Brazilian courts and legislation, for example, assert the authority to compel U.S. tech companies to disclose the contents of users’ communications to local law enforcement, even if the data is located in other countries, according to Microsoft. The company stores the data in the U.S. and under the ECPA it would be illegal for it to hand over the data even if it belonged to a Brazilian user.
Brazil has refused to seek the information through a MLAT citing time sensitivities, Smith said. The Brazilian government has levied fines against the company's local subsidiary and in one case arrested and charged criminally a local employee, when Microsoft refused to violate U.S. law by complying with the Brazilian orders.
The need to reform MLAT was brought up in other testimonies as well. Jennifer Daskal, assistant professor at the American University Washington College of Law, said the MLAT process can be laborious in the U.S. and the range of responses to this by foreign countries include mandatory data localization requirements, unilateral assertions of extraterritorial jurisdiction, compulsory anti-encryption and even threats to local employees of the U.S. firm.
Another wrinkle for data transfer is likely to be the European Union's upcoming implementation of the proposed General Data Protection Regulation, which is expected to come into force in the spring of 2018. "Once the GDPR comes into force, the conflict between EU law and U.S. requirements will become even more stark," Smith said.
Sign up for CIO Asia eNewsletters.