Cloud computing provides unprecedented opportunities for innovative small businesses to flourish in Minnesota, across the United States and around the globe. As the owner of Cybersimple Security, a small data privacy and security consulting firm, my clients frequently provide cloud-based services to global customers. Modern cloud services are an undeniably critical, cost-effective platform for small business technology operations. However, our country’s laws have not evolved to solve new technology challenges introduced by cloud services impacting U.S. growth and security, and this inaction has serious implications for America’s tech community.
In 1986, Congress passed the Electronic Communications Privacy Act to address limits on federal wiretapping activities, and is still being used to guide law enforcement actions today. Three decades ago, our congressional representatives could not have possibly predicted how data would be stored and accessed around the world, and unfortunately ECPA does not consider the modern realities of business transactions, nor does it specify parameters for U.S. law enforcement access to data for criminal investigations.
American law enforcement agencies’ current interpretation of ECPA allows U.S. warrants to be served for data stored overseas, even if that data pertains to foreign persons or conflicts with the laws of the country where the data is stored. This creates a precarious, and sometimes criminally liable, situation for American businesses offering global services to an international consumer base.
The ambiguity codified in the ECPA hurts the ability of American companies to participate in international business ventures and often dissuades international partners from storing data in the United States. This week, the House Judiciary Committee has an opportunity to support changes to the statute and lead Congress to clear rules that balance government, privacy and business interests.
From a government perspective, surveillance requires a healthy balance between law enforcement processes and individual privacy rights protected by the U.S. Constitution. Legally obtained access to technology for surveillance purposes, such as wiretapping or accessing mobile device data, can dramatically improve law enforcement’s ability to keep our communities safe.
From a privacy perspective, consumers in countries outside of the United States increasingly are protected by robust privacy laws, such as the General Data Protection Regulation in the European Union. Under these laws, small businesses handling EU personal information may be subject to fines of 4 percent of revenue. Many other international privacy laws carry fines or individual legal rights; some even include criminal charges for mishandling personal information.
From a business perspective, unfettered law enforcement access to foreign data creates substantial challenges. My clients have unfortunately lost global business opportunities because of a perceived overreach by U.S. surveillance agencies on foreign business operations or consumers. The examples, and consequences, are many — one client recently lost a lucrative bid with a European company because it could not guarantee the protection of foreign consumer data, and another’s highly competitive bid was rejected because of U.S. surveillance concerns.
With congressional action, we can align our laws with the realities of our modern connected world. Last year, Sens. Orrin Hatch (R-Utah), Chris Coons (D-Del.) and Dean Heller (R-Nev.) introduced legislation called the International Communications Privacy Act to update and clarify the law. This legislation would help clarify the responsibility of small business when faced with U.S. warrants for overseas data by requiring law enforcement to follow existing mutual legal assistance treaties. The United States and other countries negotiate MLATs to codify U.S. law enforcement procedures to access foreign data. ICPA, or legislation modeled after it, would improve the balance between government, privacy and business interests, enabling American small businesses to increasingly support a global customer base, improve revenue and grow jobs at home.
As a small business owner and affiliated law school professor, I believe a bipartisan agreement on this issue is vital to the success of businesses in Minnesota and across the country, as well as our nation’s relationship with foreign governments. Congress cannot ignore this opportunity to protect American businesses, improve our relationships with foreign governments and support law enforcement’s ability to keep us safe.
Charlotte A. Tschider leads a cybersecurity and privacy consulting business, Cybersimple Security, and has worked in information technology, cybersecurity and privacy for more than 16 years. She is also an Affiliated Professor with the Mitchell Hamline School of Law, where she teaches for the Cybersecurity and Privacy Law program.
Morning Consult welcomes op-ed submissions on policy, politics and business strategy in our coverage areas. Updated submission guidelines can be found here.