Chapter 3: Lawful Access Challenges
Special Report on the Lawful Access to Communications by Security and Intelligence Organizations

Cross-border Nature of Digital Data: Impact and Mitigation Activities

121. CSIS and the RCMP contend that the global nature of the internet presents significant jurisdictional challenges and delays. Although Internet platforms and real-time communications services have “assumed a critical role in facilitating network-enabled communications services,” they are “rarely Canadian-based, deploy varying degrees of encryption, may establish differing standards for law enforcement disclosure, and frequently issue expansive transparency reports.” ^{Footnote 282}

122. Many of the most popular communications services used by Canadians are based in the U.S. (e.g., Google, Facebook, and Apple), as illustrated in Figure 3.5. ^{Footnote 283} Under the U.S. Stored Communications Act, it is illegal for U.S. companies to disclose the content of communications to foreign authorities unless an order is served on them through the U.S. court system. ^{Footnote 284}

123. If digital information is required from a company based outside Canada, the RCMP may request it through a mutual legal assistance treaty (MLAT), where one is in place. ^{Footnote 286} For example, if the RCMP requires information from Facebook or Apple, it sends a request to Canada’s Department of Justice (DoJ), which sends it to the U.S. Department of Justice. After a request is accepted by the U.S. Department of Justice, an Assistant U.S. Attorney makes an application before a U.S. judge to obtain a warrant for the information. The FBI may execute the warrant after it is issued by the U.S. judge. ^{Footnote 287} Once the company provides the FBI with the information, it makes its way back to the RCMP via the two Justice departments. Even if the legal process is successful, if a company does not have a data retention policy, the content sought by an investigator may be deleted before the legal request arrives. ^{Footnote 288}

124. According to the RCMP, the MLAT process can take three to six months, and that delay can have an impact on investigations. ^{Footnote 289} In 2016, the U.S. Department of Justice described the MLAT process as “an important but often labor intensive mechanism for facilitating law enforcement cooperation, [and it] must contend with the challenges posed by significant increases in the volume and complexity of requests for assistance made to the U.S. in the Internet age” when many leading global CSPs are based there. ^{Footnote 290} *** the MLAT process was not designed to process “a very large number of electronic evidence requests at speed.” ^{Footnote 291}

125. MLATs are not an option for CSIS. *** ^{Footnote 292} *** ^{Footnote 293} *** ^{Footnote 294}

126. Both RCMP and CSIS see a potential solution to jurisdictional issues with a U.S. nexus by leveraging the U.S. Clarifying Lawful Overseas Use of Data Act (CLOUD Act). Enacted in 2018, the CLOUD Act seeks to expedite access to electronic information held by U.S.-based global CSPs. ^{Footnote 295} Canada and the U.S. are currently negotiating a Data Access Agreement to allow their respective law enforcement and security agencies to request data, including communications content, from each other’s service providers (discussed further in Chapter 4).

127. Apple, Facebook, Google, and Microsoft publicly support the CLOUD Act’s approach to cross-border data sharing, noting it would “allow law enforcement to investigate crossborder crime and terrorism in a way that avoids international legal conflicts.” ^{Footnote 296} *** ^{Footnote 297} *** ^{Footnote 298}

128. Some Canadian CSPs have expressed concern about how they will be able to respond to incoming requests from the U.S. when and if a bilateral Data Access Agreement is approved, particularly in light of the absence of a legal framework for intercept capability. ^{Footnote 299}