Data stored abroad – who controls it and where is it stored?
It’s well known that the National Security Agency (NSA) doesn’t limit its monitoring and collecting of data to the US. But it’s unclear whether other (non-intelligence) US authorities have similar powers.
A July 2016 decision of the United States Court of Appeals for the Second Circuit – which overturned a 2014 ruling of a New York magistrates’ court – might provide clarity in this matter. On the new ruling, other US authorities – for example public prosecutors, the US Department of Justice and the Federal Trade Commission – do not have the power to investigate data stored outside the US.
No unlimited access to data
In 2014, Microsoft took legal action to block a court order demanding that it hand over a Hotmail email account stored on a server in Dublin, Ireland, to an investigative authority.
The US government wanted the emails as part of a criminal investigation, referring to the Stored Communications Act. The District Court held that the order against Microsoft was lawful because an authority’s power to demand access to (digital) information – unlike a search warrant, which entails a physical search of premises – is not limited to the US, claiming that what matters is who controls the data, not where it is stored.
The Court of Appeals did not follow this opinion, but instead stated that the law does not authorise courts to issue and enforce against US-based service providers warrants for the seizure of customer e-mail content that is stored exclusively on foreign servers. The court concluded that Congress did not intend the Stored Communications Act’s warrant provisions to apply extraterritorially.
While this decision provides some guidance regarding US data access to external servers, legal certainty on the issue will have to wait for a decision from the US Supreme Court.
Should the ruling be upheld, this would affect US companies that locate data centres in the EU. Most US authorities would have to rely on international judicial assistance from foreign authorities to investigate data stored abroad instead of requesting the disclosure of such data directly.
When disclosing data creates conflicts
The tech industry needs to be aware of the fact that the US Appeals Court’s decision is limited to the Stored Communications Act. Federal authorities may still find ways to obtain data on foreign servers, eg by using investigative powers under the Patriot Act, the USA Freedom Act, the Foreign Intelligence Surveillance Act or the Cybersecurity Act.
As a result, service providers in the EU or elsewhere might still face a paradox. In some cases they would have to comply with strict EU data protection rules, while still being unable to invoke those rules to defend against extraterritorial data requests from US.
In short, they might be caught between a rock and a hard place, because no matter how the company decides, this would infringe either US or domestic member state law (so-called sanctions race).
This conflict becomes even more severe with future EU legislation. The EU Data Protection Regulation, which comes into force in 2018, provides that no judgment and no decision of an administrative authority of a country outside the EU, which requires a data controller or processor in the EU to disclose personal data, shall be recognised or enforceable.
Scope of law enforcement measures
The territorial scope of law enforcement measures like searches and requests for information is not only disputed in the US.
Similar legal issues crop up in other jurisdictions. In Germany, for example, there’s not much relevant case law, but the practice of agencies such as the public prosecutors and of competition and tax authorities seems to head in the same direction as the New York magistrates’ court in 2014. For this reason, German authorities also tend to request and seize data that may be located outside domestic territory.
No matter how courts in the US decide in the future, companies that are subject to a request for information should always check whether disclosing any data may conflict with data protection law. If it’s unlawful under data protection regulations to give investigative authorities access to data, it may have to be withheld or the company may need to submit an appeal against the authority’s order to hand over data.