Subpoenas
Perhaps the service provider organization has determined that the subpoena is deficient, and they will not be providing the requested information. How does the provider make that statement to a U.S. law enforcement agency? What is the proper way to word such a denial?
Alternatively, what if the request is to be partially answered and partially denied? Maybe the requesting agency is entitled to some of the data or information requested, but other parts of the request appear to violate the terms of the MLAT. How should a provider handle partial disclosures?
18 U.S.C. 3292 provides a mechanism for a U.S. prosecutor to seek to toll the statute of limitations on a pending matter, while seeking to obtain foreign information that is relevant to the case.
This means extending the time limit for bringing a criminal case.
To obtain a court order tolling the statute of limitations, the prosecutor must do certain things, including filing an MLA request to the country where the evidence is believed to be located. The standard of proof for the prosecutor to obtain tolling is relatively low. While conviction of a criminal violation in America requires that the government prove its case beyond a reasonable doubt, a prosecutor needs only to show by a preponderance of evidence that it “reasonably appears” as though the necessary evidence is in the country where the MLA request was submitted. If granted, the statute of limitations tolls beginning with the date on which the MLA request was made. Defendants do not have a right to notice in these tolling proceedings. Tolling can last up to three years or until such time that the receiving nation takes some action.
What Can’t European Union (EU) Service Providers Disclose Under the GDPR when Subpoenaed?
As mentioned earlier, the GDPR is a wide-scope regulation applicable to all EU nations, and it does not permit service providers to simply respond to subpoenas from other countries pursuant to the terms of those subpoenas. Perhaps the best way to think of it is that the member nation has a strict rule with only one exception.
Run afoul of that, and there are dire consequences.
This is designed to protect individual privacy interests, above and before foreign countries and their criminal investigations. The one exception is that EU countries can respond, but only in a manner consistent with the applicable MLAT between that country and the requesting nation.
Does GDPR Apply?
When a request is received by a service provider, one of the first things an EU provider must determine is whether GDPR actually applies. This can get tricky, though. There are several scenarios to consider. Say a U.S. law enforcement agency requests information from an EU provider, but the data pertains to a U.S. user. This may not fall under GDPR because the user is not an EU citizen.
However, in other circumstances, the requesting law enforcement agency may seek data from an EU service provider which pertains to an EU citizen. In this case, it is fairly clear that the person’s privacy is protected by GDPR and the matter would fall under that regulation. But there are more complex scenarios, where perhaps an EU user is using a service provider’s platform for business purposes, and the business is based in the U.S. Key questions may include whether the user’s private data is still protected if being used for a U.S. business interest. Further, sometimes a foreign non-EU citizen is using a platform for EU business purposes. These situations can present deeply challenging legal questions that require sophisticated counsel.
U.S. Requests to U.S. Entities
While MLAT agreements dictate how and when a foreign entity responds to a U.S. law enforcement agency’s requests for information, there are also many U.S. tech companies and service providers that store sensitive data on millions of people in the U.S. and abroad. Consider major players such as Facebook, Google, and Twitter, just to mention a few.
The Stored Communications Act, which is found at 18 U.S.C. 2701, was created to protect against computer hackers trying to obtain sensitive and private information without proper authorization. One can easily contemplate many ways that a person or company could run afoul of this statute if proper authorization is not obtained before accessing information.
Types of Requests
When a U.S. law enforcement agency requests information from a service provider, they generally do so through one or more of the following mechanisms.
Subpoenas. A subpoena is generally created by the clerk of a court on request of an attorney, and it seeks documents, evidence, or testimony, such as a deposition. However, some states permit private attorneys to sign and generate subpoenas without seeking prior approval from the court. A subpoena generally acts much like a discovery request, meaning it has force similar to that of a court order, except that it is subject to being quashed. In general, the attorney issues the subpoena, and the recipient reviews the request and decides whether to (a) respond with the requested information or (b) move to quash the subpoena. To quash means to get the court to deny the request, thereby allowing the recipient to not respond in whole or in part. This motion to quash should be filed within just 14 days of receiving the subpoena. This does not give a recipient much time to respond.
Warrants. People often confuse warrants with subpoenas. But a warrant is not issued by an attorney. It does not seek production of documents or testimony. Rather, a warrant is a judicial document, signed by a judge, which permits law enforcement to take a specific action. In most cases, a warrant is used in order to make an arrest, search a property, or gain access to a private area on a property. These are sometimes used in order to seek information stored in electronic means.
Court Orders. A court can order just about anything within its jurisdiction. Judges sign orders frequently, ruling on issues and making decisions about actions that parties in a litigated matter must take or not take. Therefore, it is not uncommon to see a simple court order, instructing a service provider to turn over data or other information that it stores pertaining to a criminal defendant. Care must be used in responding, because, unfortunately, just because a judge believes the information to be subject to disclosure does not always mean there is jurisdiction or that the order is even lawful.
What Is Commonly Sought?
When a law enforcement agency seeks disclosure or production of information, they generally are seeking either the content of communications or client records.
Content of communication. A service provider cannot disclose this type of information to a law enforcement agency in response to a subpoena. These communications often include text messages, data records of transmissions, and so forth. There are, however, certain scenarios where a service provider can voluntarily provide such information if it inadvertently obtains it and there is a reasonable belief that it pertains to the commission of a crime. Likewise, when it comes to things like child pornography and trafficking, the service provider can notify the National Center for Missing and Exploited Children.
Customer records. Customer records can include any sort of data or private information about users. This can be phone numbers, addresses, Social Security numbers, dates of birth, health data, and so forth.
A Few Parting Notes
Attorneys routinely advise service providers in an effort to comply with the various and often conflicting rules and regulations. While it is tempting to seek out reasons not to comply, there is a lot of merit in compliance and cooperation. This is not to say service providers should blindly or carelessly disclose or produce data and other sensitive information, but there is certainly value in understanding the underlying purpose of MLAT treaties. The purpose has always been to encourage, not stifle, cooperation between nations.
On the other hand, for American law enforcement agencies and U.S. courts, obtaining what is sought through an MLAT can be sluggish, even among nations that have strong allegiances. Consider that through the MLAT between the U.S. and U.K., requests can take well over a year. However, a service provider can openly cooperate in most situations. Not only will this make things go faster and reduce litigation and other costs, but it also fosters a mutual sense of cooperation.
As MLATs become the subject of increased scrutiny and use, there will likely be no shortage of subpoenas and other requests seeking data from service providers in the U.S., EU and throughout the world. Tech companies are beginning to plant their flags in many countries that may not have previously been thought of as tech havens. Technology has brought everyone closer together in ways we could not have imagined even 20 years ago. Therefore, regardless of where a company is located, skilled legal advice can be found quickly and when it is needed most.
At Revision Legal, we focus on intellectual property and internet law.