Territoriality will continue to be one of the most vexing problems for data regulation in 2018. One aspect of this debate relates to whether a U.S. judge can compel the disclosure of personal data located in Europe without using international treaty mechanisms. This issue is currently being considered by the United States Supreme Court in the case United States v. Microsoft. The case involves the question of whether a U.S. statute relating to search warrants can be interpreted as extending to a search for data located outside the United States; in this case, the data is located in Ireland. The U.S. Court of Appeals found that, in the absence of express wording in the statute relating to extraterritorial application, the statute should be interpreted as being limited to searches conducted within the territory of the United States. The Supreme Court is currently reviewing the case. In December 2017, the European Commission filed an amicus brief urging the Supreme Court to give due consideration to the principles of international comity and territoriality when interpreting the U.S. statute.
According to the European Commission:
“any domestic law that creates cross-border obligations – whether enacted by the United States, the European Union, or another state – should be applied and interpreted in a manner that is mindful of the restrictions of international law and considerations of international comity. The European Union’s foundational treaties and case law enshrine the principles of ‘mutual regard to the spheres of jurisdiction’ of sovereign states and the need to interpret and apply EU legislation in a manner that is consistent with international law.”
The international law norms mentioned by the European Commission include territoriality and comity. The principle of territoriality means that police and courts have no legal authority outside the borders of their own country. The principle of international comity means that, when a court issues a decision having effects outside its own country, the court must take utmost account of the laws of the other affected nations, and wherever possible avoid conflicts with those laws. For international investigations involving data, the Commission points out that mutual legal assistance treaties (MLATs) “embody a carefully negotiated balance between the interests of different states that is designed to mitigate jurisdictional conflicts.” The European Commission said that MLATs permit international data searches to occur without violating international law or the European General Data Protection Regulation (GDPR).
Separately, Europe’s Article 29 Working Party issued a statement on data protection and privacy aspects of cross-border access to electronic evidence, warning that:
“the adoption of an instrument compelling organizations not subject to the jurisdiction of an EU Member State would conflict with the applicable law and jurisdiction of the country where the organization is established. The organization subject to a production request/order could indeed be facing a conflict of laws.”
The Article 29 Working Party concluded that extraterritorial data orders would constitute “an interference with the territorial sovereignty” and that MLAT procedures should be used.
On matters involving harmful content, the Council of Europe committee of experts on internet intermediaries issued draft guidelines in December urging “the development of common approaches and jurisdictional principles” to avoid conflicts of laws in international cases. The global nature of the internet makes it tempting for national courts to apply global remedies. Yet global remedies often conflict with the laws of other countries. The best-known case on territoriality is the 2000 French Tribunal de grande instance decision involving Yahoo!’s online auction of Nazi memorabilia. The case had the potential to create a conflict between French laws prohibiting hate speech and the U.S. First Amendment. Recognizing the geographic limits of its own power (principle of territoriality) and the risk of conflict with the laws of other sovereign nations (international comity), the French court in the Yahoo! case limited its blocking order to users on French territory. Since the Yahoo! decision, ISP blocking orders in Europe have generally been limited to users in the territory where the court has jurisdiction.
Given the global scope of cloud computing and digital services, international law principles are easily forgotten. The European Commission’s amicus brief is a useful reminder that international law principles form an integral part of both EU and U.S. law and need to be weighed in any case involving cross-border data disputes.