• Amendment to Criminal Procedure Rule 41 Impacts Data Privacy in U.S. and Abroad
  • December 6, 2016 | Authors: Mark D. Herlach; Francis X. Nolan; Robert D. Owen; Phillip E. Stano; Mary Jane Wilson-Bilik
  • Law Firms: Sutherland Asbill & Brennan LLP - Washington Office; Sutherland Asbill & Brennan LLP - New York Office; Sutherland Asbill & Brennan LLP - Washington Office
  • On December 1, 2016, amended Rule 41 of the Federal Rules of Criminal Procedure (FRCP) went into effect, thus expanding federal law enforcement’s power to search and seize electronic data. The new rule will allow law enforcement to seek a warrant from a “magistrate judge with authority in any district where activities related to a crime may have occurred” and use that warrant to legally access and copy data from any computer system that may be “concealing” electronically stored information (ESI) pertinent to, or damaged by, the crime. The rule has caused consternation among privacy activists and technology companies, and may ultimately clash with international privacy laws.

    Prior to the rule change, federal law enforcement agencies were required to obtain a warrant from a magistrate with jurisdiction over the location where a computer system was physically located. This requirement proved challenging for law enforcement because computer locations can easily be hidden or “masked” over the Internet using tools like Virtual Private Networks or secure browsers that anonymize Internet traffic. While these tools can be used for legitimate purposes, the Department of Justice (DOJ) cited the increased use of masking by criminals to conceal themselves to justify the need for expanded warrant power. The DOJ also pointed out that the rise of botnet attacks—where a host computer takes control of other Internet-connected devices for nefarious purposes—justified the rule change. Proponents of the change have also argued that the rule merely addresses venue and does not create or alter substantive rights or duties (which would violate the Rules Enabling Act).

    Not surprisingly, opponents of the rule change fear it will place unchecked power in the hands of law enforcement agencies. This could lead to innocent individuals, many not even aware that their devices participated in an attack, being “hacked twice”—once by the attacker and once by the government. Opponents are concerned that in an effort to combat cybercrime, law enforcement could ultimately compromise data integrity and further erode privacy on the net.

    Additionally, the rule change is raising privacy concerns overseas, particularly within the European Union. The E.U. Data Protection Directive (Directive 95/46/EC) prohibits the processing or transfer of personal data to a country outside the European Economic Area (EEA). On October 6, 2015, the U.S.-E.U. Safe Harbor framework, which allowed for data transfer between the EEA and the U.S., was invalidated after a finding by The Court of Justice of the European Union that certain U.S. surveillance practices infringed upon Europeans’ rights and freedoms in regard to the processing of personal data. The Privacy Shield framework, enacted to replace Safe Harbor and restore legal data transfer, has come under fire for not containing adequate privacy safeguards.

    While Rule 41 does not mention access to data in foreign countries, it appears to give U.S. federal law enforcement agencies global authority over all computer systems that have been hacked or are acting as repositories for illegal ESI. If the rule is used to access computer systems abroad, the U.S. government may encounter pushback from international organizations and European citizens alike, further endangering the Privacy Shield framework.

    The amendments to the FRCP, approved by the U.S. Supreme Court and sent to Congress on April 30, 2016, were met with some skepticism from at least two Senators. A group of 50 U.S.-based organizations, led by Google, PayPal and the ACLU, among others, also raised concerns about the breadth of the rule change and what it would mean for clients’ privacy. Perhaps given the chaotic election, those concerns and skepticism were not enough to garner support for a delay to the rule change.

    Sutherland will continue to monitor amended Rule 41 FRCP related issues and report on significant developments in this area. Meanwhile, entities should reexamine their privacy practices and protections with the compliance challenges of newly amended Rule 41 FRCP in mind.