Organizations worried about the ability of American law enforcement agencies to get at electronic data in foreign data centres have at least some temporary relief after a U.S. federal appeal court ruled the government can’t force Microsoft to turn over a customer’s email held in Ireland.
In a decision released Thursday the court said a search warrant issued under the Stored Communications Act (SCA), which obliges U.S.-based service providers to hand over electronic records under certain circumstances, cannot apply to data held outside the United States and its territories.
Neither the SCA, nor its sister legislation, the Electronic Communications Privacy Act, implicitly or explicitly envision the application of warrants overseas, the appeal court ruled.
A lower court held Microsoft in contempt for refusing to obey the warrant following a long court fight that began in 2013 when the government sought email of a suspected narcotics dealer.
However, while the appeal court decision stands for now, the Obama administration could take the fight to the U.S. Supreme Court. And in an interview Halifax privacy lawyer David Fraser noted Congress could also amend the SCA to specifically say its warrants and subpoenas apply outside the U.S.
The ruling “is one which with I am pleased,” said Fraser, who acts for a number of U.S. technology companies in Canada who intervened in the case. “This is a very important case for determining some very important questions for determining, at least in this case, how far the United States government can reach through the Internet but outside the territory of the United States to compel access to content. But in the big picture it also relates to an will likely have an effect on the extent can other countries do the same sort of thing.”
He noted a growing number of privacy lawyers and professionals are watching this case, particularly after the revelations of former NSA contractor Edward Snowden on the electronic data gathering power of a number of countries, including Canada.
Dalhousie University law professor Robert Currie, who studies how countries co-operate in fighting cybercrime, said the decision is good although doesn’t go far enough. While it suggests Congress could fix the SCA by explicitly saying warrants apply outside the U.S., “there is a hard rule against one country executing something like a search on the territory of another country.” Many countries have agreed to co-operate to fight sex crimes and terrorism, they don’t agree to honour U.S. search warrants for electronic data, he pointed out.
As expected, Microsoft is pleased with the ruling. “The decision is important for three reasons: it ensures that people’s privacy rights are protected by the laws of their own countries; it helps ensure that the legal protections of the physical world apply in the digital domain; and it paves the way for better solutions to address both privacy and law enforcement needs,”chief legal officer Brad Smith said in a statement.
Attempts by American law enforcement to use the SCA and the U.S. Patriot Act to get at foreign data have made organizations outside the U.S. sensitive about storing data locally. As a result a number of companies, including Microsoft and IBM, have built data centres here to assure Canadian customers their data isn’t being held in the U.S. Similarly other data centre owners have been expanding their
In its decision the appeal court said the focus of the SCA is on customer privacy and not the disclosure of customer information. However, it is important to note that the appeal court only dealt with the SCA’s reach of its search warrant provisions. The legislation also gives the courts the power to subpoena electronic data, and the U.S. Justice Department argued there is no difference between a warrant and a subpoena. The appeal court disagreed but said its decision only applies to warrants — but it also hinted its decision on limiting jurisdiction to only the U.S. would apply to a subpoena as well.