Summary

It’s well known that the National Security Agency (NSA) doesn’t limit its monitoring and collecting of data to the US. But it’s unclear whether other (non-intelligence) US authorities have similar powers. A recent ruling of a New York magistrates’ court points in that direction. So, as well as the NSA other US authorities – for example public prosecutors, the US Department of Justice and the Federal Trade Commission – may have the power to investigate data stored outside the US.

Does the US have unlimited access to data?

Microsoft took legal action to block a court order demanding that it hand over a Hotmail email account stored on a server in Dublin, Ireland, to an investigative authority. The US government wanted the emails as part of a criminal investigation. 

The court held that the order against Microsoft was lawful because an authority’s power to demand access to (digital) information – unlike a search warrant, which entails a physical search of premises – is not limited to the US. According to the judge, what matters is who controls the data, not where it is stored. The Chief District Judge upheld the decision on 31 July 2014. Microsoft appealed, and the order was then temporarily stayed, pending a final ruling.

US data centres in the EU

Should the ruling be upheld, this would affect US companies that locate data centres in the EU to give their customers secure cloud server environments while adhering to EU data protection standards. Cloud service providers in the EU or elsewhere would then face a paradox. They would have to comply with strict EU data protection rules, while being unable to invoke those rules to defend against extraterritorial data requests from US. 

In short, they would be caught between a rock and a hard place, because no matter how the company decides, this would infringe either US or domestic member state law (so-called sanctions race). Since penalties for non-compliance with authority orders tend to be more severe in the US, companies may be forced to violate respective EU regulation. This again could have a detrimental effect on customer trust.

When disclosing data creates conflicts

There could also be a conflict with future EU legislation. The current draft proposal of the EU Data Protection Regulation, which might be enacted in 2016, provides that no judgment and no decision of an administrative authority of a country outside the EU, which requires a data controller or processor in the EU to disclose personal data, shall be recognised or enforceable. It remains to be seen how this conflict of laws will be resolved. 

On the other hand, if the decision gets quashed, in principle, US authorities would have to rely on international judicial assistance from foreign authorities to investigate data stored abroad. Such procedures are usually lengthy and not always successful. Companies might then be able to circumvent access by US authorities by choosing server locations in specific jurisdictions.

Scope of law enforcement measures

The territorial scope of law enforcement measures like searches and requests for information is not only disputed in the US. Similar legal issues crop up in other jurisdictions. In Germany, for example, there’s not much relevant case law, but the practice of agencies such as the public prosecutors and of competition and tax authorities seems to head in the same direction as the New York Magistrates’ Court. For this reason, German authorities also tend to request and seize data that may be located outside domestic territory. 

No matter how courts in the US decide, companies that are subject to a request for information should always check whether disclosing any data may conflict with data protection law. If it’s unlawful under data protection regulations to give investigative authorities access to data, it may have to be withheld or the company may need to appeal against respective authority orders.