Hatch Speaks on ICPA (International Communication Privacy Act) Ahead of Judiciary Committee Hearing
Washington, D.C.— Ahead of Wednesday’s Senate Judiciary Committee Crime and Terrorism Subcommittee hearing on “Law Enforcement Access to Data Stored Across Borders,” Senator Orrin Hatch (R-Utah)—a senior member and former Chairman of the Senate Judiciary Committee, and the Chairman of the Senate Republican High-Tech Task Force—spoke about the current landscape of international data privacy and the International Communications Privacy Act, his bill to address shortcomings in the current system.
In his remarks, Senator Hatch described the drawbacks of existing data privacy approaches and outlined his proposal to better protect consumer privacy and clarify US law enforcement’s ability to obtain global electronic communications while respecting the data privacy laws of other countries.
What we need, Mr. President, is a sensible regime with clear rules that determine access based on factors that actually matter to the person whose data is being sought. Privacy laws are meant to protect people, not abstractions. We ought not get bogged down with mindless formalism. Most people couldn’t care less whether their data is stored at site A or site B, or country A or country B, so long as it’s easily accessible and has robust privacy protections.
At the same time, we need to take proper account of the laws and interests of other countries, especially our allies. We ought to avoid, where possible, trampling on other nations’ sovereignty or ignoring their own citizens’ legitimate claims to privacy, whether here in the United States or abroad.
For this reason, Mr. President, I believe the right approach to international data privacy is to ground the analysis on the location of the person whose data is being sought. It is, after all, the person who has rights, and the person whose interests are devalued when data is obtained without proper process.
Accordingly, I’ve proposed legislation called the International Communications Privacy Act, or ICPA, that sets clear rules for when and how U.S. law enforcement can access electronic data based on the location and nationality of the person whose data is being sought.
Senator Hatch mentioned Utah businessman, Jeff Hadfield, in his speech. Hadfield recently wrote an op-ed about the importance of addressing the ambiguity of international data privacy within US law, focusing on how the current incertitude affects Utah.
The full speech, as prepared for delivery, is below:
Mr. President, I rise today to discuss international data privacy. This is a critically important issue that has become all the more pressing in recent months as a result of court decisions impacting law enforcement’s ability to access electronic communications overseas.
I don’t think it will surprise anyone, Mr. President, to hear me say that our privacy laws have not kept pace with technological developments. The primary statute that governs law enforcement’s ability to access electronic data, the Electronic Communications Privacy Act, or ECPA, was enacted over thirty years ago, long before most people had even heard of email or the internet.
ECPA was drafted in a world in which electronic data was stored on personal computers, or on servers located in offices or homes. It presumes a world where data is in one location, and where in order to access data, a person simply goes to the relevant location and retrieves it.
But that is not the world we live in, at least not today. Nowadays, much of our data is stored, not on home or office computers, but in the cloud, a network of remote servers spread throughout the world that allows us to access data from literally anywhere.
The rise of cloud and remote network computing has transformed the way companies and individuals store data. No longer is data stored onsite, or in one discrete location. Rather, data pertaining to a single individual, or even to a single document, may be stored at multiple sites spread across countries or even continents.
This has created all sorts of complications for our laws. ECPA requires law enforcement to obtain a warrant before it can access many types of electronic communications. It also prohibits disclosure to foreign entities.
Warrants, however, traditionally have stopped at the water’s edge. A judge here in Washington can issue a warrant authorizing law enforcement to search an office here in Washington, but cannot issue a warrant for searches in London or Paris.
So what is law enforcement to do in a world of cloud computing, where pieces of the same electronic document might be stored in Washington, London, and Paris? One possibility is to say that as long as the data is accessible from the United States—that is, so long as you can retrieve it by logging onto a computer somewhere in the United States—that’s all that matters. Law enforcement can order its disclosure.
This sort of maximalist approach, however, brings with it a whole host of problems.
To begin with, it pays scant attention to the laws and interests of other countries, including our closest allies. Other countries, it turns out, have data privacy laws of their own. And just like ECPA, sometimes these laws prohibit disclosure to foreign entities, including foreign law enforcement.
So to say U.S. law enforcement can compel disclosure of data stored anywhere in the world so long as the data is accessible from the United States is really to say U.S. law enforcement can override the laws of other countries. Or more particularly, it’s to say U.S. law enforcement can order individuals, or companies, that store data overseas to violate the privacy laws of other countries.
This is unfair to service providers, who may find themselves on the wrong side of the law no matter which side they choose, and does little to help international relations. It also undermines trust, drives customers to foreign competitors, and undermines the privacy of U.S. citizens by emboldening other countries with less robust privacy regimes to similarly seek unlimited extraterritorial access to data.
Another possibility is to say that if the data is stored in the United States, then law enforcement may access it. But if it’s stored outside our borders, it’s off limits.
This is essentially the current state of affairs following a decision last summer by the U.S. Court of Appeals for the Second Circuit that ECPA warrants do not reach data stored abroad. Under the Second Circuit’s decision, U.S. law enforcement can use compulsory process to access data stored in the United States, but must work through diplomatic channels to obtain data stored overseas.
This sort of domestic-storage regime has the benefit of avoiding the conflict-of-laws problems I’ve just described, but it also has very real drawbacks.
To begin with, it impedes law enforcement’s ability to solve and prevent crime in cases where the needed data is stored outside the United States, even when the creator of the data is an American, the service provider storing the data is an American, and the crime being investigated took place here in the United States. The mere happenstance that the data is stored beyond our borders—even though it may instantly be accessed from within our borders—places it off limits. Service providers’ varying business practices in moving and holding data determine whether an investigation moves forward.
This sort of domestic-storage regime also forces U.S. law enforcement to work through diplomatic channels, which are slow and cumbersome and in many instances less protective of privacy than U.S. criminal process, which requires a warrant from a neutral magistrate and a finding of probable cause.
The upshot, Mr. President, is that neither of these regimes is satisfactory. A maximalist regime that extends U.S. law enforcement jurisdiction worldwide creates serious conflict-of-law problems and places U.S. service providers in impossible positions. A more modest domestic-storage regime, by contrast, hinders law enforcement’s ability to solve crime and protect us from harm based solely on where a particular document or piece of data happens to be stored at a given moment in time.
What we need, Mr. President, is a sensible regime with clear rules that determine access based on factors that actually matter to the person whose data is being sought. Privacy laws are meant to protect people, not abstractions. We ought not get bogged down with mindless formalism. Most people couldn’t care less whether their data is stored at site A or site B, or country A or country B, so long as it’s easily accessible and has robust privacy protections.
At the same time, we need to take proper account of the laws and interests of other countries, especially our allies. We ought to avoid, where possible, trampling on other nations’ sovereignty or ignoring their own citizens’ legitimate claims to privacy, whether here in the United States or abroad.
For this reason, Mr. President, I believe the right approach to international data privacy is to ground the analysis on the location of the person whose data is being sought. It is, after all, the person who has rights, and the person whose interests are devalued when data is obtained without proper process.
Accordingly, I’ve proposed legislation called the International Communications Privacy Act, or ICPA, that sets clear rules for when and how U.S. law enforcement can access electronic data based on the location and nationality of the person whose data is being sought. I intend to introduce an updated version of this legislation in the very near future. Here’s what the updated legislation will say.
If a person is a U.S. national, or located in the United States, then law enforcement may compel disclosure, no matter where the data is stored, provided the data is accessible from a U.S. computer and law enforcement uses proper criminal process.
If a person is not a U.S. national, however, and is not located in the United States, then different rules apply. These rules are founded on three principles: respect, comity, and reciprocity.
First, respect. If U.S. law enforcement wishes to access data belonging to a non–U.S. national located outside the United States, then law enforcement must notify the person’s country of citizenship and provide that country an opportunity to object to the disclosure. This protocol shows respect to the other country and gives the country an opportunity to assert the privacy rights of its citizen.
Second, comity. If, after receiving notice, the other country lodges an objection, a U.S. court undertakes a comity analysis to determine whose interests should rightfully prevail—the U.S. interests in obtaining the data or the foreign interests in preventing disclosure. As part of this analysis, the court considers such factors as the location of the crime, the seriousness of the crime, the importance of the data to the investigation, and the possibility of accessing the data through other means. This analysis prevents an obstinate foreign power from impeding investigations without good reason or where the U.S. interests in disclosure are particularly strong.
Third, reciprocity. In order to receive notice and an opportunity to object, the other country must provide reciprocal notice-and-objection rights to the United States. The country must also provide robust privacy protections within its own borders and satisfy international human rights standards. These requirements ensure that the U.S. provides its own citizens an equal or greater level of protection against foreign requests for data. They also offer incentives to foreign governments to properly safeguard the data of U.S. citizens within their jurisdiction.
Tomorrow, the Senate Judiciary Committee Subcommittee on Crime and Terrorism will hold a hearing on law enforcement access to data stored abroad. That hearing, I hope, will elucidate many of the principles I have just described.
Soon after the hearing, I will reintroduce the International Communications Privacy Act. The bill as reintroduced will incorporate feedback from law enforcement and privacy groups.
I intend to push very hard for this legislation, Mr. President, and will seek every opportunity to do so. I want my colleagues to know that I will be pursuing any and all legislative vehicles to get it across the finish line.
In the words of Utah businessman Jeff Hadfield, writing in the Deseret News, “It’s imperative that Congress quickly address the ambiguity within our current law. As every company becomes a software company, we need legislation that supports our companies’ ability to store data overseas, protects our individual privacy rights, and helps U.S. law enforcement do its important job.” I could not agree more.
The International Communications Privacy Act provides critical guidance to law enforcement while respecting the laws and interests of our allies. It brings a set of simple, straightforward rules to a chaotic area of law and creates an example for other countries to follow. It is a balanced approach and a smart approach and it deserves this body’s full-throated support.
###
===================
Guest opinion: Honoring National Police Week by giving them the best tools possible
By Senator Orrin Hatch
[LINK]
We find ourselves in challenging times for law enforcement. Crime is up across much of the country. Violent crime, in particular, has risen alarmingly in many of our towns and cities.
Facing such challenges, it is essential we place in the hands of law enforcement every possible resource necessary to get the job done. That’s why helping our men and women in blue is a hallmark of my work in Congress.
Last week, I was grateful to see that the Senate passed my bill, the Rapid DNA Act of 2017. This critical legislation — which has garnered support from the National Association of Police Organizations, the Fraternal Order of Police and the National District Attorneys Association — updates the law and leverages advancements in rapid DNA technology. With its passage, our police forces across the country will be able to more quickly apprehend the guilty and more expeditiously exonerate the innocent.
DNA technology has made tremendous strides in recent years. In the past, creating a DNA profile from a cheek swab or other sample would prove a cumbersome, time-consuming process requiring significant laboratory technician involvement.
What’s worse, our federal law — which is written to match this outdated technology — slows down the process even further by requiring that any DNA profile uploaded to the FBI’s CODIS database be first processed at an accredited crime lab.
Recent developments, however, have opened new opportunities in DNA analysis. New technology is now available to streamline the process, so that samples can be analyzed in self-contained, fully automated “Rapid DNA” devices. With processing times of less than two hours, these devices can be placed in booking stations to expedite data sharing with the FBI’s Combined DNA Index System. This groundbreaking new development will allow our officers to determine almost immediately if an individual in custody is wanted for an outstanding crime or has a connection to evidence gathered from a crime scene.
It’s time that the federal law be brought up to date with these new advancements. That is precisely what my bill, the Rapid DNA Act of 2017, seeks to do.
If enacted, this common-sense proposal will enable law enforcement to analyze DNA in record time, reducing backlogs in rape kits and keeping violent criminals off our streets. By facilitating the use of rapid DNA technology, this bill will also help to exonerate those wrongly accused of crime. There are investigations currently underway in Utah, and many surely to come, in which this technology will be supremely useful.
The Rapid DNA Act has received strong support from several of the highest-ranking law enforcement officers in the country. Attorney General Jeff Sessions, during his confirmation hearing, said, “Rapid DNA analysis is a hugely important issue for the whole American criminal justice system. It presents tremendous opportunities to solve crimes in an effective way and produce justice because it’s the kind of thing that you can’t fake or mislead. So I am very strongly in favor of [it].” And in remarks before the Senate Judiciary Committee, former FBI Director James Comey said the Rapid DNA Act “will help us change the world in a very exciting way. [It] will materially advance the safety of the people of the United States.”
Last week we celebrated, as a part of National Police Week, the men and women in whom we place our trust to protect our families and keep the peace. There can be no greater tribute to those in uniform than our best efforts to give them every resource they need to get the job done.
The Rapid DNA Act does just that. I look forward to its passage, the assistance it will provide our police officers, and the good it will do our communities.
Hatch is the senior senator for Utah and president pro tempore of the U.S. Senate.
=======================
Hatch, McCaskill Introduce Bill to Provide Relief to States and Communities Complying with Ozone Rule
Washington, D.C.—Senator Orrin Hatch, R-Utah, and Claire McCaskill, D-Mo., today introduced a bill under which state, local, and tribal governments may develop Early Action Compact (EAC) plans to achieve and maintain the EPA’s National Ambient Air Quality Standards for ozone.
“I'm concerned that the EPA simply set a one-size-fits-all air quality standard for ozone that is unattainable for many Western states,” Hatch said. “This bipartisan legislation directs the EPA to implement a program that gives communities a voice to design locally crafted solutions to improve air quality so that they can comply with federal standards. Under this program, our communities could actually improve air quality and altogether avoid the negative economic job-killing consequences that come with a non-attainment designation.”
“Ensuring the health and safety of Missourians from ozone pollution is a critical goal we all share,” McCaskill said. “But too many Missouri communities are facing down economic penalties as they struggle to comply with environmental regulations, and the folks in those communities shouldn’t be punished by standards that are often impossible to meet. That’s why this commonsense, bipartisan plan is a win-win: helping alleviate that burden on localities and the businesses that call them home in a way that continues to safeguard the health and livelihood of our communities.”
Background
On November 26, 2014, the Environmental Protection Agency (EPA) announced proposed revisions to the National Ambient Air Quality Standards (NAAQS) for ground-level ozone. If finalized, the proposal would set more stringent standards, lowering both the primary (health-based) and secondary (welfare-based) standards from the current 75 parts per billion (ppb) to somewhere in a range of 65 to 70 ppb.
Regardless of a change to the standard, many areas throughout the country are at risk of being designated as areas that are in "non-attainment" under the NAAQS. When a particular area in the country is designated as such, it can have significant, negative economic implications.
In 2002 the EPA initiated a program called the Early Action Compact (EAC) Program to make available an option that allowed for these areas to enter into a voluntary cooperative agreement with the EPA to take early action to prevent a non-attainment designation and provide for cleaner air sooner than might have occurred by otherwise following the timelines in the Clean Air Act.
This program was met with great success, and 13 out of the 14 areas that voluntarily opted into this program were successful in improving air quality and avoiding a non-attainment designation entirely. Unfortunately, in 2007, the EPA scrapped the EAC Program due to ligation, which argued that the Program was found to be outside the EPA’s authority under the Clean Air Act. Thus, after 2007, the Program ended.
This legislation, without amending the Clean Air Act, would give clear authorization and direct the EPA to implement a similar program to the EAC so that other areas throughout the country can again have the option of taking early action to improve air quality and avoid a nonattainmentdesignation.
=======================
Hatch to Speak on ICPA (International Communications Privacy Act) Tomorrow Ahead of Judiciary Committee Hearing
Washington, D.C.— Ahead of Wednesday’s Senate Judiciary Committee Crime and Terrorism Subcommittee hearing on “Law Enforcement Access to Data Stored Across Borders,” Senator Orrin Hatch (R-Utah)—a senior member and former Chairman of the Senate Judiciary Committee and the Chairman of the Senate Republican High-Tech Task Force—will speak about the current landscape of international data privacy and the International Communications Privacy Act, his bill to address shortcomings in the current system.
In his remarks, Senator Hatch will describe the drawbacks of existing data privacy approaches and outline his proposal to better protect consumer privacy, clarify U.S. law enforcement’s ability to obtain global electronic communications, and respect the data privacy laws of other countries.
The speech will take place on the Senate floor today at 2:15 PM. Watch the speech live on the Senate floor webcast.
Below is a preview from Senator Hatch’s speech:
What we need is a sensible regime with clear rules that determine access based on factors that actually matter to the person whose data is being sought. Privacy laws are meant to protect people, not abstractions. We ought not get bogged down with mindless formalism. Most people couldn’t care less whether their data is stored at site A or site B, or country A or country B, so long as it’s easily accessible and has robust privacy protections.
At the same time, we need to take proper account of the laws and interests of other countries, especially our allies. We ought to avoid, where possible, trampling on other nations’ sovereignty or ignoring their own citizens’ legitimate claims to privacy, whether here in the United States or abroad.
For this reason, I believe the right approach to international data privacy is to ground the analysis on the location of the person whose data is being sought. It is, after all, the person who has rights, and the person whose interests are devalued when data is obtained without proper process.
Accordingly, I’ve proposed legislation called the International Communications Privacy Act, or ICPA, that sets clear rules for when and how U.S. law enforcement can access electronic data based on the location and nationality of the person whose data is being sought.
Watch the speech live on the Senate floor webcast:
====================
Hatch Commends Supreme Court Ruling on Patent Venue
WASHINGTON, D.C.--Senator Orrin Hatch (R-Utah), senior member and former Chairman of the Senate Judiciary Committee and Chairman of the Senate Republican High-Tech Task Force, issued the following statement in response to the Supreme Court’s decision today in TC Heartland v. Kraft Foods Group Brands ending the ability of plaintiffs in patent litigation to sue defendants virtually wherever they want:
“I applaud the Supreme Court’s decision today interpreting the patent venue statute according to its plain meaning,” Hatch said. “As I have said many times—most recently in an op-ed in WIRED—Congress never intended to allow plaintiffs in patent litigation to pick and choose whichever court they thought would give them the easiest shake. The purpose of venue is to ensure cases are brought in a convenient location. Today’s decision will help return order to patent litigation, end the abusive forum-shopping practices we’ve seen in recent years, and reduce the ability of patent trolls to extort settlements from actual innovators on the basis of frivolous claims. I continue to oppose all forms of abusive patent litigation and intend to introduce legislation in the coming months to address other problems with our current patent litigation system.”
In Hatch’s full March op-ed in WIRED, titled “The Supreme Court Should Bring Sanity to Patent Law,” he wrote:
“Plaintiffs are gaming the system by having their cases heard in courts they know will be friendly to their cause, a practice commonly known as “forum shopping.” This would be unseemly enough on its own. But what makes the practice even worse is that many of the plaintiffs in these cases aren’t productive enterprises. They don’t actually invent anything, or make anything, or even sell anything. Rather, their entire business model is to purchase patent licenses and then turn around and sue anyone they can arguably claim may have infringed the patent in some small way. Their goal is not actually to stop the allegedly infringing activity, but to extort a settlement and then move on to the next lawsuit.
It’s my hope that the Supreme Court will decide this week’s case in a way that conforms to Congress’s intent and puts an end to abusive forum-shopping. A decision is likely before the end of June. In the unfortunate event the Court upholds the current system, I stand ready to move legislation that will help bring sanity back to patent litigation.”
