- Blog Post
- Blog posts represent the views of CFR fellows and staff and not those of CFR, which takes no institutional positions.
At the first session of the 2016 Forum on Internet Freedom in Africa, questions about cross-border data access—usually a dry topic—took center stage. The moderator and participants grilled representatives from Google and Facebook about the fairness of limited African access to African data held by U.S. companies, invoking the need for greater “internet sovereignty.” These remarks contrasted with one year ago, when I could find no one at this forum talking about African data access problems. Africans are now thinking about this issue, but the U.S. government is not really considering Africa as it debates the future of cross-border data requests. The standards outlined in the Obama administration’s draft proposal will be most easily met by favored U.S. partners; the United Kingdom appears to be first in line for a deal. Left-out countries will have few viable options for accessing data and may turn to damaging alternatives.
Background: A Year of MLAT Reform
The past year brought cross-border data access into the limelight. Countries have grown frustrated with the primary mechanism for accessing data held by U.S. tech companies: Mutual Legal Assistance Treaties (MLATs). As communications increasingly depend on U.S. tech companies, data needed for run-of-the-mill criminal investigations often resides in the United States, and countries turn to MLATs for access. MLATs with the United States generally require countries to meet U.S. legal standards when seeking data stored in the United States.
The MLAT process is usually slow and opaque, frustrating countries using it. It can take six weeks to ten months to process requests, depending on the request’s complexity and compliance with U.S. legal standards. Countries also take issue with U.S. law essentially dictating global practices. Countries have sought other troubling means of accessing data, with the UK seeking extraterritorial powers, Russia exploring data localization, and Brazil threatening companies with legal action.
Over the past year, efforts to reform cross-border data access have progressed. The United States and the United Kingdom have negotiated a proposed agreement, and the Department of Justice released draft legislation to make such agreements possible for approved countries. (The legislation is unlikely up for consideration until after the U.S. election.)
Africans Want Improved Data Access
Although Africa currently has low levels of internet penetration, it also has some of the highest internet use growth rates. Internet policy issues are increasingly important to Africans, and African internet policy wonks are joining the call for cross-border data access reform. Tefo Mohapi, the moderator of the opening panel, asked company representatives about building mirror datasets in African countries to allow African countries greater access to data held by U.S. companies, a form of data localization. “It all goes back to internet sovereignty,” Mohapi argued. “You operate with legal impunity without regard for state sovereignty.”
Participants continued to criticize the United States, adding that, “America has ceased to be the shining jewel of internet freedom” post-Snowden. African countries are often portrayed as untrustworthy and undeserving of data, even by the company representatives at this conference. Post-Snowden, African countries “want the discourse to expand beyond bad African governments, with the kind United States coming to save us.” African governments should have the same access as the now-untrustworthy United States, participants argued.
The company representatives responded to these criticisms by highlighting ongoing cross-border data access reform efforts. They emphasized that existing cross-border data access procedures are burdensome, and that they are in conversation with governments to change the process. They eagerly pointed out that ultimate responsibility for fixing this problem rests with governments, not companies.
Only two African countries, South Africa and Egypt, currently have MLATs with the United States. The proposed U.S. legislation could allow countries without MLATs to gain legal access to data (see Section 4), in theory addressing African concerns. In practice, however, it could be difficult for some African countries to meet the legislation’s legal standards. The United States must determine that a country has an independent judiciary, adequate substantial and procedural cyber laws, and adequate international human rights practices. The lack of adequate cyber laws alone would be enough to thwart most African data access agreements with the United States. More generally, the United States will likely not consider countries without MLATs a priority for new data access agreements. African countries’ general lack of political pull could considerably slow or reduce new African data access agreements.
Left Out of MLAT Reform: Potential Consequences
Cross-border data access reform is generally portrayed as the solution to the data localization laws, prosecutions of tech companies, and extraterritorial application of laws that countries have pursued when frustrated with MLATs. Most countries who have been turning to these methods, however, at least have MLATs, while African countries do not. African countries will likely be last in line for new data access agreements. Being shut out of both data access options means African countries will be twice marginalized.
African countries lacking an MLAT and a data access agreement with the United States will have few options for pursuing data. Countries can submit emergency requests to companies or ask for a joint investigation with the United States. African countries are already sensitive to concerns that they lack autonomy, and autonomy-constrained states are often most motivated to protect their autonomy. African countries might respond to their double marginalization by enacting data mirroring requirements, as the moderator at the forum suggested. Another forum participant suggested that African governments might increase internet shutdowns if they lack post-hoc data access, as a way of preemptive control. Ironically, U.S. efforts to allow countries greater access to data in the United States may result in African citizens having less access to the internet.
Cross-border data access should not be extended without qualification. Still, current reform plans seem likely to place African countries in a difficult position on a policy area that is increasingly important to them. If the United States really seeks to limit the proliferation of damaging data-access workarounds, it should think about what will happen to those who are left out of cross-border data access reform.