Accessing Digital Evidence Across Borders: How Does Japan Handle Investigations Involving Overseas Servers?

Cybercrime, by its very nature, is often borderless. Malicious actors can operate from anywhere in the world, and crucial digital evidence—emails, transaction logs, user data, illicit content—can be stored on servers located in foreign jurisdictions, far from where the crime's impact is felt or where investigators are based. This presents a profound challenge for national law enforcement agencies, including those in Japan: how can they lawfully access vital evidence stored overseas without violating international legal norms or the sovereignty of other nations?

The Fundamental Obstacle: Territorial Sovereignty in Criminal Investigations

A bedrock principle of international law is that states exercise exclusive sovereignty within their own territory. Consequently, law enforcement agencies of one state generally cannot conduct investigative activities within the territory of another state without the latter's consent. This principle extends not only to physical presence but also to actions taken remotely from within one's own country that have direct investigative effects in another, such as accessing a computer server located abroad. Unilateral, non-consensual access can be viewed as an infringement of the host nation's sovereignty.

International Frameworks: The Role of the Cybercrime Convention (Budapest Convention)

Japan is a signatory to the Council of Europe's Convention on Cybercrime (often referred to as the Budapest Convention), which is the most significant international treaty addressing cybercrime and electronic evidence. The Convention provides a framework for international cooperation and also contains provisions regarding certain types of transborder access to data.

Article 32 of the Budapest Convention is particularly relevant. It specifies circumstances under which a signatory state may access stored computer data located in another signatory state without necessarily going through the formal Mutual Legal Assistance (MLA) process:

1. Access to Publicly Available Data (Art. 32(a)): A party may, without the authorization of another Party, access publicly available (open source) stored computer data, regardless of where the data is geographically located.
2. Access with Lawful and Voluntary Consent (Art. 32(b)): A party may, without the authorization of another Party, access or receive, through a computer system in its territory, stored computer data located in another Party, if the accessing Party obtains the lawful and voluntary consent of the person who has the lawful authority to disclose the data to it through that computer system.

The Explanatory Report to the Convention clarifies that Article 32 addresses situations where the drafters reached a consensus on permitting such access without prior authorization from the state where the data is located. It does not, however, explicitly prohibit other forms of transborder access, nor does it broadly authorize them, leaving many scenarios to be governed by other international agreements (like MLATs) or domestic law.

Japan's General Stance: Prioritizing Consent and Formal Cooperation

In practice, Japanese law enforcement authorities and courts have generally adopted a cautious approach to accessing data stored on overseas servers, particularly when the situation falls outside the explicit permissions of Article 32 of the Budapest Convention. The preferred methods are:

1. Mutual Legal Assistance Treaties (MLATs): Japan has MLATs with numerous countries. These treaties provide formal channels for requesting and obtaining evidence, including digital evidence, from foreign authorities. While often reliable, MLAT processes can be time-consuming.
2. Seeking Consent from the Foreign State: Obtaining explicit permission from the authorities of the country where the server is located.
3. Obtaining Lawful and Voluntary Consent from Data Controllers/Custodians: Aligning with Article 32(b) of the Budapest Convention.

This cautious stance is rooted in a desire to respect international law, maintain good diplomatic relations, and avoid actions that could be construed as infringing upon the sovereignty of other nations.

Judicial Perspectives in Japan: Balancing Domestic Law and International Comity

Japanese court decisions have shed some light on the complexities involved when investigations touch upon data stored abroad.

• The Tokyo High Court decision of December 7, 2016 involved a case where investigators, after seizing a laptop in Japan, later used it (or its forensic copy) to access an email server believed to be operated by a U.S. entity ("G-sha," likely Google). The access was done under a domestic "inspection warrant" (kenshō kyokajō, 検証許可状) for the laptop itself. The High Court found the access to the server illegal based on domestic procedural grounds, reasoning that an inspection warrant for a seized device does not authorize a separate investigative act against an external server, which could infringe third-party rights. Significantly, the court also commented that given the server was potentially located overseas, investigators should have considered utilizing international mutual assistance channels. This underscores a judicial preference for formal cooperation when foreign jurisdictions are involved.
• The Osaka High Court decision of September 11, 2018, dealt with a situation where investigators performed remote access from computers in Japan to servers, some of which were believed to be in the United States. The access was initially asserted to be based on user consent, though the court later found this consent to be involuntary, meaning the access was effectively a compulsory measure conducted under a domestic warrant for the local computers used for the access. The High Court acknowledged that such unilateral remote access to servers in a foreign country could potentially infringe that country's sovereignty under international law, terming it a possible "international illegality" (国際法上の違法, kokusaihō-jō no ihō).However, the Osaka High Court then made a nuanced, and potentially controversial, point regarding the admissibility of evidence obtained through such means. It suggested that even if an act of sovereignty infringement occurred, this "international illegality" might not, by itself, automatically render the obtained evidence inadmissible in a Japanese criminal trial, provided that Japanese domestic procedural laws concerning the defendant's rights were properly followed (e.g., the access from the domestic computer was based on a valid domestic warrant or other lawful authority). The court seemed to distinguish between a potential breach of international law (a matter between states) and a breach of domestic criminal procedure affecting the defendant's rights (which directly impacts admissibility). Nonetheless, even in this decision, the court reiterated that international cooperation remains the preferable and more appropriate course of action.

These rulings indicate that while Japanese courts are acutely aware of sovereignty concerns, their primary focus in determining evidence admissibility often remains on whether Japanese domestic law pertaining to the investigation and the defendant's rights has been adhered to. However, the strong preference for using established international cooperation mechanisms is consistently highlighted.

Practical Challenges in Transborder Data Access

Several practical and legal challenges complicate the accessing of overseas digital evidence:

1. Identifying Server Location: In many cybercrime cases, especially those involving sophisticated actors or complex cloud infrastructures, the precise physical location of the server storing the relevant data can be difficult, if not impossible, to determine. Data may be distributed across multiple servers in different countries, or its location may be deliberately obscured. If the location is unknown, pursuing an MLAT request or seeking consent from a specific foreign state becomes impracticable. Some legal commentators in Japan have suggested that if investigators, despite diligent efforts, cannot ascertain a server's foreign location, they might be justified in proceeding with remote access if they have valid domestic legal authority (e.g., a warrant for a domestic device being used to access the data), though this remains a legally unsettled area.
2. Timeliness of MLATs: Formal MLAT processes, while providing a legitimate channel, can be notoriously slow. In fast-moving cybercrime investigations where digital evidence can be quickly deleted or altered, the delays inherent in MLATs can be a significant handicap.
3. Consent Issues: Obtaining "lawful and voluntary consent" from a data controller or custodian (as per Article 32(b) of the Budapest Convention) can be challenging. Data controllers, especially large multinational corporations, may have complex internal policies and legal obligations regarding user data and may be hesitant to disclose data without a clear, legally binding order from a court in their own jurisdiction. The determination of who has "lawful authority to disclose" can also be complex.
4. Varying Legal Standards: Different countries have different laws and standards regarding data protection, privacy, and lawful access. What might be permissible under Japanese domestic law may not be acceptable in the country where the data resides, and vice-versa.

The Path Forward: International Cooperation and Evolving Norms

Given these complexities, there is a global recognition of the need for more efficient and effective mechanisms for lawful transborder access to digital evidence. Discussions are ongoing internationally regarding:

• Streamlining MLAT processes.
• Exploring frameworks for direct cooperation between law enforcement agencies and service providers in different jurisdictions, with appropriate safeguards.
• Developing clearer international norms and agreements that address the unique challenges posed by cloud computing and data stored across multiple jurisdictions.

Japan actively participates in these international discussions. While its domestic law provides certain tools like remote access (primarily designed for accessing networked storage from a lawfully seized domestic device), their application to data stored definitively overseas is approached with caution. The prevailing view emphasizes respect for territorial sovereignty and prioritizes the use of established international cooperation channels.

Some legal scholarship in Japan has explored whether certain types_of remote access to overseas servers – for instance, when Japanese investigators use valid credentials of a Japanese suspect (obtained lawfully under a Japanese warrant) to access that suspect's data stored on a commercial server abroad, where the server provider itself has no substantive rights or interest in the content of that data – truly constitutes a problematic infringement of the host state's sovereignty. The argument is that if no rights of the foreign server provider are violated and the intrusion is focused on the data of a national under investigation by their own authorities, the sovereignty concerns might be less acute. However, this is not yet a widely accepted international legal position, and Japanese official practice remains conservative.

Conclusion

Japan's approach to accessing digital evidence stored on overseas servers in cybercrime investigations is characterized by a careful balancing act. On one hand, there is the pressing need for investigators to obtain evidence that is often crucial for solving increasingly sophisticated and borderless crimes. On the other hand, there is a strong commitment to respecting principles of international law, particularly territorial sovereignty, and a preference for using formal channels of international cooperation like MLATs.

While the Budapest Convention provides some avenues for transborder access (public data and consent-based access), many scenarios fall into a greyer area. Japanese courts have acknowledged the potential for sovereignty infringement but have also indicated that such an "international illegality" might not automatically nullify evidence in domestic proceedings if Japanese procedural rules protecting the defendant were followed—though this remains a point of legal debate and international cooperation is consistently stressed as the preferred method.

As digital technologies continue to erase traditional borders, the challenge for Japan, like for all nations, will be to contribute to and adapt to evolving international norms and develop more agile yet lawful mechanisms for cross-border evidence gathering, ensuring that the fight against cybercrime can be pursued effectively without unduly compromising sovereignty or fundamental rights.