A Galaxy S9+ smartphone. (David Paul Morris/Bloomberg News)

Lisa O. Monaco, a senior fellow at New York University School of Law’s Center on Law and Security, was homeland security and counterterrorism adviser to President Barack Obama from 2013 to 2017. John P. Carlin, chair of the law firm Morrison & Foerster’s global risk and crisis management group and the Aspen Institute’s Cybersecurity & Technology Program, was assistant attorney general for national security from 2014 to 2016.

How should law enforcement officials deal with digital data that happens to be stored in a different country? If FBI agents, pursuing a subject who committed a crime in the United States, serve a valid court order on an American company, the government shouldn’t have to wait a year because the company happens to store the information overseas. Likewise, if the London police are investigating a local murder, the fact that they are seeking phone records from a communications provider located in the United States should not block them from doing their job. 

That sounds like simple common sense. But in the modern world, law enforcement and national-security professionals are too often forced to use 19th-century tools in a global, 21st-century world.

Currently, for too many cases, the only option for police and prosecutors trying to do their jobs is to use mutual legal assistance treaties. That cumbersome model dates back decades and is not designed for a digital age, when even purely local crimes might involve evidence located overseas. The process requires lengthy reviews at both ends; picture layers of lawyers and diplomats, memorandums with multiple official seals and the occasional broken fax machine. For example, the average response time for a routine request to Ireland — a country where many U.S. tech companies store their data — is 15 to 18 months.  Worse, as data storage moves across the cloud, and where one email can consist of data stored in multiple places at once, it can be difficult or impossible to determine exactly where information resides at any given moment. 

We served as law enforcement and national security professionals across multiple administrations, including in leadership roles at the FBI, the Justice Department and the White House. Both of us have witnessed these problems firsthand. We have seen investigations stalled, and we have heard tech companies express concerns that they are stuck in the middle of outdated, unclear and even contradictory legal regimes as they do business around the globe. 

The fallout from this antiquated and unwieldy situation is seen on multiple continents. The Supreme Court recently heard oral arguments in a case involving whether the U.S. government can force Microsoft to turn over data stored overseas. How the court will rule is unclear, but justices across the ideological spectrum — as well as the parties on both sides — agreed that Congress should update our laws governing access to data held overseas. And no matter how that case goes, it will not determine whether U.S. companies can comply with foreign governments’ requests for data stored in this country. Meanwhile, the European Union is weighing legislation to require companies operating within the E.U. to turn over data stored in another country — even if doing so might violate that country’s laws. 

This is not a tenable situation. A promising solution is the Cloud (Clarifying Lawful Overseas Use of Data) Act, introduced by a bipartisan coalition in the Senate last month. The Cloud Act provides two critical fixes: First, it enables U.S. law enforcement agencies to access data held by U.S. companies that is stored overseas. It would do so by amending federal law to clarify that companies served with legal process in the United States for stored communications and related data must disclose records within the provider’s possession, custody, or control — regardless of where those materials happen to be stored. 

Second, it would allow our government to enter into agreements — subject to review by Congress — to permit U.S. companies to respond to the same type of legal orders from countries that share our values and have legal systems that provide equivalent protection for civil rights and liberties. This provision is carefully crafted to allow companies to seek to block requests for information in situations that could threaten another country’s sovereignty and to ensure the protections of U.S. citizens. If other countries want data that is stored in the United States, their requests must relate to serious crimes and use legal processes that share basic features of a U.S. search warrant. 

U.S. officials attempting to investigate crimes and national-security threats in the 21st century should not be required to chase down evidence from cloud to cloud in what one U.S. court described as a “global game of whack-a-mole.” Our counterparts in like-minded countries should not have to face the same problem. And tech businesses should not be caught between conflicting legal regimes in which one country demands data while another country’s laws forbid providing it. 

In short, only Congress can provide a unified policy framework for addressing this and other issues, including conflicts of law. Without a viable solution, countries will continue to move toward “data localization” laws requiring companies to keep their data onshore — a requirement that is bad for business, bad for civil liberties and bad for public safety.