A simple flaw in federal law has led to a series of setbacks for both U.S. companies and law enforcement. Believe it or not, the law is not settled on whether or how U.S. law enforcement can access data stored overseas by a U.S. company. The answer depends on whom you ask and which federal circuit you’re in. The problem can be traced to ambiguity in a federal statute written in 1986, long before the internet became a commercial phenomenon. Simply put, the Electronic Communications Privacy Act (ECPA) does not clearly say how law enforcement may access data stored by an American company overseas.
According to the Department of Justice (DOJ), U.S. law enforcement may obtain the content of communications stored overseas using a warrant or subpoena under ECPA, even if the communications belong to someone who is neither a U.S. citizen nor a U.S. legal permanent resident. Governments (including ours) generally view data pertaining to their citizens—and stored within their borders—as subject to their jurisdiction. The DOJ’s view of its cross-border authority and foreign governments’ jurisdictional views are in direct conflict. This jurisdictional clash puts companies that are the subject of such requests in an untenable situation—companies must either break the law of the country where the data is stored to comply with the U.S. warrant, or ignore U.S. law enforcement requests and abide by the other country’s laws.
This isn’t to say DOJ’s position is meritless or impossible to understand. If it can’t access data overseas with a warrant, DOJ is forced to make a request of the foreign government under rules set forth in the mutual legal assistance treaty (MLAT) the United States has with that country. Unsurprisingly, this process can be time-consuming and, when dealing with an uncooperative country, fruitless. On top of this, many existing MLATs are thought to be just as out-of-date as U.S. law in this area. If ECPA gives DOJ extraterritorial reach, many of these difficulties are mitigated.
But the reality isn’t so simple. The conflict has come to a head in the Second and Third Circuits, which have thus far reached different conclusions. In the first case, U.S. law enforcement sought an Irish citizen’s communications, stored by Microsoft in servers based in Ireland. Microsoft disputed the warrant, arguing that it threatened its core business, Ireland’s sovereignty, and the privacy and security of consumer data. A three-judge panel of the Second Circuit ruled for Microsoft in July 2016, quashing the warrant, and a split circuit denied an en banc rehearing on January 24, 2017. Conversely, a magistrate judge in the Third Circuit on February 3, 2017, ordered Google to comply with warrants issued under ECPA regarding data stored overseas. As a result, at least one magistrate judge in the Third Circuit sides with DOJ’s view that it can obtain communications stored in jurisdictions outside the United States, while the Second Circuit would quash a warrant seeking access to data overseas.
So what does this mean for U.S. companies that store data abroad? For one thing, it means their obligations are unclear when U.S. law enforcement seeks that data. Separately, when such a request is made, a company must be prepared to fight whichever government’s laws it chooses to ignore. This is especially difficult for small- and medium-sized businesses, like many App Association members, that often don’t have the extra resources necessary to take on sovereign governments in court. As House Judiciary Committee Chairman Bob Goodlatte said in 2016, “The result of these conflicts is that U.S. technology companies find themselves with a Hobson’s choice. Either comply with U.S. law, or comply with foreign law. But, it is increasingly impossible to comply with both. This is an untenable situation for U.S. tech companies.”
The problem Congress needs to solve is twofold: 1) U.S. law is written for old technology, making it ambiguous enough to permit conflicting interpretations; and 2) DOJ’s current interpretation is apparently inconsistent with foreign jurisdictions’ laws. Representative Tom Marino (R-PA-10), Senator Orrin Hatch (R-UT), Senator Coons (D-DE) and Representative DelBene (D-WA-1) developed laudable solutions last year. Although these measures apparently failed to satisfy DOJ, they garnered significant support among tech groups and other Members of Congress. The App Association strongly supported the 2015 Law Enforcement Access to Data Stored Abroad (LEADS) Act—which had 137 cosponsors in the House—as well as its next iteration, the International Communications Privacy Act (ICPA). Both measures would have clarified the rules of the road for U.S. law enforcement agencies as they seek to obtain communications stored abroad in a manner that is reconcilable with foreign jurisdictions’ laws. This year, we are looking forward to the introduction of the next version of these measures. And we are happy to support the policymakers who are working on a solution that respects foreign sovereignty while empowering DOJ to effectively investigate international criminal enterprise.
Written by Graham Dufault