In a major development for cloud and other data storage providers, and further complicating the legal landscape for the cross-border handling of data, a Federal Magistrate Judge in the Eastern District of Pennsylvania ruled for the Department of Justice and ordered Google, Inc., to comply with two search warrants for foreign-stored user data. The order was issued on February 3, 2017 pursuant to the Stored Communications Act, (SCA), and the reasoning of the Court rested heavily on the court’s statutory analysis of the SCA. The ruling is a marked departure from a recent, high-profile Second Circuit decision holding that Microsoft could refuse to comply with a similar court order for user data stored overseas.
The SCA regulates how service providers like Google and Microsoft who store user data can disclose user information. The Magistrate Judge issued two warrants under the SCA for emails sent from Google users in the United States to recipients in the United States. Google refused to fully comply, invoking Microsoft, and the Government moved to compel. In its briefing, Google argued that the SCA can only reach data stored in the United States and that, because Google constantly shuffles “shards” of incomplete user data between its servers across the world, Google could never know for certain what information is stored domestically and what is stored overseas. Therefore, Google argued, the data sought under the warrants was beyond the reach of the SCA.
The Court ordered Google to comply with the warrants. Citing Microsoft, the Court began by noting that the focus of the SCA was to preserve the privacy of individuals’ communications, and that the SCA—and any warrant issued pursuant to it—applies only within the United States. The key inquiry, the Court reasoned, is where the “relevant conduct” affecting privacy takes place. On this, the Court “respectfully disagree[d]” with the Second Circuit’s reasoning. In Microsoft, the seizure of data in Ireland was deemed the relevant conduct. But as for Google, the Court found, the relevant conduct was “the actual invasion of the account holders’ privacy—the searches—[that] will occur in the United States.” Transferring the data to the U.S. would not constitute an illegal seizure under the Fourth Amendment, the Court reasoned, because “there is no meaningful interference with the account holder’s possessory interest in the user data.” That leaves only “a permissible domestic application of the SCA, even if other conduct (the electronic transfer of data) occurs abroad.”
The Court was critical of two aspects of Google’s position in particular. First, if the certain location of user information was never known, then Google could not specify which foreign sovereignty would be violated by accessing the data. Second, access to a user’s data when it is segmented and constantly crossing borders would be impossible under a Mutual Legal Assistance Treaty, the potential availability of which played key a role in the Microsoft ruling.
The decision demonstrates that the Department of Justice is continuing to press arguments that did not win over the Second Circuit in the Microsoft case, and underscores that the Second Circuit’s approach may not hold sway elsewhere as other U.S. courts apply the SCA to companies’ increasingly complex data-handling practices. The decision further muddles the status of cross-border data transfers, as U.S.-based cloud services providers may have a more difficult time representing whether data based in the European Union is exposed to U.S. government access. In addition to compounding the uncertainty of the legal landscape in this area, it increases the possibility that these issues may one day be headed to the U.S. Supreme Court.
* * *
For other Socially Aware posts addressing user data and the Stored Communications Act, please see the following: Second Circuit: Email Stored Outside the U.S. Might Be Beyond Government’s Reach; and We’ve Come for Your Tweets: Twitter to Appeal Denial of Its Motion To Quash District Attorney’s Subpoena.