The ongoing conflict in the United States between law enforcement and companies collecting personal data has led to increased awareness of the protection of personal data. For example, Microsoft and Google have both taken strong stands by refusing to comply with government warrants requiring the disclosure of personal data stored abroad. Both cases turned on the interpretation of the Stored Communications Act (SCA, 18 U.S. Code §§ 2701 et seq.).
This conflict is now unfolding as the General Data Protection Regulation (Regulation n°2016/679, GDPR) comes into effect on May 25th, 2018. Companies based in the United States may be subject to the GDPR and thus to new obligations regarding the protection of personal data. This element is important to keep in mind when considering the legislative turmoil and the numerous cases arising concerning personal data in the United States.
In this context, it is hard to clearly establish what has been happening across the Atlantic and to assess the current situation. Mathias Avocats examines key points and sums up the major events taking place.
What is the SCA?
The SCA applies to stored wire and electronic communications and transactional records access. It was passed in 1986 to extend the Fourth Amendment’s protection to emails. It is worth repeating that the Fourth Amendment prohibits unreasonable searches and seizures of property, life and liberty by the government.
The Act imposes general obligations of non-disclosure on service providers and creates several exceptions to this obligation. For example, the SCA entitles a governmental entity to require disclosure by a provider of electronic communication services of the contents of a wire or electronic communication (18 U.S. Code § 2703). This disclosure can be requested by a warrant issued according to the Federal Rules of Criminal Procedure and thus in accordance with the Fourth Amendment.
Disputes have arisen between leading technology companies and the Justice Department regarding the SCA and more specifically the section mentioned. As previously stated, this notably occurred in the widely publicized Microsoft and Google cases.
It must be underlined that the issues raised are not limited to the United States. Indeed, if companies based in the United States must comply with warrants, should the foreign law be considered? What happens if the warrant is in violation of the foreign law? Must the applicable legislation on the protection of personal data be considered?
Does the Act apply extraterritorially?
In the case United States v. Microsoft (Case 14‐2985), Microsoft was served a warrant pertaining to a user whose data was stored abroad in Dublin, Ireland. The company moved to quash the warrant on the grounds that the SCA did not cover data stored outside of the United States, whereas the government contended that the warrant had an extraterritorial scope. The Court of Appeals for the Second Circuit sided with Microsoft.
The judges took up the two-part analysis set down by the United States Supreme Court (USSC) in Morrison v. National Australia Bank Ltd., n°08-1191 (2010): (1) there is a presumption against extraterritoriality which can only be overcome if there is a clear congressional intent to the contrary and (2) the determination of the territorial events or relationships which are the “focus” of the relevant statutory provision. In sum, if the statute does not have an extraterritorial scope because the presumption cannot be overcome, it may still apply in a particular case because the conduct that is the subject of the statute’s focus occurs domestically.
In the case at hand, the presumption against extraterritoriality was not overcome, since there is no indication within the SCA that Congress had intended a foreign application of the Act’s provisions. Regarding the “focus” of the law, the judges held that it is the protection of the privacy of the content of a user’s stored electronic communication. The warrant requires disclosing users’ content stored in Dublin. The disclosure would occur outside the United States within the jurisdiction of a foreign sovereign and would violate the user’s privacy. Thus, the Court held that the Act does not authorize courts to issue and enforce against U.S.-based service providers warrants for the seizure of customer e-mail content that is stored exclusively on foreign servers.
However, the dispute is far from being resolved. On October 16th, 2017, the USSC agreed to decide whether federal prosecutors can force technology companies to turn over data stored outside the United States.
Moreover, the European Commission decided to submit, on behalf of the European Union (EU), an amicus brief to the United States Supreme Court. The amicus brief will not be in support of either party. Instead, the Commission seeks to make sure that EU data protection rules on international transfers are correctly understood and taken into account by the US Supreme Court, given that the transfer of personal data by Microsoft from the EU to the US would fall under the rules.
The Microsoft case has nonetheless become a cornerstone for personal data electronically stored abroad. In In re Search Warrant n°16-960-M-01 to Google (2017), Google complied with a search warrant as to data stored in the United States yet refused to disclose electronic data stored on servers located in Dublin, Ireland. It justified its position and supported its arguments with the Microsoft case.
However, the judges did not side with the company. They concluded that the presumption against extraterritoriality could not be overcome but did not agree with the purpose found in the Microsoft case. They held that the purpose of the SCA is to protect private communications and that its focus is to achieve the purpose by controlling access to private communications. The warrant would give the government access to the data stored on Dublin servers. Google would disclose the data to the government domestically. Thus, the Court deemed that Microsoft’s conduct, which is the subject of the statute, occurs domestically. As such, the statute applies despite the presumption against extraterritoriality not being overcome. The court ordered Google to comply with the search warrant.
What will happen next?
Following these cases, businesses were unsure of how to respond to warrants issued under the SCA. The USSC’s decision will resolve uncertainty regarding the SCA’s scope and will have important impacts on the protection of personal data. The Department of Justice and several businesses have also argued that the SCA should be updated and its provisions adapted to modern technology.
Furthermore, the Department of Justice has recently changed its policy concerning gag orders (18 U.S. Code § 2705) when companies are compelled to disclose user data to the government. They will now be time-limited and the users will be notified. This is a step toward transparency.
In this context, it should be underlined that Section 702 of the Foreign Intelligence Surveillance Act may be renewed until December 21st, 2025. Communications of persons located abroad who are not American citizens may be targeted and searched without a warrant. If companies were so adamant about protecting personal data on foreign servers, will the same issue arise for foreign data on American servers? The Foreign Intelligence Surveillance Court should render its decision concerning the Act’s legality before the end of the month.
Mathias Avocats will keep you informed of any further developments regarding these issues.