Supreme Court Will Decide If US Government Can Request Data Stored Overseas

Over the past few years, the U.S. government has continued to request more and more data about tech companies’ users. Disregarding any surveillance that may or may not happen against foreign targets, the U.S. government has more recently also started asking for warrants to data that's stored overseas, too, even if the data belongs to foreign citizens and not Americans. The U.S. government’s argument is that because the data is held by American companies, that gives it the right to ask for all of these companies' data.

In a previous case involving Microsoft, the Court of Appeals for the Second Circuit overruled a lower court judge and agreed with Microsoft that the U.S. government can’t request foreigners’ data. However, the U.S. government continued to fight, so now the case has ended up at the Supreme Court.

In a way, this is not all good news, because Microsoft had effectively already won the case when the Appeals Court agreed with the company in its ruling. The Supreme Court could overturn that ruling now and set a new precedent in favor of the government. On the other hand, if the Supreme Court rules the other way, it could make it quite explicit that the government can’t request foreigners’ data from American companies.

Obsolete ECPA At Fault Again

The law that the U.S. government thought allows it to obtain foreigners’ data was the Electronic Communications Privacy Act, a three-decade piece of legislation that Microsoft, other companies, as well as many civil liberties groups and the U.S. House are fighting to update and modernize.

Microsoft believes that as far as the law is concerned, there shouldn’t be a difference between the papers on your disk and your digital files stored in the cloud. The government should still have to go straight to the user with a warrant to obtain someone’s digital files, just like it needs to come with a warrant to search that person’s house.

Similarly, the FBI can’t go into another country to search someone’s property and take their documents, even if their home was built by an American company, so it shouldn’t be able to do the same to foreigner’s data online. Just like in the offline world, the FBI would first need to obtain permission from that country’s government to obtain someone’s data, and that country’s government would also be bound by its own laws.

What about Privacy Shield?

The Microsoft case involved a person from Ireland, which is a European Union member. The EU now has a data transferring deal with the U.S. that gives American companies the permission to transfer EU citizens’ data to the U.S. as long as that data is (supposedly) protected by the same privacy rights from which EU citizens benefit when it's on EU soil.

The deal has been criticized as ineffective, largely due to the fact that the U.S. continues its mass surveillance operations unabated and because of overreaches such as the one in the Microsoft case.

The U.S. government also seems to want to put Americans under the same type of mass surveillance with the recently introduced “USA Liberty Act.” Given that the U.S. government intends to actually expand its surveillance operations even against its own citizens, there’s not much hope that EU citizens’ data will be treated any better--Privacy Shield or not.

Between A Rock And A Hard Place

American companies’ ability to send EU citizens’ data to the U.S. will also be put once again under scrutiny by the Court of Justice of the European Union (CJEU), which could soon decide potentially new limits of those data transfers in the context of U.S. mass surveillance.

If the CJEU does enact new limits, while the U.S. Supreme Court rules that the U.S. government is allowed to obtain foreigners’ data, including EU citizens’ data, that could further complicate the relationship between the U.S. and the EU. Technology companies will be caught between a rock and hard place, having to follow the law of the land in both places, even if those laws are in conflict with each other.

Another outcome of the Supreme Court ruling in favor of the government in this case, which would be even worse, is that other countries could make similar demands of U.S. companies:

“It puts everyone’s emails at risk,” said Microsoft in a recent blog post. “If the U.S. government can unilaterally use a warrant to seize emails outside the United States, what’s to stop other governments from acting unilaterally to seize emails stored inside the United States? At a time when countries are rightly worried about foreign government hacking, the DOJ’s interpretation would open the door to accomplishing the same thing,” added the company.

Time For Congress To Act

Microsoft believes that instead of fighting with U.S. federal agencies over interpretations of a three-decades-old law applied to today’s world of cloud services, it would be better if Congress worked to modernize the law.

The company said that Congress should support the International Communications Privacy Act (ICPA) of 2017, which was introduced in Congress this past July. This bill clarifies when governments can access data across borders in a reasonable way and with permission from the respective countries, when required by international law.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • vern72
    How the heck does the U.S. Supreme Court have jurisdiction outside of the U.S.? It doesn't seem viable.
  • derekullo
    Nothing illegal about this.

    The Supreme Court is simply answering the question;

    "Is the United States legally able to ask nicely for information stored in other countries or foreign companies that pertains to a citizen of the United States"

    Countries and other foreign companies not under US jurisdiction are free to say no.

    Russia: "Laughs hysterically"

    North Korea: "Seething" NO DOTARD!!!

    European Union: Do you want in xml or docx?

    If anything the other countries might take it as a compliment that the NSA doesn't already have all the information it wants.
  • jasonkaler
    That can request all they want, but if the country they're requesting from does not have a treaty specifying that the data must be supplied, this is pretty much useless.

    Just a step in the wrong direction towards a brick wall.
  • Olle P
    20280086 said:
    "Is the United States legally able to ask nicely for information stored in other countries that pertains to a citizen of the United States"
    Countries are free to say no.
    20280655 said:
    That can request all they want, but if the country they're requesting from...
    They're not asking a foreign country, they're asking a domestic company to provide (a copy of) information stored abroad.
    The country in which the data is stored doesn't get involved in any way!

    Getting a go-ahead here should off course trigger the response to ban non US local and national governments from having any connection to US IT companies such as Microsoft, Google, Facebook, Yahoo, Amazon, etc. (Just like US officials are now banned from using Kaspersky products.)
    And also, off course, a recommendation for regular citizens not to use these products.
  • th3p00r
    this is a very bad idea.