The Internet and Jurisdiction network aims to address the tension between the cross-border nature of the internet and international jurisdiction. It held its second global conference in Ottawa from 26 to 28 February 2018. Thanks to the work of the secretariat, this conference turned yet again into a well prepared and constructive meeting.
The project is structured along three work tracks: “Cross border access to user data”, “Cross border content restrictions” and “cross border domain suspension”. Since the first conference in Paris late 2016, task forces have drafted policy option documents that provided the basis for discussions in Ottawa. In this article, we focus on two of these three tracks (data track and domains track).
Cross border domain suspension
The policy options document for this track focused strongly on the potential role of trusted notifiers in the search for swifter remedial action in case of illegal content.
The discussions in this track benefitted from active and high level participation and a reasonable mix of stakeholders. Visibly absent in this ‘Domains track’, however, were Law Enforcement Agencies and the intellectual property community.
While there was common agreement that the prep work since Paris provided a sound basis to build on, the debates shifted the focus to notifications (instead of notifiers) and struggled to agree on terminology. (e.g. deletion/suspension/interruption). In his summary, the session Chair Maarten Botterman, underlined strong support for:
- The notion that any interruption of the DNS is a blunt tool for controlling access to content
- The principle of proportionality as a crucial factor in any decision to intervene in the regular working of the DNS
- The need for due process in case of voluntary action
- The essential differences between ccTLDs and gTLDs
- The need to include abusive behaviour in addition to illegal content to the scope of this track
New elements identified include:
- The need to educate policy makers and the courts
- The (legal) status of notifiers and the formatting of notifications
- The need to inform registrants
- The need to jointly develop effective and scalable tools (spotting abuse, sharing information across the DNS industry)
- The possibility to use notifiers as data providers (identifying bad actors and abuse occurrence)
Actions include:
- Update the existing policy options with the above
- The I&J secretariat to build a database of existing educational material
- Develop a taxonomy
- Identify essential elements of what constitutes Due Process in this context
- Building an inventory of the necessary tools and identify what is already available
Data and jurisdiction
The “data workstream” addressed the question: how can transnational data flows and the protection of privacy be reconciled with lawful access requirements to address crime?
Today, most of the evidence related to crime is digital and in many cases, the information to which access is requested is held by private companies (e.g. service providers) in jurisdictions outside the requesting country. Mutual Legal Assistance (MLA) mechanisms are considered cumbersome and slow and alternative approaches to achieve access to such evidence (e.g. direct requests to companies) are being explored. Whereas these can increase speed, they lack necessary safeguards and procedures, or can even be forbidden by national law (e.g. US Electronic Communications Privacy Act). Governments, in order to avoid cross-border cases, react by requiring that data be stored on their territory. The challenge is to define a framework, which is viable and scalable, allows for data to flow freely, and which ensures policy coherence and regime interoperability.
The data contact group, as a result of GIJC 2016, worked out Policy Options and explored components for a voluntary framework, focusing on access to stored data, thereby excluding interception and encryption. In a nutshell, relevant authorities from specific countries should be able to make direct requests (structured and following due process) to private companies in a different country. Such companies would then disclose user data on a voluntary basis, irrespective of where such data is stored.
In Ottawa, the data workstream discussed and complemented so-called “structuring questions” on which further debate is needed. These include, inter alia:
- statutory requirements to ensure human rights protection while enabling law enforcement to make requests
- criteria to determine eligible countries (the framework could then be expanded to other countries)
- competent authorities, which would include not only those at national level but also sub-national units (e.g. at regional or state level)
- criminal investigation within scope should be defined and distinguished by type.
- elements allowing a requesting country to demonstrate its substantial connection and legitimate interest in the stored data should be identified
- there should be tailored rules for certain categories of data (e.g. content, non-content data, sensitive data).
Three new structuring questions were added:
- the need for both a qualifying regime and a qualifying individual request;
- data preservation provisions for individual investigations before a full request for data can be made;
- capacity building, i.e. trainings for, e.g., competent authorities, law enforcement, courts, etc.
It should also be noted that despite the focus on “voluntary action”, the group agreed that the edited text could also guide compulsory action, i.e. where a company would be forced to turn over data.
On day 2, the workstream participants took stock of current developments in different regions of the world with regards to legislation on access to data stored outside a requesting country. The trend towards legislation with an extraterritorial dimension is obvious, especially in:
- the EU e-evidence directive (draft expected in March),
- the US American CLOUD Act (draft),
- the Microsoft Ireland case (a US Supreme Court hearing took place on 27 Feb),
- negotiations on a new protocol to the Budapest Convention on sharing data across borders (within the framework of the Council of Europe).
The following topics were deemed to be useful to include in the current debate or to help advance it:
- the notification to users when their data is requested (and the fact that in some countries this is a constitutional right whereas in others it is forbidden),
- the size of an entity that receives a request (i.e. the capacity of small and medium-sized companies to handle requests),
- the question of sovereignty (and the need to bring in the traditional language of international law, i.e. prescriptive vs. adjudicative vs. enforcement jurisdiction)
- the need for a glossary of acronyms and a set of references.
Impact of these discussions in practice
The Secretariat of Internet & Jurisdiction put an immense effort in creating a space that fosters debate and works towards practicable solutions. Participation during day 2 was very good and constructive. It was refreshing to see a multistakeholder process at work outside the confinements of ICANN. Useful elements, such as transparency and capacity building were added to the discussions and case examples from different regions exchanged.
Whereas the group included companies, law enforcement, government, and civil society, it cannot be considered representative. Despite the constructive atmosphere, the results and further debates have to be looked at in this context. Also, the longer the discussions went on, the more complex the issues at stake became. Additional elements were added, and the focus on voluntary action and stored data was diffused. More and more often, participants referred to traditional language from international law.
It will be important to avoid that a new framework is comparable in complexity to MLAs, but strips them off the necessary safeguards. This trend can also be observed in planned legislation on digital evidence. It is unfortunate that there is no (at least parallel) effort that focuses on the actual problem: how MLAs can be improved and made more efficient. It could obviate the need to come up with a new framework that lowers the bar for the protection of human rights and ensuring due process.
How to get involved
The next conference will take place in Berlin in June 2019. In the meantime, three working groups will be established that will further develop the policy option documents, using structuring questions as guidelines. The working groups will combine both virtual and physical meeting and will meet between June 2018 and March 2019. To know more about the process, visit the Internet & Jurisdiction Policy Network website.
