Gregory T. Nojeim is senior counsel and director of the Freedom, Security and Technology Project at the Center for Democracy and Technology.
On February 27, the Supreme Court will hear oral argument in a case with global implications for privacy and data protection. In United States v. Microsoft, the U.S. Department of Justice claims that warrants issued by a U.S. judge or magistrate can compel a U.S. communications service provider to disclose communications content the provider stores abroad – in this case, in Ireland. My organization, the Center for Democracy and Technology, filed a brief in favor of Microsoft, which is resisting the warrant. We did so out of concern that if the DOJ position prevails, it will be adopted by foreign governments and create chaos, as those governments will insist that their process compels disclosure of content in the U.S. despite the provisions of the Stored Communications Act governing those disclosures. We also argue that if the court adopts the DOJ position, it would damage the cloud-computing industry.
Would compelled disclosures from abroad violate the EU’s GDPR?
On May 18, 2018, the European Union’s General Data Protection Regulation will come into force. The GDPR will permit cloud providers to transfer data from the EU to the U.S. only in certain circumstances. If one of those circumstances does not include compliance with a U.S. warrant, a company that complies with a warrant compelling a disclosure from a data center in the EU faces penalties of up to four percent of its worldwide annual revenues. Obviously, this is a critically important question for providers, many of which have lined up behind Microsoft because they are concerned about such conflicts of law.
Article 48 of the GDPR indicates that foreign court orders to remove personal data from the EU are operative only if based on an international agreement such as a mutual legal assistance treaty, unless there are other grounds for transfer in the GDPR. Although there is an MLAT between Ireland and the U.S., the transfer of personal data in this case would occur outside the MLAT. The question then becomes whether there is another ground for transfer.
Article 49 of the GDPR contains other grounds for transfer that include: (i) “important reasons of public interest” recognized by EU or member state law, and (ii) transfers “necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests of rights and freedoms of the data subject.” The European Commission argues that, depending on the circumstances, the fight against serious crime could qualify under the first ground, and the interest of the tech company – in not being subject to legal action for failure to disclose – could qualify under the second.
In contrast, leading architects of the GDPR in the European Parliament argue, as did Privacy International and a group of digital rights organizations and legal scholars, that such transfers would violate European Union law. In addition, 21 scholars of data protection and privacy from the EU write that such disclosures “would likely” violate the GDPR. They maintain that the Article 49 public-interest derogation applies only to the interests of an EU member state or the EU itself, and not to, for example, the U.S. government’s interest in fighting serious crime. They also point out that if a provider’s interest in complying with a U.S. warrant is sufficient to overcome the bar to disclosure in compliance with a foreign court order in Article 48, the Article 49 exception would entirely swallow the rule in Article 48. These arguments seem compelling.
One of the DOJ’s strongest arguments is practical, not legal: Communications service providers are interpreting the U.S. Court of Appeals for the 2nd Circuit’s decision in favor of Microsoft in a way that effectively prohibits the government from obtaining some communications content from other leading U.S. providers – including the communications of Americans in the U.S.
According to court documents, Microsoft stores Hotmail communications content on a static basis. When the user signs up for the service, she declares her country of residence and Microsoft stores her data at a nearby data center in order to reduce network latency. Microsoft has approximately 100 data centers in 40 countries. For a network architected like Microsoft’s, a location-based rule can work well, with predictable results.
Google, Yahoo and other providers store data differently – they break data into “shards,” such that one part of a user’s email inbox might be in one country and another part in a different country, and the text of an email message might be in one data center in one country and an attached photo in another data center elsewhere. As 51 computer scientists state emphatically in their brief, every piece of data “always has a specific physical location.” However, a single account with data in multiple locations in multiple countries is more than a headache for law enforcement, which would be hard-pressed to file an MLAT request in each and get a timely response to each in order to conduct its investigation.
How could the Supreme Court deal with this reality? It could decide the case based on the facts in front of it: The data at issue are stored statically outside the U.S. in one country. Perhaps more importantly, it could limit its decision to that factual circumstance, and leave to Congress and other legal proceedings the resolution of the issues around network architectures different from Microsoft’s.
Both parties to this litigation agree, based on the 2016 case RJR Nabisco v. European Community, that a statute has no extraterritorial application “absent a clearly expressed Congressional intent to the contrary,” and that Congress expressed no such intent in the SCA. Under the RJR Nabisco precedent, whether a statute is being applied domestically depends on the “focus” of the statute: If the conduct relevant to the statute’s focus occurred in the U.S., the statute is being applied domestically. The government argues that the “focus” of the SCA is “disclosure” to the government of communications content under 18 U.S.C. 2703, and that because the disclosure occurs in the U.S., the focus of the statute is domestic. It also argues that, even if the focus of the statute is privacy, any invasion of privacy occurs in the U.S.
This argument is weak on its face, and potentially disastrous in its application. As pointed out by the 2nd Circuit, the SCA is part of the Electronic Communications Privacy Act, enacted in 1986 for the express purpose of protecting the privacy of electronic communications, such as email, when they are in electronic storage. The disclosure provisions on which the government relies are simply exceptions to the overall focus of the statute on privacy, rather than the focus of the statute itself.
Moreover, if, as the government argues, the invasion of privacy is found to have occurred in the U.S. only when the data are disclosed to the government, then the government could compel providers to copy all of their electronic communications without violating the Fourth Amendment. The Brennan Center, American Civil Liberties Union and others emphasize the danger of this approach. They describe it as the modern equivalent of a general warrant, and persuasively urge the Supreme Court to find that the act by the provider of seizing and copying email content as an agent of the government interferes with a person’s privacy and possessory interests in the data, triggering the Fourth Amendment.
How would other countries respond to a decision in favor of the DOJ?
If the Supreme Court rules that U.S. warrants can compel the disclosure of communications content stored outside the U.S., it could set a global precedent. As we pointed out when this case was pending in lower courts, other countries would insist that their legal process can compel the disclosure of communications content stored inside the U.S. Many amici supporting Microsoft made this argument. It is not speculative: Belgian courts have twice ruled that communications content stored in the U.S. is subject to Belgian legal process, Brazilian judges have jailed executives of U.S. providers for failure to turn over such data, and the U.K. in this case signals its view that its Investigatory Powers Act, which governs disclosure of communications for law enforcement in the U.K., has extraterritorial reach.
This would seem an important consideration for anyone concerned with the privacy of Americans in the U.S.: Foreign legal process that compels disclosure of communications content is typically issued without the same strong level of proof required in U.S. law – probable cause. Perhaps the most surprising treatment of this issue comes from the brief that state attorneys general filed in the case: They ignore it. Though statutes in many states give state AGs significant responsibility for protecting the privacy of the states’ residents, the AGs’ brief does not address the risk that a ruling in favor of the DOJ would pose to the privacy interests of those residents with respect to other governments.
However the Supreme Court rules, it is likely that both courts and policymakers will be dealing with the processes by which information flows between nations for the foreseeable future.
Symposium: Four important questions for the court to consider, SCOTUSblog (Feb. 7, 2018, 2:25 PM)