Gregory P. Bufithis, Esq.
6 February 2017 – Google will have to comply with FBI search warrants seeking access to customer emails stored on servers located outside the United States, Judge Thomas Rueter ruled on Friday. The decision diverges from an opposite verdict given in a similar case against Microsoft Corp in July last year.
In the ruling on Friday, the judge wrote that there was “no meaningful interference” in the account holder’s “possessory interest” in the data sought in the warrant. The judge said the requested messages would only be opened in the U.S., so in his opinion it was not a foreign search and thus falls under U.S. jurisdiction. He also noted that the search warrants pursue suspects living in America:
“Though the retrieval of the electronic data by Google from its multiple data centres abroad has the potential for an invasion of privacy, the actual infringement of privacy occurs at the time of disclosure in the United States”.
Google, though, does not plan to give up the data or the fight to protect it just yet. The company said in a statement last night:
“The magistrate in this case departed from precedent, and we plan to appeal the decision. We will continue to push back on overbroad warrants”.
The ruling is in stark contrast to the decision in Microsoft’s case, in which a federal judge had ruled that Microsoft and other companies could not be forced to turn over customer emails stored on overseas servers to the FBI.
Both cases are based on warrants issued under the Stored Communications Act, 1986, considered outdated by many technology companies.
Professor Orin Kerr of the George Washington University Law School, an expert on these matters, noted on his blog over the weekend:
“The court suggests that bringing a file back to the United States is not a seizure because Google moves data around all the time and ‘this interference is de minimis and temporary’.
I don’t think that works. Google is a private company not regulated by the Fourth Amendment, so whether it moves around data is irrelevant. And I don’t see what is ‘de minimis and temporary’ about the government ordering Google to make a copy of your email pursuant to a court order.
It certainly may be a reasonable seizure, but I think it’s still a Fourth Amendment seizure.”
The decision also comes on the heels of President Donald Trump’s Executive Order on Public Safety which denies privacy protections to non-Americans. The order ostensibly calls for European regulators to cancel an agreement between the European Commission and the U.S. government called the Privacy Shield, which allows U.S. companies to transfer customers’ data across the Atlantic.
Hunton and Williams published a blog post which concludes that “the Order should not impact the legal viability of the Privacy Shield framework”. The blog reaches this conclusion because, in its view, EU nationals still have access to U.S. courts through the Judicial Redress Act, which is unaffected by the Executive Order (unless this access is revoked by the U.S.).
But if you had the opportunity to attend any of the EU data privacy sessions at Legaltech 2017 last week in NYC, you heard another argument: while many agreed with the blog’s conclusions relating to the Judicial Redress Act, few were convinced that it will overcome the main data protection problem associated with this Order. This is because implementation of this Order requires enhanced data sharing between federal agencies in the U.S. As this data sharing involves EU nationals, it directly raises the question: “whether or not the provisions of USA’s Privacy Act 1974 itself offers an adequate level of protection for transfers of personal data to the USA?”
The EU Commission itself has its doubts. Last Friday (it was a busy day!) the EU Justice Commissioner Vera Jourova told the press that “I need to be reassured that the Privacy Shield can remain, is viable”. EU Commission officials are working at a feverish pace this week seeking “clarifications”.
Bottom line? If I were a data controller relying on Privacy Shield, I would look at contingency arrangements just in case this Order (or another “Trumpian policy”) goes horribly pear-shaped. If the agreement is cancelled, the European data protection laws could act as a significant trade barrier to American companies operating in Europe.