Where is the Data Located?
The U.S. Federal Courts are currently struggling with what may seem like a simple question before the internet and cloud computing: where is the data located? Back in the age of paper, this question was easy to answer. Yes, there may have been copies. But for the most part, the definitive answer was: where the paper is physically located.
Today, the Federal Courts are assessing where documents stored in the cloud are located for jurisdictional purposes. There are three important opinions from there different circuits, and all interpreting the Stored Communications Act (“SCA”), 18 U.S.C. Chapter 121 §§ 2701–2712. Specifically, the cases deal with Section 2703 which authorizes law enforcement to obtain various court orders, subpoenas or warrants compelling private companies to disclose user data. The question is whether this provision applies extraterritorially, to data stored in the cloud outside the United States. And now, it appears the the Supreme Court may decide to weigh-in on this discussion.
Important to note about the SCA: it was passed in 1986, way before cloud computing and the explosion of the internet. Further, it is silent as to international storage of data. While there are attempts in Congress to address these issues, it appears that the courts may get there first.
First up: the Second Circuit in Matter of Warrant to Search a Certain EMail Account Controlled & Maintained by Microsoft Corp., 829 F.3d 197 (2d Cir. 2016). In this case, the government attempted to compel Microsoft to provide emails subject to a search warrant. While Microsoft complied with certain aspects of the search warrant, Microsoft declined to turn over emails and content that was stored overseas, in its data center located in Dublin, Ireland. The District Court held Microsoft in civil contempt for its failure to comply with the warrant.
The Second Circuit reversed the District Court, denying the government’s request to enforce the search warrant for data stored on Microsoft’s servers located in Ireland. The Second Circuit first reviewed the language of Section 2703 of the SCA and found that Congress did not expressly contemplate the extraterritorial application of the SCA. Second, the Court found that the “focus” of the SCA is user privacy, and as such, compliance with the search warrant would result in an invasion of the user’s privacy for data seized overseas.
The Second Circuit’s opinion hinged largely on how Microsoft stores its customers’ data. Microsoft stores its data in 100 discrete data-centers worldwide. And, unlike Google (discussed further in this post), Microsoft does not break the data apart in its storage process. A user’s data is assigned a “country code” and, once the data is transferred overseas to a data center, it is removed from servers located in the United States. The Second Circuit found that because a warrant has domestic boundaries, it could not reach into Dublin and obtain the documents that were wholly stored in that jurisdiction.
Next, the Eastern District of Pennsylvania (located in the Third Circuit), addressed a similar issue in In re Search Warrant No. 16-960-M-01 to Google, Feb. 3, 2017. In this case, Google partially complied with the government’s warrants by producing data that is within the scope of the warrants that it could confirm is stored on its servers located in the US, but Google refused to produce other data required to be produced by the warrants that was stored on servers located out of the United States.
Disagreeing with the Second Circuit, Magistrate Judge Thomas J. Rueter, who sits in the Eastern District of Pennsylvania, ordered Google to comply with a search warrant to produce foreign-stored emails, disagreeing with the Second Circuit. Judge Rueter’s opinion hinged on where the infringement of privacy would take place. In contrast with the Second Circuit’s conclusion of where the seizure would occur, Judge Rueter reasoned that “[e]ven though the retrieval of the electronic data by Google from its multiple data centers abroad has the potential for an invasion of privacy, the actual infringement of privacy occurs at the time of disclosure in the United States.”
Further, the technology used by Google in the storage of its user’s data distinguished it from Microsoft. Because Google transfers data between its domestic and foreign data centers all the time, a transfer of the user’s information from Google’s overseas servers to its U.S. based data center “does not amount to a ‘seizure’ because there is no meaningful interference with an account holder’s possessory interest in the user data.”
Third, the Northern District of California (located in the Ninth Circuit), recently addressed a warrant served on Google, in In re: Search of Content that is Stored at Premises Controlled by Google, Case No. 16-80263 (N.D. Cali., Apr. 19, 2017). The government issued a search warrant seeking the production of information from specific Google email accounts. Google produced data “confirmed to be stored in the United States” including emails, but did not include the attachments for emails because they were not “confirmed” to be stored in the U.S.
Google then moved to quash the subpoena for the data that was not confirmed to be in the U.S. The Court denied Google’s motion and ordered the production of all content responsive to the search warrant that is retrievable from the United States, regardless of the data’s actual location, concluding that “the disclosure is a domestic application of the SCA.” Interestingly, the Court noted that “Google has a distributed system where algorithms determine how it sends and stores data — in packets or component parts — in aid of overall network efficiency.” Similar to Judge Rueter’s opinion, the Court seemed to focus on how the technology worked to determine whether the court had jurisdiction over the data.
So, where does this leave us? While these cases were decided in the context of a criminal subpoena, they have potentially ramifications for civil litigation. First, as mentioned above, these decisions seem to hinge on the technology employed by these two major corporations to store data. Microsoft keeps the data together, and moves it as a unit to an overseas data center. Google breaks the data into component parts then constantly transfer between data centers. While Microsoft can argue that the data is located in one spot for jurisdictional purposes, applying that same analysis to Google could result in the data stored by Google avoiding attachment to any jurisdiction from a legal perspective. This has implications for the type of network system that a business or individual decides to implement -- and how they can protect that data from government interference with that network system.
Second, all three of the court opinions look at the privacy violation associated with warrant compliance. While privacy is a hot topic in Europe -- and gaining awareness in the US -- it is still not an established right in the US. Interestingly, the Second Circuit seemed to find that a user’s privacy would be violated if the data was accessed within the US. The other two decisions did not have the same concerns. This gives rise to the questions currently being voiced from the EU: is an individual’s privacy adequately protected in the US courts? The fact that the Second Circuit seemed to believe that the user’s privacy was better protected by maintaining the data in Ireland evidences that this privacy debate is making its way to the US.
Regardless, if the SCOTUS decides to take up this issue, it could have wide-reaching ramifications both in the criminal and the civil context: where data is located for jurisdictional purposes could greatly alter how we decide to store data and set up our network systems. Stay tuned!
* * * * * *
Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.