The Ninth Circuit Court of Appeals was recently asked to address the issue of whether a foreign national, imprisoned abroad, is nevertheless protected by the Electronic Communications Privacy Act (ECPA). It resoundingly answered “yes.” In the case before the Ninth Circuit, the Plaintiff tried to obtain copies of emails from the email account of a foreigner imprisoned abroad – in other words, the only connection to the United States was the fact that he had a hotmail account, the contents of which were on a server located in the United States. Microsoft objected to providing the email account, and the Ninth Circuit agreed. Regardless of the nationality of an account holder, if their electronic communications reside on a server based in the United States, then the ECPA’s protections apply. Furthermore, the ECPA’s protections apply (even to non-citizens) regardless of whether the information sought is for civil litigation or law enforcement purposes. The Ninth Circuit has previously held that email interceptions occurring outside the United States are not protected by the ECPA. Suzion Energy Ltd. V. Microsoft Corp., Court File No. 10-35793 (9th Cir. October 3, 2011).
Many countries have privacy laws protecting their citizens’ privacy and/or information stored on servers located within their borders. When contracting with a vendor for cloud-based services or storage, it is best to ask the location of the server and investigate whether that country’s privacy laws are in keeping with your expectations about who can lawfully access the information, and any restrictions on its dissemination.