To Obtain Data Abroad, Government Just Googles It

by Bracewell LLP
Contact

Bracewell LLP

As technology companies expand globally they increasingly are storing customer electronic data in servers outside the United States. To keep apace, the Justice Department has become more creative in adapting existing legal instruments and more persistent in advancing arguments to encourage and in some cases, to compel, companies to turn over customer data stored abroad.  While courts, most notably the U.S. Court of Appeals in the Second Circuit in last year’s Microsoft decision,1 have resisted government efforts to compel the retrieval and production of electronic information stored overseas, a Pennsylvania federal court has departed from Microsoft and ordered Google to disclose internationally stored customer emails.

The Court Breaks from the Second Circuit in Microsoft
On February 3, 2017, Magistrate Judge Thomas Rueter held that Google was required to comply with warrants issued pursuant to the Stored Communications Act (SCA) that sought disclosure of emails held in the accounts of two targets of criminal investigations.2 Google had partially complied with the warrants, but refused to disclose certain user data, relying on Microsoft which held that SCA provisions do not apply internationally.  Breaking with the Second Circuit, the court applied the principles of more traditional Fourth Amendment jurisprudence to hold that no invasion of customer privacy would occur outside the United States.

In Microsoft, the Second Circuit engaged in a close analysis of the SCA’s use of the term “warrant,” ultimately holding that Congress did not intend for SCA warrants to have a broader – that is, extraterritorial – reach than traditional warrants.  The court then moved to the second step of the extraterritoriality analysis, which looks to the focus of the statute and whether there is a permissible domestic application of the statute even if other conduct occurred abroad.  The Second Circuit held that the critical invasion of customer privacy occurs when Microsoft accesses the protected content on the overseas server, an impermissible extraterritorial application.

The Google court did not dispute the Second Circuit’s determination of Congressional intent.  Instead, the court departed from Microsoft’s holding in the second step of the extraterritoriality analysis after a review of Fourth Amendment jurisprudence, which distinguishes between the possessory interest protected from an illegal seizure and the privacy interest protected from an illegal search.  First, the court held that transferring electronic data from an overseas server to a domestic data center is not a seizure that interferes with the customer’s possessory interest in the data.  The court analogized such a transfer to the movement of paper documents from one place to another or photocopying documents, which are not seizures in Fourth Amendment case law.  Next, the court held that the invasion of customer privacy, i.e., the search, occurs when law enforcement reviews the electronic data after the data have been accessed and disclosed by Google – that is, in Pennsylvania.

In the court’s view, key differences between the data at issue in Microsoft and in Google compelled a different result.  In Microsoft, the requested user data was housed in a data center in Ireland.  A Google user’s data, however, is stored in multiple locations; the components of a single user’s data might be stored in multiple locations, both within the United States and abroad.  Also, Google’s storage network automatically shifts data from location to location to maximize efficiency.  In other words, although Google is able to retrieve user data whether it is stored domestically, abroad, or both, it is not possible to determine the exact location of a user’s data at a given point in time.  This uncertainty makes it practically impossible for the government to obtain data through mutual legal assistance treaties, the alternative suggested by the Microsoft court.

At bottom, the court concluded that on Google’s facts – where the Google account holders were known to reside in the United States, unlike in Microsoft, and the alleged illegal conduct also took place here – the SCA, Fourth Amendment precedent, and practical considerations all supported production of the user data rather than allowing Google to shield the data behind ambiguities in location.  The court held that Google could not rely on extraterritoriality arguments and granted the government’s motions to compel Google to produce the requested data. 

Implications for Companies Maintaining Customer Private Data
Google has already announced that it will appeal the decision, so it remains to be seen if the district court will follow the lead of the Second Circuit in Microsoft or stake out its own course.  The Google decision may give companies emboldened by Microsoft pause in deciding whether to resist compliance with what they view as overly broad requests for customer data.  The different results in the cases, however, may serve as useful guidance for securing data abroad; clearly, with respect to search warrants, there can be value in the ability to precisely identify what data is stored in the United States versus abroad.   It may be that Congress will ultimately address the extraterritoriality issue in Google and Microsoft and clarify the scope of the SCA in a way that provides a clearer path forward for companies.

In the meantime, there is no doubt that technology companies have found themselves on the vanguard of Fourth Amendment law as they are forced to balance the competing needs of cooperation with law enforcement (both legal and strategic) and obligations to protect customer privacy (both legal and commercial).  Additionally, technology companies must take into account the practical management of business operations in the face of ever increasing requests for customer data.  Google stated that each year it receives an astounding 25,000 pieces of legal process from federal, state, and local government entities seeking disclosure of customer data in criminal matters.

The nature of technology is that it advances and changes.  Even if the narrow Google-Microsoft issue is resolved, companies will face other ambiguities that cloud their ability to clearly define their privacy policies and protocols.  Companies must be nimble in adapting to a changing legal landscape even as they remain committed to their organization’s core principles and practical about business realities.

The memorandum of decision is available here. Our more detailed discussion of the Microsoft case is here and here.

___________________________________________

1 In re Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp., No. 14‐2985 (2d Cir. July 14, 2016).

2 In re Search Warrant No. 16-960-M-01 to Google, In re Search Warrant No. 16-1061-M to Google, Memorandum of Decision (Feb. 3, 2017).

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bracewell LLP | Attorney Advertising

Written by:

Bracewell LLP
Contact
more
less

Bracewell LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):
hide

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.

Security

JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.