Location, Location, Location: Why Data Privacy In The Cloud May Never Be The Same

When it comes to your data, does location really matter?  Well, not if the (US) federal government has anything to say about it.  At the end of February 2018, the (US) Supreme Court heard oral arguments in a case that has far-reaching implications for the privacy of data housed abroad.  At issue is none other than whether the federal government can compel technology companies to hand over data held overseas on their servers.  If you send email through an internet service provider, or otherwise use cloud-based services like Google Docs, then this case may alter your expectation of privacy in and to your (or your customer’s) data. If this doesn’t sound like a big deal to you, it should. Simply put, the privacy of such data is at stake, and the stakes are high.

How this case came about is not as important as the fact that it was inevitable. As microprocessor speeds have increased, so have memory density and speed. With this increase in performance, however, came a decrease in costs relative to performance, creating powerful new architectures leveraged by technology companies (such as cloud computing) to provide easily accessible and highly useful applications to the masses.  This very “perfect storm” of performance, access, and capability helped spur Google’s well-known Gmail and Google Docs, as well as infrastructure services like Amazon Web Services.  These platforms and services, however, are not limited to the United States — they are globally available platforms that house data on servers worldwide.  So, the data you send in Gmail, or save in a document on Google Docs, is not necessarily housed in the U.S.  While this may be seamless to the user of such services, it is anything but when it comes to U.S. law.

In United States v. Microsoft, the government sought and obtained a search warrant for emails and other pertinent information as part of a criminal investigation into drug trafficking in 2013.  After the government served the warrant on Microsoft, the company turned over relevant data on its servers in the United States, but refused to do so for data housed on its servers located in Ireland (apparently, the subject of the investigation lived in Dublin when he signed up for an Outlook account).  In fact, the content of the emails sought appears to have been entirely housed in Ireland. The Second Circuit in New York rejected the lower court’s approval of the warrant, holding that the government could not seize the data housed in Ireland.  Specifically, the appellate court held that domestic search warrants obtained under the 1986 Stored Communications Act (SCA) could not reach the emails held abroad.  Now SCOTUS is hearing the case, and it seems to pivot on whether the SCA — a statute passed in 1986 before the advent of the internet (or cloud computing for that matter) — should apply to extraterritorial data.

It is important to note that the government is not foreclosed from obtaining this email data through other means — the United States and Ireland have a Mutual Legal Assistance Treaty (MLAT) whereby they have agreed to cooperate in criminal matters.  In essence, the Department of Justice (DOJ) in this case could operate under the MLAT with Irish authorities to obtain the data.  The DOJ, however, has taken a different position (driven in no small part by its desire to not involve foreign authorities) — it believes that since Microsoft can reach across the Atlantic electronically to retrieve the data from the U.S., the warrant is valid.  Think about that for a minute — the DOJ is essentially arguing that remotely retrieving the emails housed in servers outside the United States under a U.S. warrant is not an unreasonable search and seizure.

Believe it or not, I am sympathetic to the DOJ’s position.  Given the nature of cloud computing and attendant service architectures, it is foreseeable that such data could be housed in multiple foreign jurisdictions.  In such cases, the DOJ would be forced to work with each foreign government under separate MLATs or other treaties, which may be unworkable.  That said, does that mean that your (or your company’s) rights under the Fourth Amendment should be curtailed simply because an MLAT or a 1986 statute doesn’t really fit data in the information age? Microsoft’s Chief Legal Officer, Brad Smith, put it quite succinctly in a blog post he wrote in October 2017 (emphasis added): “We believe that people’s privacy rights should be protected by the laws of their own countries and we believe that information stored in the cloud should have the same protections as paper stored in your desk.”

Whether SCOTUS will rule on this matter or punt the issue to Congress to amend the SCA has yet to be seen, but this case is definitely cause for concern.  Oddly, the entire case may be rendered moot if Congress passes The Cloud Act — a piece of legislation introduced by Senator Orrin Hatch of Utah that, if passed, would state that SCA warrants would not apply to data housed abroad, but also allow technology companies to challenge such warrants should they perceive that the laws of the country where data is hosted are violated by them.  With this Congress, I remain skeptical of passage in its current form, but it’s a start and, well, hope springs eternal.

Given the tone of oral arguments, there is a possibility that SCOTUS will defer to Congress to amend the SCA.  In fact, SCOTUS may be hoping that The Cloud Act passes so as to render a decision moot.  In any event, companies housing data abroad need to keep vigil over this ruling — Microsoft has already changed its policy of housing email content from the location closest to the country of residence declared by the user to the user’s most frequent location.  It doesn’t solve the issue, but it may just be a step in the right direction.  Make no mistake, data privacy law is being shaped in this case, so pay attention — your (and your customer’s) data is in the cross-border fire as a result.