Companies Beware: Privacy and Cross-Border Data Issues Hit the US Supreme Court
By William Belt, Director of Enterprise Development, CDS.
Many U.S. companies store data outside the country, which is increasingly causing problems in legal cases. One issue is about to be heard in the US Supreme Court, and it has potentially broad implications, especially since the European Union will be changing its data privacy laws next year. How should companies deal with the changes?
The upcoming Supreme Court matter arises out of a drug trafficking case. The US government requested a warrant under the Stored Communications Act (SCA) seeking emails from Microsoft. Microsoft stores customer emails in data centers all over the world. While the record does not indicate that the customer was an EU citizen, Microsoft stated that it tries to store data near the location where customers indicate they live. Of course, that may not be dispositive, but it is likely that the customer was an EU resident.
In any event, unlike many warrants, the warrant under the SCA is served on a third party (Microsoft or another Internet Service Provider) and the third party is required to provide the data, much like a subpoena in a civil matter. The warrant at issue was served on Microsoft in Redmond, Washington for data stored on a server in Dublin, Ireland. Microsoft moved to quash the warrant, and the motion to quash was heard and denied by Judge Francis, a well-respected Magistrate Judge with a strong understanding of eDiscovery and of court rules and matters related to litigation technology.
On appeal, a panel of three US Court of Appeals judges for the Second Circuit overturned the decision. The Supreme Court is now faced with deciding whether to quash the warrant or reinstate the requirement that Microsoft collect the emails from Ireland for the US-based criminal matter.
This case is important because it is being argued, appealed and decided in the context of a larger development: the evolution of European privacy regulations and their impact on US privacy laws. You might think that the US goes to greater lengths to protect privacy, as the development of US privacy laws has been a central focus of Constitutional law scholarship and case law. Not so. The EU protects the privacy of EU citizens to a much greater extent. As a result, the EU is quite upset that US courts would force (or even allow) Microsoft (or Google or another US-based company) to pull private emails from servers in the EU and turn them over to US courts. Basically, it is a “clash of legal systems” on the issue of privacy.
Now, we in the eDiscovery world deal with subpoenas in civil matters all the time. Civil litigators are also used to the rules that Judge Francis followed requiring companies to produce information that is in the “possession, custody, and control” of a plaintiff or defendant in a civil matter. And according to the appellate court, Judge Francis’s original opinion rests on the idea that this warrant under the SCA should be handled like a subpoena. No law enforcement officers need to go on the premises of Microsoft. Instead the warrant requires the company to deliver data in its control. However, the Second Circuit disagreed with the lower court’s treatment of the warrant.
The question is whether the Supreme Court will agree that this is a warrant in a law enforcement matter and does not follow the “possession, custody or control” rules. However, even if that’s how the Supreme Court rules, the case is still of critical importance for several reasons:
- The underlying facts of this case highlight the degree to which legal matters rely on electronic evidence. We are dealing with a “brave new world” of technological and legal challenges and companies and litigators need to adjust.
- The case underscores the differences in US and EU privacy laws and the way those differences impact individual cases and privacy law in general (which must account for data that crosses borders with such frequency).
- The ruling will impact two critical, and in many ways conflicting, concerns behind privacy protections. Allowing the US government to collect the emails helps fight nasty activities (drug trafficking in this matter), but it also degrades the privacy rights of the individual customer (in this case the accused drug trafficker), particularly from the perspective of the EU courts.
- Next year, the EU will implement new privacy regulations approved in the General Data Protection Regulation (GDPR) and how those regulations will impact issues of privacy in US court matters will be closely watched. The Supreme Court’s Microsoft decision will therefore be carefully scrutinized for its tone and posture toward the EU privacy regulations.
Regardless of the decision, companies and litigants should look to experienced eDiscovery service providers who are knowledgeable about international laws and can collect data in compliance with those laws.