The U.K. Pleads with Congress to Change an Outdated Privacy Law to Help Fight Terrorism

As law enforcement officials scrambled this week to connect the dots after a deadly terrorist attack in Manchester, U.K., the country’s deputy national security advisor traveled to the United States to urge Congress to change a 30-year-old law he says routinely hinders criminal investigations.

Paddy McGuinness—the first sitting U.K. government official ever to testify in Congress—told members of the Senate Judiciary Committee on Wednesday that he came to Washington because Prime Minister Theresa May has “assured the British people that we will take every measure available to us to provide every additional resource we can to the police and security services as they work to protect the public” against future attacks.

McGuinness pleaded with Congress to make a “technical adjustment” to the Electronic Communications Privacy Act (ECPA), which among other things prohibits U.S. technology companies from disclosing stored communications to foreign governments. Instead, foreign law enforcement officials must request that data via the time-consuming Mutual Legal Assistance Treaty process, which can take months.

McGuinness said that since many criminals in the U.K. communicate using products and services made by U.S. companies, this “arbitrary” legal hurdle is causing crimes to go unsolved and criminals unpunished (see “Why Congress Can’t Seem to Fix This 30-Year-Old Law Governing Your Electronic Data”).

Changing ECPA would open the door for a bilateral law-enforcement data-sharing agreement between the U.S. and U.K, said McGuinness, appealing to the special relationship between the two countries. He assured lawmakers that such an agreement would not allow the U.K. to target U.S. citizens or anyone in the U.S.

American companies dominate the global marketplace for social media and cloud services, and a number of countries in addition to Britain are growing frustrated at their inability to access data during investigations.

Last year, Brazilian law enforcement arrested Facebook’s regional vice president after the company refused to turn over WhatsApp messages during a criminal investigation. Some countries are responding by passing laws that force companies to keep a copy of their citizens’ communications within their borders. If Congress doesn’t change ECPA, governments may also resort to surreptitious methods to access data, like hacking, Jennifer Daskal, a professor at American University Washington College of Law, warned the committee.

U.S. investigators could also benefit from revising the law. Last summer, a federal appeals court ruled that a search warrant issued under ECPA did not extend to data stored outside the U.S.—in that case, Ireland. New legislation could extend that warrant authority beyond U.S. borders. Congress “should resist the false promise of any simplistic or quick fix, however, argued Microsoft president and chief legal officer Brad Smith in his own testimony. “Our laws can no longer ignore the technological progress made over the past three decades,” and failure to enact a comprehensive new framework “will ultimately undermine U.S. interests,” Smith said.