On Friday, the U.S. Department of Justice filed a petition seeking the Supreme Court to consider an ongoing legal case about access to data stored overseas. But the courts are powerless to craft a balanced policy for law enforcement access to data stored abroad. Only Congress can do it.
Last year, the 2nd Circuit Court of Appeals ruled in favor of Microsoft, concluding that U.S. warrants for customer email are unenforceable when the provider stores emails on a server outside the United States. The Second Circuit reasoned that the Stored Communications Act (SCA) only has territorial effect, and that means it doesn’t apply to email stored outside the United States. With this petition, DOJ is asking the Supreme Court to reconsider whether the statue has extraterritorial effect, as well as whether the case involves a domestic application of the statue.
Rather than diving into a drawn-out debate about territoriality of our current law, it’s more productive to assess what the possible outcome might be either way and why Congress is best suited to resolve the situation. As SIIA has opined in the past, the outcome of this case is a lose-lose for industry and law enforcement alike. For instance, consider the two outcomes if the Supreme Court takes this case:
A win for Microsoft, upholding the 2nd Circuit decision, would obviously be a serious setback for law enforcement, forcing them to pursue the inefficient Mutual Legal Assistance Treaty (MLAT) process that can take up to a year for access to critical data. But this decision would also have very negative consequences for U.S. cloud providers and the global internet, as it would create further incentives for data localization requirements by countries around the world seeking to shield their citizens data from the reach of the U.S. and other foreign governments.
On the other hand, a win by the DOJ would seem to solve the current challenges for U.S. law enforcement, but they would create an explicit conflict of law for U.S. technology companies storing data overseas. However, in this event, other countries and global customers would begin to shift away from U.S. cloud services, in favor of our foreign competitors, where U.S. warrants would not apply. Therefore, what might be a short-term win for law enforcement would dissolve over time.
Further complicating this situation, U.S. law also generally prohibits U.S. companies from disclosing electronic communications content to foreign governments. Rather than engaging in the ineffective MLAT process, various foreign governments are seeking extraterritorial application of their own laws that conflict with U.S. laws putting U.S. cloud providers of deciding whether to risk violating the law of the requesting country, or to risk violating U.S. laws.
Ultimately, our current international legal framework was built 30 years ago, in an era when the need for cross-border evidence collection was almost non-existent. Therefore, it’s truly unfortunate that DOJ has appealed this case to the Supreme Court.
This is why Congress needs to act to fix the outdated legal framework. In the last Congress, Senators Orrin Hatch (R-UT), Chris Coons (D-DE), and Dean Heller (R- NV), and Representatives Tom Marino (R-PA) and Suzanne DelBene (D-WA) joined forces to introduce the International Communications Privacy Act (ICPA) to update our legal framework so that the location of the data does not determine access via a U.S. warrant.
SIIA held a Capitol Hill event in March to highlight ongoing discussions to update this legislation to adequately support law enforcement (both U.S. and with our allies around the world), while preserving consumer privacy. At the event, Senator Hatch urged DOJ to work with him and other leading members of Congress to fix this issue for good. There was an excellent discussion, and despite a diverse panel representing industry, law enforcement, and civil society, there was also much agreement on the need for a legislative solution, and that can be done while preserving global privacy rights. Over the last month, hearings in both the House and Senate have reinforced the bipartisan desire for a legislative solution. And last week, Google unveiled a thoughtful framework for digital security and due process, which proposes for countries to commit to baseline privacy, due process, and human rights principles in order to make direct requests to ICT providers in other democratic countries.
While the courts can often provide clarity in current laws, sometimes the laws simply need to be updated. SIIA and the U.S. ICT industry is committed to working with legislators, regulators, civil society, academics, and other companies to progress these proposals and make sure that we get this right.
David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy. Follow the SIIA public policy team on Twitter at @SIIAPolicy.