Georgia Tech Cross-Border Requests for Data Project

With support from the Hewlett Foundation Cyber Initiative and others, Georgia Tech has become a leading source of research on the increasingly important area of Mutual Legal Assistance (MLA) and cross-border government requests for data.

Note: This page documents the Georgia Tech Cross-Border Requests for Data Project through 2018. In 2018, building on this project, Swire founded and became Research Director for the Cross-Border Data Forum. For more recent research on these topics, please visit www.crossborderdataforum.org.

2018 Update

Update, April 25, 2018: Peter Swire was named a 2018 Andrew Carnegie Fellow to study “Protecting Human Rights and National Security in a New Era of Data Nationalism.” The new project, with $200,000 in research funding, builds upon the Cross-Border Requests for Data Project, and will explore a broader range of issues on the new era of “data nationalism,” the escalating actions by nations to control the flow of data, especially personal data, from one country to another.

Update, March 23, 2018:  Congress passed the CLOUD Act (Clarifying Lawful Overseas Use of Data). Section 5 of the Act sets forth a long list of privacy  and civil liberties protections, while enabling qualifying countries to access electronic evidence about serious crimes in their countries. (Among the safeguards, targeting of U.S. persons is prohibited.)

We announced this approach for the first time at a conference at NYU Law School on May 29, 2015 (timestamp 21:50). The academic paper explaining the approach can be found here.

It is gratifying when research turns into actual law and practice.  Our Project looks forward to continuing to work on these important issues.
— Peter Swire


  • Computers, Privacy & Data Protection (CPDP 2018) conference panel: “Can Citizenship of the Target Ever Be a Justified Basis for Different Surveillance Rules?”
  • Computers, Privacy & Data Protection (CPDP 2017) conference panel: Panel on “Privacy and Government Cross-Border Requests for Data”
  • Computers, Privacy & Data Protection (CPDP 2016) conference panel: “Cross-Border Requests for Law Enforcement in the Post-Snowden Era”

Overview of the Project

Two technological trends are rendering the traditional MLA system obsolete: (1) the globalization of criminal evidence, as webmail, social networks, and other electronic communications are pervasively stored in the cloud, often in a different country; and (2) widespread use of encryption for these communications, so that wiretaps in the local country cannot gain access to the evidence.

Since early 2015, our research team has completed five academic papers, hosted conferences, and worked with global stakeholders to update rules and practices to match the new reality of globalized evidence for criminal cases.

Our research and policy efforts seek to promote four goals:

  1. Fulfill legitimate law enforcement requests, to investigate cybercrimes and other crimes where evidence is held in a different country;
  2. Protect privacy and civil liberties in the United States and globally, by assuring due process before evidence is sent to a different country;
  3. Provide a workable regime for the companies holding the communications records; and
  4. Safeguard the Internet by resisting calls to localize data and splinter the Internet.

Why MLA is a Growing Problem

Consider a burglary that takes place in Paris with a French suspect and a French victim. In investigating the crime, French law enforcement finds that the suspect was using a US-based email service, and the emails can only be retrieved from the United States.

Under the current regime, to access the emails, French law enforcement would need to make a mutual legal assistance treaty request from the French Minister of Justice to the U.S. Department of Justice. This request would need to show “probable cause” of a crime (the U.S. legal standard), even though the crime is connected to the U.S. only due to the physical location of the email server.  The average length of time to respond to a request is about 10 months.

The example shows how MLA issues increasingly arise even for routine criminal investigations. The need for MLA requests is even more pervasive for cybercrime, drug smuggling, money laundering, and other crimes where the criminal activity itself often crosses borders.

Academic Publications

Defining the Scope of ‘Possession, Custody, or Control’ for Privacy Issues and the Cloud Act
Justin D. Hemmings, Sreenidhi Srinivasan, & Peter Swire
Journal of National Security Law and Policy (forthcoming), January 2020
This article provides the first full analysis of the scope of “possession, custody, and control” in the CLOUD Act. It introduces a new visualization tool for describing where courts have found possession, custody, or control previously in the context of the Federal Rules of Criminal and Civil Procedure, and four additional implications for the CLOUD Act. Finally, the article reviews similar concepts in other nations, specifically reviewing Belgian law, where two prominent recent cases involving Yahoo! and Skype have shown an expansive view of Belgian courts’ access to evidence.

When Does GDPR Act as a Blocking Statute: The Relevance of a Lawful Basis for Transfer
Peter Swire
Georgia Tech Scheller College of Business Research Paper No. 3473187, October 2019
This paper addresses an important practical topic – when does the EU General Data Protection Regulation act as a “blocking statute,” to prohibit transfers of personal data in response to requests by non-EU law enforcement agencies? This paper builds upon Théodore Christakis’ article on the effects of Article 48 and 49 of GDPR and when the GDPR acts as a blocking statute, and expands the discussion by addressing hte full set of GDPR legal provisions that govern such transfers of personal data from the EU to a non-member country, including the lawful bases for transfer under Articles 45 and 46 of GDPR.

Frequently Asked Questions about the U.S. CLOUD Act
Peter Swire & Jennifer Daskal
Cross-Border Data Forum, April 2019
This set of FAQs responds to questions from non-U.S. countries about the meaning and implications of the CLOUD Act. Some questions have arisen from the European Union in connection with the CLOUD Act, and this paper seeks to address those questions specifically. But it is important to note that countries outside of the EU are expected to seek executive agreements under the CLOUD Act as well.

India-US Cooperation for Law Enforcement Sharing: Blueprints for Reform
Madhulika Srikumar, Sreenidhi Srinivasan, DeBrae Kennedy-Mayo, & Peter Swire
Observer Research Foundation, January 2019
This paper proposes what appears to be a workable path to an India-US Executive Agreement under the US CLOUD Act. A major rationale for current data localization proposals in India is to address the difficulties encountered by Indian law enforcement in accessing content held by US service providers. If a carefully crafted Executive Agreement based on the principles outlined in this paper could be adopted, this rationale for data localization would be greatly weakened.

The Important, Justifiable, and Constrained Role of Nationality in Foreign Intelligence Surveillance
Peter Swire, Jesse Woo, & Deven R. Desai
Hoover Institution, Aegis Paper Series, January 2019
This article addresses whether government ever have a basis for treating targets of surveillance differently, in any way, based on nationality. The article concludes that stricter protections are warranted because surveillance of nationals and others with a close connection to the domestic policy poses a special threat to the political opposition and free press of a country, both of which play crucial roles in limiting abuses of state power.

Stakeholders in Reform in the Global System for Mutual Legal Assistance
Peter Swire & Justin D. Hemmings
Chapter in Systematic Government Access to Private-Sector Data (Oxford University Press 2017)
The chapter identifies the stakeholders in the international MLA regime and their respective incentives and goals for reform. This article examines the interests of the US government, non-US governments, technology companies, and public interest groups both in the US and abroad, to inform debates about what reforms are practical and desirable.

Mutual Legal Assistance in an Era of Globalized Communications: The Analogy to the Visa Waiver Program
Peter Swire & Justin D. Hemmings
71 NYU Annual Survey of American Law 687 (2017).
This article contends that MLATs today are emerging as a key component of multiple legal and policy debates. Drastically improving the mutual legal assistance (MLA) process has become important, not only for accurate adjudication in individual cases, but also for supporting a globally open and inter-operable Internet against calls for data localization and institution of other stricter national controls on the Internet.

A Mutual Legal Assistance Case Study: The United States and France
Peter Swire, Justin D. Hemmings, & Suzanne Vergnolle
34 Wisconsin International Law Journal 323 (2017).
The article examines the substantive rules that apply for MLA requests involving the United States and France, complementing the procedural rules discussed in the previous article. We believe a relatively detailed explanation of the two regimes will be helpful to discussions of MLA reform, because few participants in such debates are experts in both U.S. and French criminal law and procedure.

How Both Europe and the U.S. are “Stricter” than Each Other for the Privacy of Government Requests for Information
Peter Swire & DeBrae Kennedy-Mayo
66 Emory Law Journal 617 (2017).
The article examines ways that the United States and the European Union (EU) each offer stricter privacy protections for government access to data, contrary to the common assumption that EU privacy law is generally stricter than U.S. law. The analysis builds on our French case studies to show broader implications for MLA reform.  The analysis also is highly relevant for current policy debates and lawsuits concerning whether the U.S. has “adequate” safeguards for privacy, a legal condition for many transfers of personal data from the EU to the U.S.

Understanding the French Criminal Justice System as a Tool for Reforming International Legal Cooperation and Cross-Border Data Requests
Suzanne Vergnolle
Chapter in Data Protection, Privacy, and European Regulation in the Digital Age (Helsinki University Press 2016)
This chapter provides a detailed case study of the French system for exchanging criminal evidence with the United States – focusing on the procedural aspects of how France makes or receives MLAT requests. This chapter explains ways that French investigative authorities have broader powers than their American counterparts, as well as safeguards for individuals’ rights during the French criminal investigation process.

Beyond Location: Data Security in the 21st Century
Deven R. Desai
Communications of the ACM, January 2013
This article examines the tensions between desires for data security and integrity and a government’s interest in access to data. It uses cloud computing as a lens to show that modern data management enhances data security and integrity by breaking up and moving data similar to the way power grids are managed. That reality indicates a need to move away from location-based approaches to jurisdiction. It also means that we need to develop a new system that allows those with desired data to respond to legitimate government requests for data.

Shorter Publications

The U.K.-U.S. CLOUD Act Agreement Is Finally Here, Containing New Safeguards
Jennifer Daskal & Peter Swire
Lawfare Blog, October 8, 2019
This article examines the publicly released U.K.-U.S. CLOUD Act Executive Agreement, including what’s new, what’s surprising, and why the authors view these agreements as positive developments that protect privacy and civil liberties, accommodate divergent norms across borders, and respond to the reality that digital evidence critical even to wholly local crimes is often located across international borders.

The US, China, and Case 311/18 on Standard Contractual Clauses
Peter Swire
Le Monde (in French), European Law Blog (in English), July 11, 2019
This op-ed argues that the CJEU decision in Schrems II could create an aberration where EU data could not be transferred to the US for surveillance risk, but could still freely move to China. The French version of this op-ed published in Le Monde is available here, and an English version published by the European Law Blog is available here.

The Cloud Act Is Not a Tool for Theft of Trade Secrets
Justin D. Hemmings & Nathan Swire
Lawfare Blog, April 23, 2019
This article responds to criticisms that the U.S. CLOUD Act was passed as a vehicle for conducting economic espionage for the benefit of U.S. economic interests. The article refutes these claims, and explains why existing U.S. law, judicial supervision of prosecutors, and the safeguards of trade secret litigation mean the CLOUD Act would in any event be an ineffective means of conducting economic espionage.

EU and U.S. Negotiations on Cross-Border Data, Within and Outside of the CLOUD Act Framework
Peter Swire
Cross-Border Data Forum, April 13, 2019
This article explains the streamlined U.S. legislative procedure that applies for executive agreements under the CLOUD Act. By contrast, other procedures exist, but require considerably more challenging steps for approval by Congress to go into effect.

How Stricter Procedures in Existing Law May Provide a Useful Path for CLOUD Act Executive Agreements
Justin D. Hemmings, Sreenidhi Srinivasan, & Peter Swire
Cross-Border Data Forum, November 16, 2018
This article looks at the impact of the rise in electronic evidence critical to ordinary criminal investigations being located across territorial borders. The article examines legal responses to this trend, including the U.S. CLOUD Act, the EU E-evidence proposal, and data localization measures.

The Globalization of Criminal Evidence
Jennifer Daskal, Peter Swire, & Theodore Christakis
IAPP, October 16, 2018
This article looks at the impact of the rise in electronic evidence critical to ordinary criminal investigations being located across territorial borders. The article examines legal responses to this trend, including the U.S. CLOUD Act, the EU E-evidence proposal, and data localization measures.

Recommendations for the Potential U.S.-U.K. Executive Agreement Under the Cloud Act
Peter Swire & Justin D. Hemmings
Lawfare Blog, September 13, 2018
This article explains key points for the U.S. Justice Department and Congress to consider if a CLOUD Act Executive Agreement between the UK and U.S. is presented for consideration on the Hill.

A Possible EU-U.S. Agreement on Law Enforcement Access to Data?   
Jennifer Daskal & Peter Swire
Lawfare Blog, May 21, 2018
This post explores whether the CLOUD Act allows the United States to forge executive agreements with the European Union (EU) as a whole or whether negotiations must proceed country-by-country. After describing legal requirements under U.S. and EU law, the authors propose that a framework EU-U.S. agreement could set standards and resolve important issues across the EU. To join the framework agreement, individual member-states would then need to establish (and, pursuant to the CLOUD Act, be certified as complying) that they meet the requisite standards.

Suggestions for Implementing the CLOUD Act   
Jennifer Daskal & Peter Swire
Lawfare Blog, April 30, 2018
Jennifer Daskal and Peter Swire propose nine issues the Justice Department will face in formulating executive agreements under Section 5 of the CLOUD Act. The nine issues address the specifics of executive agreements, such as the details of compliance reviews and transparency reporting. Considering these issues can help the Justice Department fulfill legitimate law enforcement requests for data while protecting privacy and civil liberties, providing a workable regime for companies holding requested data, and discouraging data localization.

What the CLOUD Act Means for Privacy Pros   
Peter Swire & Jennifer Daskal
Privacy Tracker, International Association of Privacy Professionals, March 26, 2018
This article explains the history leading up to passage of the CLOUD Act. Most immediately, the CLOUD Act moots the Microsoft Ireland case pending before the U.S. Supreme Court regarding U.S. access to emails stored abroad. The Act clarifies that U.S. warrants require U.S.-based providers to turn over data, regardless of where responsive data is stored. The Act also permits the U.S. to form executive agreements with qualifying foreign governments, who can request data from U.S.-based providers on a streamlined basis. To qualify for an agreement, the U.S. must certify that the foreign government has sufficient privacy and civil liberties protections for data collection activities and additional protections for U.S. person data.

Privacy and Civil Liberties Under the CLOUD Act: A Response
Jennifer Daskal & Peter Swire                                        
Lawfare Blog, March 21, 2018
Responding to critiques from the ACLU and Amnesty International, a bill requiring foreign governments to adopt U.S. legal standards would not be preferable to the CLOUD Act. Insisting on U.S. legal standards discounts legitimate differences in national law. One benefit of the CLOUD Act is the likelihood that foreign governments would voluntarily increase privacy protections to meet the Act’s requirements. The United States may lose its current bargaining position in a future without the Act, when more of the world’s data will lie outside the US and be subject to legal standards that the United States cannot influence. 

Why the CLOUD Act is Good for Privacy and Human Rights
Jennifer Daskal & Peter Swire
Lawfare Blog, March 14, 2018
Contrary to criticisms by privacy advocates, the CLOUD Act requires an “impressively long list” of privacy safeguards and additional protections for U.S. persons. It affords the United States unprecedented power to monitor how foreign governments handle requested data after receiving it. Failure to pass the CLOUD Act may spur foreign governments to localize data and apply their own privacy protections, which are often less stringent than those provided by the Act.

Why Cross-Border Government Requests for Data Will Keep Becoming More Important
Peter Swire
Lawfare Blog, May 23, 2017
Technological developments are driving fundamental changes in the importance of cross-border government requests for data. There are multiple institutional mechanisms for possible reform, entirely apart from the traditional approach of Mutual legal Assistance Treaties (MLATs). And the resolution of MLA issues will have broader implications, on whether multiple nations push for strict data localization laws, and for the ongoing debates about government laws to limit strong encryption and to authorize greater government hacking of computers for law enforcement purposes.

A ‘Qualified SPOC’ Approach for India and Mutual Legal Assistance
Peter Swire & Deven Desai
Lawfare Blog, March 2, 2017
There has been growing legal, policy, and academic attention to the topic of Mutual Legal Assistance (MLA), the mechanisms for evidence held in one country to be provided to a different country for law enforcement purposes. This post summarizes recent developments and proposes a new mechanism for MLA that could be used for the important country of India, and also more generally.

Reforming Mutual Legal Assistance Needs Engagement Beyond the U.S.
Ian Brown, Vivek Krishnamurthy, and Peter Swire
Lawfare Blog, March 1, 2016
In this short post, the three authors – who have each written on the subject of MLA reform and who have each convened meetings on the subject (from Washington to Brussels) – stress the importance of a better understanding of both the strengths and weaknesses of each of the countries involved in MLA to avoid distrust based on misunderstanding.  Most basically, the three advocate for MLA reform in the US as well as in Europe and globally.

The Cross-Border Requests for Data Project is made possible by: