Mutual Legal Assistance Treaties (MLATs) — Cross-Border Evidence
Mutual Legal Assistance Treaties are the primary legal mechanism for gathering evidence across national borders in criminal investigations — and their notorious average processing time of 12 to 24 months has made them effectively obsolete for digital evidence in a world where data moves in milliseconds. The U.S. maintains approximately 60 bilateral MLATs, plus commitments under multilateral conventions, through which prosecutors can compel foreign governments to gather bank records, take witness testimony, search premises, and seize assets abroad. The system was designed for a world of paper records and physical evidence; it was not designed for a world in which a murder investigation may require email records stored on servers in Ireland, financial records in Singapore, and phone records in Canada — all of which the suspect could delete before a 24-month MLAT request returns. Congress responded in 2018 with the CLOUD Act, which authorizes bilateral executive agreements allowing direct law enforcement requests to tech companies in partner countries — faster, but with fewer procedural protections. As of 2026, the U.S. has CLOUD Act executive agreements in force with the UK (Oct 2022) and Australia (Jan 2024); negotiations with Canada and the EU remain ongoing without final agreements.
Legal Authority
- 28 U.S.C. § 1782 — Authorizes U.S. district courts to compel testimony or document production for use in foreign or international proceedings; alternative civil-discovery mechanism that bypasses MLAT channel; used by private parties and foreign courts directly
- 18 U.S.C. § 3512 — Domestic implementation authority for executing foreign MLAT requests in U.S. courts; authorizes federal courts to issue orders, warrants, and subpoenas to fulfill treaty obligations when another country requests U.S. assistance
- 18 U.S.C. § 2523 — CLOUD Act executive agreement authority; authorizes the Attorney General and Secretary of State to enter bilateral executive agreements allowing direct law enforcement requests to electronic communications providers in partner countries, bypassing the MLAT channel
- Treaty power (Art. II § 2) — MLATs are Article II treaties ratified by the Senate; they are the primary binding legal framework; CLOUD Act agreements are executive agreements that do not require Senate ratification
Key Mechanics
The U.S. Central Authority for MLATs is the DOJ Office of International Affairs (OIA), which routes outgoing U.S. requests to foreign counterpart authorities and receives incoming foreign requests for U.S. assistance. A domestic prosecutor needing foreign evidence submits a request through OIA, which transmits it through diplomatic channels to the foreign Central Authority; the foreign government then uses its own domestic legal process to compel the evidence. Incoming foreign requests similarly route through OIA to federal courts, which issue orders under 18 U.S.C. § 3512. The framework is built on dual criminality — the requesting country typically must demonstrate that the underlying conduct constitutes a crime in both countries. Average processing time is 12–24 months, making MLATs unsuitable for rapidly evolving digital investigations. The CLOUD Act (2018) addressed this gap by allowing bilateral executive agreements under which law enforcement in partner countries can request electronic data directly from U.S. tech companies (and vice versa), with the companies serving as the compliance point rather than governments routing through diplomatic channels. CLOUD Act agreements must include data protection standards approved by the Attorney General and are not Article II treaties. The Budapest Convention on Cybercrime (60+ parties, U.S. ratified 2006) provides a multilateral MLAT-like framework specifically for electronic evidence. The private-sector alternative — 28 U.S.C. § 1782 — allows foreign litigants and government bodies to petition U.S. district courts directly for discovery assistance; the Supreme Court's ZF Automotive v. Luxshare (2022) narrowed § 1782 to public international tribunals, excluding private arbitral bodies.
Key Commitments & Structure
| Parameter | Value |
|---|---|
| Treaty type | Article II Senate-ratified bilateral treaties |
| U.S. network | ~60 bilateral MLATs + multilateral conventions |
| U.S. Central Authority | DOJ Office of International Affairs (OIA), Criminal Division |
| Average processing time | 12-24 months (often longer for complex requests) |
| Domestic authority | 18 U.S.C. § 3512 (foreign requests to U.S.); 28 U.S.C. § 1782 (civil discovery alternative) |
| CLOUD Act alternative | 18 U.S.C. § 2523; executive agreements in force with UK (Oct 3, 2022) and Australia (Jan 31, 2024); EU framework and Canada negotiations ongoing as of 2026 |
| Budapest Convention | Council of Europe Convention on Cybercrime; U.S. ratified 2006; 65+ parties |
What MLATs Cover
MLATs are bilateral treaties that obligate each party to provide specified forms of legal assistance to the other in criminal investigations and prosecutions. Standard MLAT coverage includes:
- Compelled production of records: Banks, telecom providers, businesses — the central authority obtains court orders to compel production of records held in the requested country
- Witness testimony: Taking sworn statements from witnesses who cannot be compelled to travel to the requesting country
- Service of process: Serving subpoenas, summons, or other legal documents on persons in the requested country
- Search and seizure: Executing search warrants and seizing evidence under the requested country's legal authority
- Asset tracing and restraint: Identifying and temporarily restraining assets subject to potential forfeiture
- Prisoner transfer for testimony: Arranging temporary transfer of incarcerated persons to testify in proceedings abroad
MLATs do not cover extradition (governed by separate extradition treaties) and typically exclude political offenses, military offenses, and requests where compliance would harm "essential interests" — a provision that can block sensitive national security requests.
The MLAT Process — Why It's Slow
A typical MLAT request moves through the following stages:
- Requesting country (e.g., a U.S. federal prosecutor) prepares a formal request through DOJ OIA
- OIA review: OIA reviews for legal sufficiency, dual criminality, and treaty compliance; may take weeks to months
- Foreign Central Authority: OIA transmits to the foreign country's Central Authority (Ministry of Justice or equivalent)
- Foreign legal process: The foreign authority must obtain court orders, execute searches, or compel testimony under its own law — which may require judicial proceedings that take months
- Return: Evidence is transmitted back through the chain; authentication may require additional steps
The process was designed for serious, long-term investigations — major organized crime, terrorism financing, international fraud — where months of delay were acceptable. It is entirely inadequate for: fast-moving cybercrime (ransomware, fraud), investigations where evidence is volatile (cloud storage subject to deletion or overwriting), or cases where time-sensitive operational decisions depend on foreign intelligence.
The CLOUD Act — The Modern Alternative
The Clarifying Lawful Overseas Use of Data Act (2018) addresses the specific problem of U.S. law enforcement seeking data stored abroad by U.S.-based tech companies (and vice versa). It has two components:
Domestic component: Clarifies that U.S. providers must respond to U.S. legal process for data they control, regardless of where it is stored — resolving the question raised in United States v. Microsoft (which the Supreme Court dismissed as moot after the CLOUD Act's passage).
Executive agreement authority: Authorizes the Attorney General, with Secretary of State concurrence, to negotiate bilateral executive agreements with "qualifying foreign governments." Under such an agreement:
- Foreign law enforcement can serve legal process directly on U.S.-based tech companies for data about their own citizens, without going through the MLAT
- U.S. law enforcement can similarly access data held by providers in the partner country
CLOUD Act agreements in force (as of 2026):
- UK (entered into force October 3, 2022 — first operational agreement): Full bilateral access
- Australia (signed December 15, 2021; entered into force January 31, 2024)
- Canada: negotiations ongoing since March 2022; no agreement as of mid-2026
- EU: U.S.-EU negotiations on a framework agreement remain ongoing; no agreement signed
CLOUD Act agreements are faster — requests are served directly on providers, who must respond within days — but they have fewer judicial oversight requirements than MLATs and limit data use to specified offenses.
Budapest Convention — Cybercrime
The Council of Europe Convention on Cybercrime (Budapest Convention, 2001) is the primary multilateral framework for cybercrime cooperation. The U.S. ratified it in 2006. It provides:
- Common definitions for computer crimes (unauthorized access, data interference, system interference, computer-related fraud, child pornography)
- Expedited preservation orders: a requesting country can ask a foreign party to preserve specific data for 60 days while a full MLAT request is prepared — addressing the deletion problem
- 24/7 network: member states must designate a 24/7 contact point for urgent cybercrime assistance
- 65+ parties including most EU/NATO countries; Russia and China have not joined (Russia objected on sovereignty grounds; China criticized it as Western-centric)
A Second Additional Protocol (Bucharest Protocol, 2022) expands subscriber data sharing and direct-to-provider cooperation even without CLOUD Act agreements — providing some of CLOUD Act's speed benefits within the multilateral framework.
28 U.S.C. § 1782 — The Civil Alternative
Section 1782 allows any person involved in a foreign or international tribunal to petition a U.S. federal district court to compel production of evidence located in the U.S. for use in the foreign proceeding. Unlike MLATs (criminal investigations only), § 1782 is available for commercial arbitrations, civil litigation, and administrative proceedings. The Supreme Court in ZF Automotive v. Luxshare (2022) limited § 1782 to governmental or intergovernmental adjudicative bodies — excluding private commercial arbitrations like ICSID and ICC, significantly narrowing its scope.
FATF and Financial Intelligence Sharing
The Financial Action Task Force (FATF) and the Egmont Group of Financial Intelligence Units provide a parallel framework for sharing financial intelligence outside the MLAT system. FinCEN (the U.S. Financial Intelligence Unit) exchanges Suspicious Activity Reports and other financial intelligence directly with foreign FIUs under the Egmont secure network — without MLAT process. This is faster but covers only financial intelligence, not compelled production of records.
How It Affects You
If you are a citizen or voter: MLAT delays have allowed suspects in ransomware, child exploitation, and fraud cases to evade accountability while evidence is preserved but unreachable for months or years. The CLOUD Act accelerates cooperation with close allies but creates privacy concerns — data about U.S. persons may be shared with foreign law enforcement under conditions with fewer protections than MLAT processes. Both systems primarily affect criminal defendants and victims of transnational crime.
If you are a business or multinational: Tech companies and financial institutions are the primary recipients of MLAT-enabled compelled production requests. Under CLOUD Act agreements, companies receive orders directly from foreign law enforcement and must respond on accelerated timelines — without the government-to-government intermediary layer that MLATs provided. Companies must maintain legal teams capable of assessing foreign legal process for validity under applicable CLOUD Act agreement terms.
If you work at a federal agency or in government: DOJ OIA coordinates all outgoing MLAT requests and incoming foreign requests for U.S. judicial assistance. FBI Legal Attachés (Legats) stationed abroad facilitate operational cooperation. DEA, IRS-CI, HSI, and Secret Service each have substantial international investigative footprints that depend on MLAT and informal cooperation networks. FinCEN manages Egmont Group FIU cooperation.
If you are a lawyer, researcher, or policy analyst: MLATs are self-executing as to the obligation to provide assistance; the specific mechanisms of compulsion use domestic law in the requested country. U.S. courts enforce foreign MLAT requests under 18 U.S.C. § 3512. The intersection of MLATs with attorney-client privilege, Fifth Amendment rights, and discovery obligations in parallel civil litigation is a complex area of international criminal procedure. § 1782 remains available for governmental adjudicative bodies after ZF Automotive.
Recent Developments
- 2025 — DOJ OIA reports continued MLAT backlog; cybercrime request volume has grown faster than processing capacity; CLOUD Act agreements seen as primary near-term solution
- 2024 — U.S.-Australia CLOUD Act agreement entered into force January 31, 2024 (signed December 15, 2021)
- Ongoing (2025-2026) — U.S.-Canada CLOUD Act negotiations continue without finalization; concerns about compatibility of Canadian and U.S. digital surveillance frameworks have slowed progress
- 2022 — Budapest Convention Second Additional Protocol open for signature; significantly expands direct-to-provider access and subscriber data sharing; U.S. signs
- 2022 — ZF Automotive v. Luxshare (SCOTUS): § 1782 does not extend to private commercial arbitrations; limits a widely used discovery tool in international litigation
- 2022 — UK-U.S. CLOUD Act agreement takes effect; first operational agreement; UK providers respond directly to FBI and other U.S. law enforcement requests
- Ongoing — Negotiations for CLOUD Act agreements with additional countries; EU-U.S. negotiations complex due to GDPR adequacy and data sovereignty concerns; no agreement with major non-Five Eyes partners yet