Nishimura Institute of Advanced Legal Studies (“NIALS”) Report by the “CLOUD Act Study Group” (Ver. 2.0)
- LEGAL ANALYSIS AND PROPOSALS ON CRIMINAL INVESTIGATIONS OBTAINING DATA HELD BY COMPANIES -
In recent years, data accumulation in companies has progressed and active cross-border data transfer has taken place more frequently. There have been many cases where a crime is committed in Japan, and data which is important evidence in the subsequent criminal investigation is held by a company on servers located in foreign countries. Therefore, it is increasingly important not only to obtain data stored on the terminals of suspects, but also to obtain data held by companies in Japan and in foreign countries. In these circumstances, considerations are underway in countries around the world regarding obtaining data held by companies in Japan and in foreign countries, and in March 2018, the Clarifying Lawful Overseas Use of Data Act (the “CLOUD Act”), which clarifies procedures in the United States when an investigating authority issues an order to disclose data that a company stores on servers located outside of the U.S., was enacted.
In March 2019, NIALS established the CLOUD Act Study Group (the “Study Group”), with George Shishido, Professor, The University of Tokyo Graduate Schools for Law and Politics as the Chairperson as well as Yurika Ishii, Associate Professor, Department of International Relations, National Defense Academy, Ministry of Defense of Japan and Go Naruse, Associate Professor, The University of Tokyo Graduate Schools for Law and Politics as the members. The Study Group examines, to begin with, Japan’s response to the U.S. CLOUD Act, and also analyzes legal issues relating to obtaining data held by companies for criminal investigations. The Study Group summarized the results of its discussions in “Nishimura Institute of Advanced Legal Studies ‘Report by the ‘CLOUD Act Study Group’ — LEGAL ANALYSIS AND PROPOSALS ON CRIMINAL INVESTIGATIONS OBTAINING DATA HELD BY COMPANIES —” (this “Report”) and published it in December 2019.
Nishimura Institute of Advanced Legal Studies (“NIALS”) Report by the “CLOUD Act Study Group” — LEGAL ANALYSIS AND PROPOSALS ON CRIMINAL INVESTIGATIONS OBTAINING DATA HELD BY COMPANIES — (December 2019)
Furthermore, as there were various movements in Japan and in foreign countries concerning obtaining data held by companies for criminal investigations after this Report was published, in August 2022, the Study Group began its review to update this Report and completed the update in April 2023. The pillars of the proposals of the updated Report are summarized below.
1. Further Use of Existing Investigative Methods for Obtaining Data Held by Companies, and Considering New Systemic Designs
In recent years, data accumulation in companies has progressed, and it is necessary for investigating authorities to obtain data held by companies efficiently and effectively through cooperation with companies, while taking into account the interests of Data Subjects and companies. A system exists under current laws for seizure via an order to produce a copy of records, to ensure this cooperation, and it is expected that this system will be used actively; however, there are also issues with this system. Under these circumstances, the Criminal Law (pertinent to information and communications technologies) Subcommittee of the Legislative Council of the Ministry of Justice is currently holding discussions to promote digitized or online warrant proceedings and to establish a system for Orders to Produce Electromagnetic Records. If these goals are realized, they are highly expected to promote efficient, effective data acquisition through smooth cooperation between investigating authorities and companies. There are various issues to consider when designing these systems, such as ensuring security when presenting an online warrant to a company holding data, and when submitting data, ensuring the fairness and transparency of procedures for prior or subsequent notice to Data Subjects, expansion of the system to impose confidentiality obligations and similar restrictions, and analyzing relationships with other laws and regulations relating to data protection. It is necessary to advance discussions on these issues while considering technological innovations and sophisticated criminal investigations, domestic and foreign companies’ response policies and actual responses, and movements in foreign countries and international forums, with the aim of both strengthening investigating authorities’ investigative capabilities and protecting the rights of relevant persons.
Another method for investigating authorities to obtain data held by companies is to access the server where the data is stored themselves (i.e., remote access). While this investigative method is useful in different ways from the method of asking companies to submit data, it is advisable to examine the design of the system further, to give consideration to the interests of Data Subjects and the companies that are server-managing entities, as well as to guarantee due process of law in the future.
In addition, the prospect of the data so obtained being used in a criminal trial should be considered. In this respect, the relevant Subcommittee of the Legislative Council of the Ministry of Justice has considered the examination methods for trials where data is presented as evidence; however, moving forward, it is advisable to establish certain objective indices (standards or criteria) in order for courts to appropriately evaluate the authenticity and probative value of the data presented as evidence.
2. Deepening Discussions Regarding Trans-border Data Access for Investigative Purposes From the Perspectives of International Law, and Participating in the Establishment of a Cross-national Framework
There are ongoing domestic and international discussions regarding the legality of obtaining data stored outside the territory of an investigating authority. Under international law, if a state exercises its jurisdiction in the territory of another state, such an act infringes upon the other state’s sovereignty. However, it is also possible to conclude that obtaining data stored on servers located in the territory of another state for investigative purposes, for example, through the issuance of a data production order against a domestic company with regard to its data stored overseas, does not necessarily constitute an unlawful exercise of the investigating country’s jurisdiction in the territory of another state, depending on the method employed. In Japan, the 2021 Supreme Court Decision triggered discussions on the methods and limits of trans-border data access; however, given the importance of obtaining data stored abroad appropriately and swiftly, Japan should endeavor to deepen discussions of investigative methods that accord with international law while maintaining Japan’s policy of respecting the sovereignty of other states.
In addition to building multinational frameworks, such as the Convention on Cybercrime and the Second Additional Protocol, international collaboration can be achieved and advanced through the establishment of bilateral (or multinational) frameworks as envisioned by executive agreements pursuant to the CLOUD Act. As a first step, it is considered effective for Japan to build this type of bilateral (or multinational) framework with like-minded countries with which Japan shares internationally recognized principles, for example, the OECD Government Access Declaration concerning access by public bodies to data held by companies (government access), and a common sense of values, in accordance with the trustworthy concept of Data Free Flow with Trust, while also participating in discussions toward building a multinational framework. If development of a system for Orders to Produce Electromagnetic Records, or other systems, progresses in Japan (see Proposal 1), this will lead to establishment of a foundational system that will allow for bilateral (or multinational) collaboration with like-minded countries, including the U.S.; therefore, it is advisable to proceed with necessary discussions on legal issues to execute bilateral international agreements with like-minded countries.
3. Promoting Companies’ Efforts to Ensure Transparency of Government Access
In order to obtain a deeper understanding from Data Subjects and civil society regarding the obtaining of data held by companies for investigative purposes, in addition to government-level efforts, it is important that companies and industries also make voluntary efforts to ensure transparency regarding government access, such as releasing transparency reports that aggregate responses to requests for government access, and preparing and releasing response policies.
These efforts will allow companies to provide a sense of security to users who are Data Subjects and to improve civil society’s trust in each company, and will contribute to the competitiveness and interests of companies in the long run. Therefore, companies and industries are also expected to advance discussions on specific efforts to ensure the transparency of government access (disclosing response policies and actual responses to investigating authorities’ requests for disclosure of information) and to make increased efforts in this regard.