The access of personal data stored abroad has become a crucial question in the United-States. Under the Stored Communications Act (SCA) of 1986 the federal government can require disclosure by a provider of electronic communication services of the contents of a wire or electronic communication. Mathias Avocats wrote an article describing the SCA more specifically.

However, the Act does not specify whether the federal government’s power extends beyond the United-States. This question is at the heart of the Microsoft v. United States case. It must now be decided by the United States Supreme Court (USSC).

Mathias Avocats reviews the various stages of the case and underlines the potential impact the USSC’s decision may have.

What are the facts?

The Microsoft case dates back to 2013. The Department of Justice requested that the company hand over emails relating to a drug-trafficking case. The prosecutor demanded all emails regarding the case during the investigation. Microsoft partially complied by handing over all information which had been stored on servers in the United-States but did not disclose the emails stored on servers abroad in Dublin, Ireland.

The company moved to quash the warrant on the grounds that the SCA did not cover data stored outside of the United-States whereas the government contended that the warrant had an extraterritorial scope. The Court of Appeals of the Second Circuit sided with Microsoft. This is a landmark case in the sense that the Court agreed that the federal government’s power regarding personal data is limited to the United-States and cannot be exercised abroad. Thus, the SCA does not have an extraterritorial scope.

However, the dispute is far from being resolved and the cornerstone set by the Microsoft case may not hold. Indeed, the USSC agreed to decide whether the United-States federal government can use a search warrant to force a company to seize a customer’s private emails stored abroad and import them to the United-States. Nearly 300 companies,groups and individuals from the United-States and abroad filed amicus briefs with the USSC supporting Microsoft’s position.

The USSC will hear arguments on February 27th, 2018.

What will be the potential impact of the USSC’s decision?

If a United-States federal entity is allowed to seize foreign customer’s email from other countries, it may be in conflict of their treaties or internal law or even of international law. How will the foreign country’s applicable law regarding privacy and personal data be respected? How will tech companies be able to respect their obligations under foreign and United-States law? What about customers?

Furthermore, if the United-States government can seize information and/or personal data abroad, will foreign countries want to do the same? What will this imply for the customers’ privacy?

These issues are all the more important in the light of the coming into application of the General Data Protection Regulation (GDPR, regulation n°2016/679) on May 25th, 2018. The Regulation will impose new obligations on data controllers and data processors when they process personal data of data subjects in the European Union. Thus, it will be applicable to entities outside of the European Union.

If the SCA applies beyond the borders of the United-States, how will the principles of the GDPR be complied with (ex: transparency, accuracy and security)? How will data subject to able to exercise their rights?  How will the supervisor authorities and federal entities work together?

Mathias Avocats will keep you informed of any further developments.