Passage of the CLOUD Act in the U.S. and the subsequent dismissal of the "Ireland Warrant" litigation raise two important questions. First, does the law grant sweeping new powers to reach data stored abroad? The reality is that it does not, because governments have long claimed such authority. Second, does the CLOUD Act, along with the proposed eEvidence Regulation in the EU, offer hope of a future where the rules for cross-border data demands are more rational, proportionate, predictable, and transparent? There is more work needed to ensure that these policies function effectively for law enforcement while protecting civil liberties. But we certainly hope so. In order to advance the conversation, Cisco commits to updating our transparency report to reflect more information about the nature and number of cross-border demands we receive for customer data.
On the first question about whether the CLOUD Act makes U.S. law more sweeping in its reach, we believe the answer is no, for three reasons.
This debate highlights the possibility that companies may find themselves in the untenable position of being required under one country's laws to produce data - and prohibited from doing so by the laws of another. In the U.S., the Department of Justice long ago adopted a policy requiring that federal prosecutors coordinate with headquarters before issuing so-called "Bank of Nova Scotia" demands. However, Cisco firmly believes that governments around the world should go further and spell out the specific criteria upon which a cross-border demand will be premised, how such determinations are made, who has the authority to authorize them, and how often such approvals occur.
This brings us to the second major point - we hope that these new laws and regulations will lend clarity, predictability, and rationality to requirements for cross-border data demands between like-minded governments. To the extent authorities around the world spell out the circumstances under which they will directly compel providers to produce data stored beyond their borders, it is essential that they also address the potential conflicts of law with third countries. This should include adopting meaningful safeguards for fundamental rights of individuals, which will benefit from more transparency around cross-border demands for data.
We also believe that transparency is a two-way street. Cisco publishes a transparency report where we provide aggregate data about the nature and types of law enforcement demands we receive seeking customer data. Given recent changes in the law adopted in the U.S., and pending in the EU, Cisco will update our transparency reporting accordingly. We commit on a going-forward basis to track and report cross-border demands for data in our transparency report found at trust.cisco.com.
There is a role for each of us - governments, technology providers, and customers - in balancing the needs of enterprise data security with the need to support law enforcement efforts aimed at fighting crime. At Cisco, we are doing our part by evolving the scope of our transparency reporting. Governments need to step up by rationalizing their systems for cross-border data demands. Customers should look for providers that deliver transparency around their processes and also demand more clarity and coordination from governments about their policies for cross-border data demands.
For more information, visit trust.cisco.com.