New Front In Data Privacy At The Supreme Court: Can U.S. Seize Emails Stored Abroad?
When you open your email today, consider this: on Tuesday, the U.S. Supreme Court hears arguments on a question that didn't exist just a few decades ago — does an email provider, faced with a search warrant issued in the United States, have to turn over a customer's email content when that data is stored outside the U.S.?
The case, United States v. Microsoft, involves a federal drug-trafficking investigation in which law enforcement obtained a warrant for all the data associated with a suspect's Microsoft account. In response, Microsoft turned over the user's account identification information that is stored in Redmond, Wash., but refused to disclose the content of the emails, which were stored in a data center in Ireland.
Microsoft argues that an international treaty between the U.S. and Ireland is the only correct way to obtain the emails, and Ireland agrees. The treaty is known as the Mutual Legal Assistance Treaty.
But the U.S. government argues that process is slow and cumbersome. Furthermore, it would prove highly problematic with providers such as Google, for example, which breaks up data and moves it around the world constantly.
The warrant in question was issued under the Stored Communications Act. Congress enacted the law in 1986 when email and the Internet were in their nascent stages, and the idea of data floating around the world was inconceivable.
Although the act was designed to address electronic communications, Congress did not predict the technological revolution, which has since poked major holes in the legislation.
Siding with Microsoft in this case are a raft of major tech companies, including Amazon, Apple, Facebook and Google. They point out that the public did not even have access to the Internet until 1989 and the "World Wide Web" didn't exist until 1991. Nor were emails stored after they were received. So Congress could not have intended to cover data that is stored forever in a cloud.
Where does the search occur?
The Supreme Court has established a strong presumption against the extraterritorial application of a statute unless Congress expresses a clear intent to reach outside the U.S.
In this case, the government concedes that the Stored Communications Act does not express such an intention, but instead argues that because Microsoft would disclose the emails to law enforcement in the United States, the application of the act would be domestic. The idea is that since Microsoft already has custody and control of the data and is legally able to move the content back to the U.S., honoring a warrant would present no "meaningful interference" with the user's property interests.
Microsoft pushes back, contending that the whole purpose of the Stored Communications Act was to protect "communications in electronic storage" from government intrusion.
Privacy on the world stage
This is not the first time the Supreme Court has faced the question of privacy and technology this term. In November, the court heard oral arguments in a case testing whether the government may, without a warrant, search cell-phone location data to track a suspect's movements. That case, Carpenter v. United States, also concerned the Stored Communications Act, but the major question was whether a warrant was needed to get this sort of tracking information.
Microsoft extends the question of privacy into the international arena.
The company argues that allowing the U.S. to reach into foreign territory to retrieve a user's private emails, even with a warrant, would set a dangerous precedent for other countries to reciprocate. Disregard for another country's sovereignty could be seen as an open invitation to the rest of the world to look into American citizens' private emails, commencing a "global free-for-all."
The U.S. and European Union demonstrate different priorities when it comes to data protection. Privacy is enshrined as a fundamental right in Europe. Both the Charter of Fundamental Rights of the European Union and the Treaty on the Functioning of the European Union recognize a "right to the protection of personal data."
The U.S. Constitution contains no such corresponding right. The concept of privacy lies solely in the Fourth Amendment ban on unreasonable search and seizure. In contrast to the Fourth Amendment, which was adopted more than 200 years ago, the E.U. treaties had the advantage of being drafted in the 21st Century. Thus the E.U. framers not only had the telephone, electricity and automobiles in mind, but the Internet was alive and well.
In May, the E.U.'s General Data Protection Regulation goes into effect. It has few fans among major international companies. Fortune's Global 500 will spend an estimated $7.8 billion dollars to meet the E.U.'s strict privacy standards. Any company that processes the personal data of an E.U. resident is subject to the law.
The provisions include swift notification to users of data breaches, data minimization, (i.e. processing only absolutely necessary data) and the controversial "right to be forgotten," which confers a right to permanent deletion upon request. If a company is found in violation of the regulation, it could be subject to a fine of 4 percent of annual global turnover or €20 million (about $24.7 million), whichever is greater.
Article 48 of the regulation states that "any judgment of a court requiring a [provider] to transfer or disclose personal data may only be recognized or enforceable ... if based on an international agreement."
So, Microsoft is in something of a bind. If the E.U. considered Microsoft's disclosure of a resident's emails a significant breach of the regulation, Microsoft would be fined $3.6 billion for this breach alone.
According to Jan Philipp Albrecht, the rapporteur of the G.D.P.R., "It is almost certain" that the fine would be imposed.
Bipartisan support for privacy
In a rare convergence of opposing ideologies and bitter competitors, Fox News, CNN, the ACLU, Republican and Democratic senators and congressmen, Apple and Microsoft agree: The U.S. government should not unilaterally seize data stored in a foreign country. Doing so, many say, would mark a disregard for the sovereignty of other nations and infringe on privacy laws that explicitly forbid such action.
The U.S. government, on the other hand, dismisses these concerns, noting that when served with a warrant, Microsoft could, by tapping a few keys, transfer the information back to the U.S. from the stored data center in Ireland, thus avoiding international complications.
To rule otherwise, the government suggests, would require a lengthy process that would involve the State Department seeking the information via international cooperation. And that, says the Trump administration and, previously, the Obama administration, would provide a roadmap for criminals and terrorists to shield email communications from law enforcement authorities in this country.
Now, it's up to the Supreme Court to decide.