The extraterritorial reach of domestic criminal investigations is marred by a lack of clarity. Similar questions arise in both the United States and the United Kingdom about the extent to which law enforcement agencies can use domestic search warrants to capture data that is accessible from the property but which is stored on a server based in another country. The lack of clarity can be attributed at least in part to the age of the applicable legislation, which does not reflect the current state of technology.
The difficulties are of heightened importance in the current climate where law enforcement officials emphasise the ever more urgent need to obtain electronic data during their investigations and large bodies like the European Union continue to take steps to protect individual privacy.
The legality of a warrant which purports to cover data held by a US company on an overseas server is currently being considered by the US courts in Microsoft v. United States. As part of a narcotics investigation, the Department of Justice served a warrant on Microsoft relating to an email account “stored at premises owned, maintained, controlled, or operated” by Microsoft. Microsoft produced the address book contacts stored in the email account, which were located on a US-based server, but refused to produce emails from the account, which were stored at a data centre in Ireland. The District Court for the Southern District of New York upheld the validity of the warrant and Microsoft appealed. The Second Circuit Court of Appeals heard the appeal in September and a judgment is expected shortly. It is anticipated that the case will ultimately reach the US Supreme Court.
Among other points, Microsoft contends that the statute which authorises the DOJ warrant does not have extraterritorial effect, citing the presumption that statutes do not apply extraterritorially unless they explicitly say so. The statute was enacted in 1986 and it has not been amended since that time. The Court of Appeals referred to the difficulties associated with the age of the statute during the September hearing.
Microsoft also contends that the DOJ should seek to obtain the emails through a formal request to the Irish Government for mutual legal assistance. It took issue with the District Court’s finding that the mutual legal assistance process is generally “slow and laborious.” The Irish Government filed a brief in the proceedings in which it noted, among other things, that any request for mutual legal assistance could be dealt with “as expeditiously as possible.”
The outcome of the case will have significant ramifications not only for US law enforcement but also further afield. The case reflects the tension between the need for law enforcement authorities to access electronic data as part of their investigations on the one hand and the application of other jurisdictions’ data protection legislation on the other. The decision could also have a significant effect on the relevance of mutual legal assistance processes when electronic data is being sought.
The UK Regulation of Investigatory Powers Act (RIPA) authorises certain public agencies to intercept communications and/or obtain “communications data” (essentially metadata). It is explicitly stated to apply extraterritorially. Thus, a RIPA warrant or notice may relate to conduct outside the UK and may be served on any person outside the UK. It is not clear whether or how the UK Government could enforce obligations on overseas providers to comply with RIPA warrants or notices.
RIPA imposes various controls on the circumstances in which law enforcement agencies can intercept communications or obtain communications data. At present, the Secretary of State must authorise warrants to intercept communications and is only empowered to do so if the interception is required in the interests of national security, to prevent or detect serious crime, to safeguard the economic wellbeing of the UK or to give effect to a request for mutual legal assistance. Less stringent controls apply to authorisations to obtain communications data. The current RIPAsafeguards are likely to become more stringent under the draft Investigatory Powers Bill, which is expected to be laid before Parliament shortly.
In addition to the wide powers under RIPA, criminal law enforcement agencies have additional powers of search and seizure under the Police and Criminal Evidence Act (PACE). There is no obvious dividing line between PACE and RIPA. Data that is susceptible to a RIPA warrant or notice could also be subject to a PACE production order or search warrant.
Section 20 of PACE provides that every power of seizure includes the power to require that any information stored in electronic form which is accessible from the premises is produced in a form in which it can be taken away. This power is very broad and has been used to capture data stored on a server located abroad if the data can be accessed from the premises to which the search warrant or production order relates.
Section 20 does not explicitly state that it has extraterritorial effect even though it plainly does and there is surprisingly little case law on this point.
Section 20 is yet another example of the failure of legislation to keep pace with developments in technology: the current wording was introduced in 2001 and despite the significant changes in technology over the past 15 years, it has not been updated to reflect the tendency since 2001 of corporations and people to store data not just at a different site but in a different jurisdiction.
Given the critical role of electronic data in many criminal investigations, and in light of the increasing importance of data protection legislation, the extraterritorial reach of domestic law enforcement statutes is likely to remain a complex issue which is exacerbated by out of date legislation.