Frequently Asked Questions

What are MLATs?

Mutual Legal Assistance Treaties (MLATs) are agreements between two or more countries, which create obligations under international law for governments to assist one another in criminal investigations and prosecutions. Law enforcement officers or prosecutors use them when they need help to obtain evidence from within another country’s jurisdiction.

What are the benefits of MLATs?

MLATs create a predictable process for sharing information across jurisdictions. Where MLATs do not exist, letters rogatory (formal requests for information to a foreign court) or informal requests are used, but they lack predictability and oversight.

Many MLATs also include protections to ensure respect for international human rights and domestic privacy protections (see below).

What MLATs are there?

MLATs can be bilateral or multilateral. There are regional MLA schemes within Europe, the Americas, Commonwealth countries, and South-east Asia. Some of the key regional MLATs include:

There are also many subject-specific conventions that include MLA provisions. Some of these conventions include: the UN Convention against Corruption; the UN Convention on Transnational Organized Crime; the OECD Convention on the Bribery of Foreign Public Officials; and the UN Convention on Psychotropic Substances. States that are party to these conventions can use the mutual legal assistance provisions for offences that are covered within those conventions.

What kind of assistance can be obtained under an MLAT?

Most MLATs are drafted broadly to facilitate a wide range of assistance. Many MLATs state near the beginning of the treaty that governments should provide ‘the widest possible measure of mutual assistance’. They typically provide an inclusive list of the types of assistance that can be provided. Common examples include:

  • obtaining witness testimony (either voluntarily or by compulsion)
  • executing search warrants
  • obtaining bank records
  • freezing or forfeiting the proceeds of crime.

Recently, there has been huge growth in MLAT requests to access online records. As criminals have gone online to communicate and store their data, government officials need to access this information to investigate and prosecute crimes. Very often, the electronic records are held by companies such as Google, Facebook, Yahoo! or Twitter. These companies treat the vast majority of their data as being located in California and therefore subject to Californian jurisdiction. If the investigation or prosecution is happening in a country outside of the US, this means that there are multiple jurisdictions involved and an MLAT request may be necessary.

MLATs can be used to obtain a user’s online records: subscriber details, email content, metadata, and social media.

What is the process for sharing information?

MLATs require a designated agency (“Central Authority”) in each State to handle requests, and some provide a timeline for the production of information. Each MLAT establishes its own procedure, but they generally work as follows:

  • The Central Authority in the requesting State requests information from the Central Authority in the requested State, using the format specified in the MLAT. MLATs usually specify what information the request needs to include (such as details of the crime under investigation, the name and address of the person under investigation, etc.). Some MLATs, including the MLAT between India and Canada, require that each request contain the basis for believing the information will be located in the jurisdiction of the receiving state.
  • The receiving State determines whether there is a legitimate reason to deny the request for information. If not, they process the request.
  • Sometimes the requesting state seeks a witness for a trial. In such a case, the MLAT will generally establish guidelines for transporting the person or in some instances will provide procedures for remote testimony.

What if there isn’t an MLAT?

Just because there isn’t a formal MLAT between countries does not necessarily mean that they cannot provide mutual legal assistance to one another. Many countries, including the US, can provide or request mutual legal assistance without needing a formal treaty; it depends on each country’s domestic laws.

MLA without a treaty is usually made on the basis of reciprocity. This is a formal undertaking that the country requesting assistance will provide assistance to the other government if the situation is reversed in the future (i.e., if the other government requires mutual legal assistance). The process for providing MLA without a treaty is usually substantially the same as with a treaty. Without the formal framework of a treaty, the countries rely on their own domestic legislation. Some countries have mirrored the types of safeguards and procedures in their domestic legislation but others have not. In this way, mutual legal assistance that is provided pursuant to a treaty is easier to understand and more predictable to those who are outside of the system.

If the country is not able to conduct MLA without a treaty, it may be able to use the process of letters rogatory. This system predates MLATs but is still available in many countries as a parallel process. Letters rogatory are formal requests for assistance that are made to a judicial authority in another country. This differs from assistance under an MLAT because it is made straight to a court, rather than through the government’s designated central authority. Letters rogatory are usually available to both government officials and to individual defendants.

Is MLAT just for governments?

In the vast majority of cases, MLATs are used by and on behalf of government investigators or prosecutors. However, some MLATs specifically allow for defendants to ask that a request be made on their behalf. The request must still be made by the government. In other countries, including the US, defendants are not able to use mutual legal assistance and must instead use letters rogatory.

Who has an MLAT agreement with my country?

MLATs are publicly available; they’re formal treaties and therefore must be published and registered with the United Nations. However, it’s not always easy to find them, so we have been compiling links to MLATs as part of Access’ commitment to create a more informed, transparent discussion about MLATs.

Even if two particular countries do not have a bilateral MLAT, they may be able to use the mutual legal assistance provisions in multilateral conventions (see discussion above). These multilateral conventions are subject-matter specific, so MLA is only available for offences covered by that convention.

When do you need an MLAT request for online records held by a US Company?

The short answer is that there is no clear answer. The longer answer is that it depends on the nature of the information sought (e.g., content or non-content), the offence to which it relates (e.g., whether both the US and the foreign country could have jurisdiction), and which company holds that data.

Content

If the internet company is based in the US, a user’s data has all the protections of the Electronic Communications Privacy Act (ECPA) regardless of whether or not the user is physically in the US. Under ECPA, a company cannot disclose the content of a user’s account except in response to a warrant (or in emergency situations) and only US government officials can obtain such a warrant. This means that foreign governments can only obtain the content of a user’s account with the assistance of the US government. Usually, this will be through a full MLA request (or letter rogatory).

However, if US law enforcement obtains that user’s data as part of a US investigation or prosecution, that information may be able to be shared with foreign law enforcement through police-to-police cooperation. Police-to-police cooperation is governed by informal agreements and memoranda of understanding. The details of these agreements are often not publicly available and the processes are comparatively light on documentation and public oversight.

Some crime types such as online child pornography have an inherently international aspect and will often be able to be characterized as both a US offence and a foreign offence. They therefore lend themselves to this type of information sharing, which means that foreign law enforcement officers can obtain the information without going through an MLA arrangement. More conventional crime types (e.g., murder) will not usually be able to be seen as a joint investigation and therefore the foreign law enforcement officers will have to obtain the information through MLA.

Non-content

The laws and policies on how foreign governments can access non-content information are unsettled and inconsistent. ECPA allows companies to disclose non-content information to non-government entities. However, it does not require them to disclose it or to recognize a foreign court order. This means that disclosure of non-content information is entirely at the discretion of the internet companies. Different companies adopt different policies on this issue. Dropbox and Google take opposite approaches, but both companies are refreshingly open in explaining their policy. Other companies’ websites neatly sidestep the issue.

  • Google: “On a voluntary basis, we may provide user data in response to valid legal process from non-U.S. government agencies, if those requests are consistent with international norms, U.S. law, Google's policies and the law of the requesting country.”

  • Dropbox: “Dropbox currently requires data requests to go through the U.S. judicial system”.

  • LinkedIn: “We disclose account records solely in accordance with our terms of service and applicable law. A Mutual Legal Assistance Treaty request or letter rogatory may be required to compel the disclosure of the contents of an account.”

  • Twitter: “U.S. law authorizes Twitter to respond to requests for user information from foreign law enforcement agencies that are issued via U.S. court either by way of a mutual legal assistance treaty or a letter rogatory. It is our policy to respond to such U.S. court ordered requests when properly served.”

  • Facebook: “We disclose account records solely in accordance with our terms of service and applicable law. A Mutual Legal Assistance Treaty request or letter rogatory may be required to compel the disclosure of the contents of an account.”

What precautions are taken to ensure the rights of privacy and due process are respected?

Some MLATs make clear that the procedural and substantive laws of both countries need to be considered when requests are made. The Inter-American MLAT, for example, indicates that the law of the receiving state should indicate the protections for third parties who have a stake in the requested items (e.g., the person under investigation or the private company holding the requested data).

The United States Code contains a provision to grant federal judges the power to issue search warrants based on applications they receive from foreign authorities through the Department of Justice. This ensures that investigations initiated by foreign authorities are subject to judicial oversight just as a traditional criminal investigation would be.

Other MLATs prioritize the sharing of information over domestic privacy law. For example, the US-EU MLAT establishes that the legal standards protecting personal data in the requesting state can’t be used by the receiving state as a basis to reject the request.

The Inter-American Commission (IACHR), a body that interprets regional human rights law, has said that MLATs need to conform to human rights by protecting privacy and due process. The IACHR also raised the issue of informal mutual legal assistance being used as a means to circumvent legal protections, violating individuals’ rights to security and liberty and tarnishing any legal proceedings resulting from these unfair practices.

All MLATs should operate in accordance with international law protections. The International Convention on Civil and Political Rights (ICCPR) is a treaty ratified by nearly all countries, and contains protections for privacy and due process. Specifically, Article 17 of the ICCPR protects against unlawful interference with an individual’s right to privacy, including in correspondence, and states that all people are guaranteed the protection of this right. Article 14 grants individuals the right to be informed promptly and in detail of any charges and to defend themselves with legal representation of their own choosing.

Are there limits on how data obtained through MLATs can be used?

Some MLATs limit the use of data to the purpose stated in the request, but under some treaties, such as in the EU-US MLATs, data can be used for another purpose with the consent of the requested State.

When may a state refuse to comply with a request for information?

MLATs contain permissible reasons for rejecting a request for information. The UN Model MLAT includes many of the commonly provided reasons for properly rejecting information requests:

  • The request would interfere with the receiving state’s sovereignty, security, public order, or other essential public interest;

  • The offense is of a political nature;

  • There are substantial grounds to believe the prosecution is based on a person's race, sex, religion, nationality, ethnic origin or political opinions or they will be prejudiced on those factors;

  • The prosecution in the requesting state would interfere with the double jeopardy law of the receiving state;

  • The act is an offence under military law, which is not also an offence under ordinary criminal law.

What are some of the problems with MLATs when used for online records?

The MLAT system was designed for the 20th century and struggles to cope with the pace and complexity of data transfers across multiple jurisdictions. It can take a long time for law enforcement to be able to access evidence held online -- the President’s Review Group says the average is 10 months -- and sometimes in the order of years. There is uncertainty about when data can be shared, with whom, and on what terms, and it all happens with very little transparency or oversight. This is a problem for law enforcement who want to catch criminals, but also for users who are concerned about protecting their privacy and other important rights.

Access has prepared a discussion paper analysing the various problems with MLATs, which can be found [here].

What are the solutions to the problems with MLATs?

Access has prepared a discussion paper analysing a variety of proposed solutions to improve the MLAT system, which can be found [here].

What do the companies’ transparency reports tell us about MLAT requests?

Since Google first published a transparency report in 2009, other internet companies have gradually followed. Dropbox, LinkedIn, Microsoft, Twitter, Facebook, and Yahoo! all now publish transparency reports. Telecommunications companies are now finally starting to publish transparency reports too, with Verizon having published a first report, and AT&T and Vodafone signalling an intention to do so as well. These reports provide some insight into the number of law enforcement requests being made to internet companies and telcos. However, it is difficult to use these figures to draw any meaningful conclusions about MLAT requests.

The transparency reports show the number of requests from different foreign countries and then the number from within the US. However, the numbers provided for foreign countries only refer to direct requests made by foreign law enforcement; they do not include the number of requests received through the MLAT process. Instead, MLAT requests are included as part of the requests from the US government. This distorts the number of US requests and means that it is impossible to tell how many MLAT requests are being made and from which countries. This problem arises because the companies do not see where an MLAT request originated; they only see the US court processes.

Where are the transparency reports from governments?

Good question. Some governments publish annual statistics on the number of MLAT requests made and received, but these reports are often buried in departmental annual reports and are difficult to find unless you know where to look. Many MLATs allow the requesting country to ask for the request to be kept confidential. Governments are often concerned that revealing information about MLAT requests could jeopardize investigations.

As part of the push for transparency, last year Access filed Freedom of Information Act requests with the U.S. Department of Justice and the FBI. The FOIA requests sought “any and all information pertaining to or documenting requests made by foreign countries through Mutual Legal Assistance treaties… with the U.S. that sought... electronic information.”

While we were initially told there were no responsive records to our request, the Department of Justice Office of Information Policy ruled positively on our appeal in late December, requiring the DoJ’s Criminal Division to do another search for this information. We are still waiting on the outcome of this revised search.

Who pays for all this?

Most MLATs specify that each country covers its own costs in processing requests (i.e., the requested country does not ask for any financial contribution from the country seeking assistance). In exceptional circumstances, such as a particularly expensive request, the requested country can ask for financial assistance.