in re Warrant

gavel By Mackenzie Olson

Companies like Microsoft and Google store a lot of customer data in storage centers overseas. As of July 2016, 2nd Circuit precedent indicated that, due to the foreign location of those centers, the U.S. government could not compel these companies to turn over data, even by issue of a search warrant. The case that rendered this decisions was In the Matter of Warrant to Search a Certain E–Mail Account Controlled and Maintained by Microsoft Corporation. (But also take note of the dissent in the denial of en banc review). As the Southern District of New York adjudicated the Warrant case, the Second Circuit Court of Appeals was its final arbiter. Accordingly, the Court of Appeals’ judgment only controlled as precedent in that jurisdiction. And though its opinion has been persuasive elsewhere, at least one judge, based in the Third Circuit, now disagrees with its outcome.

On February 3, 2017, Magistrate Judge Thomas J. Rueter of the Eastern District of Pennsylvania issued an opinion and subsequent orders compelling Google to turn over certain data stored in overseas facilities, per the request of two previously issued search warrants.

In his opinion, Judge Rueter explains that, “the present dispute centers on the nature and reach of the warrants issued pursuant to section 2703 of the Stored Communications Act, 18 U.S.C. §§ 2701 (“SCA”).

He frames the relevant issues as follows: “The court must determine whether the [g]overnment may compel Google to produce electronic records relating to user accounts pursuant to search warrants issued under section 2703 of the SCA, or in the alternative, whether Google has provided all records in its possession that the [g]overnment may lawfully compel Google to produce in accordance with the Second Circuit’s ruling.” Rueter ultimately holds that “compelling Google to disclose to the [g]overnment the data that is the subject of the warrants does not constitute an unlawful extraterritorial application of the [SCA].”

In its reporting of the decision, news outlet Reuters particularly emphasizes Judge Rueter’s reasoning that “transferring emails from a foreign server so FBI agents c[an] review them locally as part of a domestic fraud probe d[oes] not qualify as a seizure . . . because there [i]s “no meaningful interference” with the account holder’s “possessory interest” in the data sought . . . [the retrieval] has the potential for an invasion of privacy, [but] the actual infringement of privacy occurs at the time of disclosure in the United States.”

Orin Kerr, law professor at The George Washington University School of Law, notes numerous problems with Judge Rueter’s decision. “The issue in this case is statutory, not constitutional. Even if you accept the (wrong) framing of the issue as being whether the SCA applies outside the United States, the answer has to come from what Congress focused on, not where the constitutional privacy interest may or may not be. Where you place the Fourth Amendment search or seizure strikes me as irrelevant to the extraterritorial focus of the statute.”

Kerr further contends that, “Even accepting the court’s framing, I don’t think it’s right that no seizure occurred abroad. As I see it, copying Fourth Amendment-protected files seizes them under the Fourth Amendment ‘when copying occurs without human observation and interrupts the stream of possession or transmission’. . . . That test is satisfied here when the information was copied. The court suggests that bringing a file back to the United States is not a seizure because Google moves data around all the time and ‘this interference is de minimis and temporary.’ I don’t think that works. Google is a private company not regulated by the Fourth Amendment, so whether it moves around data is irrelevant.”

It will come as no surprise that Google plans to appeal the Third Circuit decision. Likely a slough of other tech and media companies that previously filed amicus curie briefs in the Microsoft case will file briefs again, such as Apple, Amazon, AT&T, eBay, and Verizon.

Key questions that remain, then, are what will the Third Circuit decide on review?

Will the court follow the precedent set by the Second Circuit in Warrant?

Will it adopt the reasoning of the dissenters in the denial of Warrant‘s en banc review?

Will it follow Judge Rueter’s reasoning in the case at bar?

Or will it render an entirely novel opinion?

And though we can be sure that the losing party will petition the Supreme Court, one also must consider whether a final player emerge, in the form of Congress directly intervening? After all, the SCA was enacted in 1986, and many consider it not only out of date, but also relatively unworkable for modern technological issues. The time certainly seems ripe for a statutory update.

Image Source

By Jason Liu

The United States will be filing an amicus brief in the ongoing EU case between privacy activist Max Schrems and Facebook. Although not filed yet, the brief will provide vital information on the U.S.’ stance on privacy and international data transfers.

The case comes about because the Data Protection Commissioner of Ireland sought a declaratory action in the Irish High Court, alleging that Facebook was illegally transferring EU citizens’ data to the U.S. under EU law.

Past Privacy Actions in Europe

In the related pivotal case invalidating the U.S.-E.U. Safe Harbor agreement, Max Schrems, an Austrian privacy activist and attorney, brought a prior complaint with the Data Protection Commission (in Ireland) that Facebook was illegally transferring EU citizen information to the U.S. Schrems claimed that the personal data he provided to Irish Facebook servers was also transferred to the U.S.

But what is the Safe Harbor in question? EU privacy law forbids the movement of its citizens’ data outside of the EU, unless it is transferred to a location which is deemed to have “adequate” privacy protections in line with those of the EU. The prior Safe Harbor agreement allowed U.S. companies to transfer EU citizen data to the U.S. if the U.S. government promised to protect the data.

Schrems claimed that the U.S. failed to provide legal protections against U.S. surveillance of data on U.S. servers. These claims were supported by the Edward Snowden revelations of 2013. The Snowden revelations included the NSA PRISM program that provided the U.S. government access to private industry servers of tech companies such as Google, Facebook, or Apple. Snowden also revealed surveillance of world leaders, XKeyscore (internet activity logging program), and various NSA practices used to overcome encryption and hacking methods.

Ultimately, the European Union Court of Justice (EUCJ) ruled that the Safe Harbor agreement was invalidated due to inadequate protection of EU citizens’ data to the U.S. in light of the Snowden revelations.

What is going on now?

Following the case, the Irish Data Protection Commissioner referred Schrems’ original complaint against Facebook to the Irish High Court and also the EUCJ. The current case is about Standard Contractual Clauses and the ability of tech companies to contract with EU citizens to have their data stored in U.S. servers. U.S. companies have argued the “model clauses” from template agreements provided by the EU Commission let EU member states send personal data to countries lacking “adequate levels” of protection under the 1998 Data Protection Act.

In response, Shrems stated that:

I see no way that the [EUCJ] can say that model contracts are valid if they killed Safe Harbor based on the existence of these US surveillance laws. All data protection lawyers knew that model contracts were a shaky thing, but it was so far the easiest and quickest solution they came up with. As long as the US does not substantially change its laws I don’t see how there could be a solution.

What will be the U.S.’ amicus position?

Although unwritten, the U.S.’ amicus brief may contain stances from the U.S.-EU Privacy Shield that was recently ordered by the EU Commission. Notably, the new Privacy Shield will provide:

Strong obligations on companies and robust enforcement;
Redress options;
Clear safeguards and transparency obligations on U.S. government access; and
Annual joint review monitoring.

However, because the EU Order providing for the Privacy Shield was EU-centric, it has been difficult to discern which particular points are emphasized by the U.S. Thus, the amicus brief may be a unique opportunity to learn about the most compelling arguments of the U.S. in light of the new Privacy Shield.

Furthermore, although the amicus brief will be directed at international data transfers, it may also prove an important way to gauge how the U.S. views the domestic regulation of data. Through the Cybersecurity National Action Plan, the Obama administration has shown support for protecting privacy rights through the creation of the Federal Privacy Council.

Of course, any further insight into the U.S. treatment of consumer information is always welcome.

Image source: Pixabay

Washington Journal of Law, Technology & Arts

Are My Emails Beyond the Grasp of the U.S. Government?

EU Privacy Litigation: United States Now Filing An Amicus Brief in Facebook Case

Share this:

Like this:

Share this:

Like this: