Last week, the United States Court of Appeals for the Second Circuit heard arguments in Microsoft’s litigation with the U.S. government over data stored in its Ireland data center. Cisco joined together with Verizon, HP, eBay, salesforce, and Infor to file an amicus (friend of the court) brief in support of Microsoft’s position. The Government of Ireland along with Apple, the ACLU, the Electronic Frontier Foundation, Fox News, and NPR also supported Microsoft’s argument.
The case turns on whether or not the U.S. government can serve a warrant at a location in the United States demanding access to data stored abroad. (The specific facts involve a warrant for the contents of a Hotmail account hosted in Ireland sought as part of a narcotics investigation).
The case is important to Cisco because it demonstrates our commitment to protecting European data privacy.
Here we are supporting the notion that Europeans who store data within their own region can rightfully claim the protections of their own laws against foreign (in this case U.S.) government demands for access.
The brief Cisco joined makes four arguments:
-
- There is a presumption against giving U.S. laws extraterritorial reach where Congress hasn’t explicitly expressed that intention or where the law would create significant conflicts of law with other countries. (Both are true here).
- Allowing the U.S. government to compel data from foreign storage locations would put U.S. providers in a bind—potentially subjecting them to civil and criminal liability abroad for complying with U.S. law.
- The U.S. government view would ignore Mutual Legal Assistance Treaties (MLAT) treaties, infringe on the sovereignty of Ireland, and empower foreign governments to compel access to data owned by American citizens and businesses.
- Even if the law allows the U.S. government to reach data in the possession and control of companies doing business in the United States, it should not reach data owned by Europeans who happen to be customers of such providers.
Important updates to U.S. laws that limit governmental access to electronic communications in criminal cases are needed. We are optimistic that a combination of decisions by U.S. courts and action by Congress can help create a modernized framework for protecting privacy and managing cross-border governmental data demands. We support codifying Electronic Communications Privacy Act (ECPA) reform so that U.S. law explicitly requires warrants for content stored in the cloud. Cisco also supports of a proposed legislative fix offered by U.S. Senators Hatch (R-UT), Heller (R-NV), and Coons (D-DE) called the LEADS Act, which would limit the reach of ECPA warrants obtained by U.S. law enforcement and update the MLAT process. These changes will allow governments to seek information necessary to investigate and prosecute crimes in an efficient manner without violating reasonable expectations of privacy—or trapping providers between competing legal requirements.
This week Cisco signed onto an amicus “friend of court” brief along with Amazon, Apple, and Microsoft in litigation between the U.S. Department of Justice (DOJ) and Google over data sought via a search warrant. The case is another in a series that turns on whether the Stored Communications Act (SCA also commonly referred to as ECPA) enables the U.S. government to demand access to data stored outside the territorial boundaries of the United States.
As noted in my blog from last year, Cisco previously signed briefs in support of Microsoft in litigation before the U.S. Court of Appeals for the Second Circuit in New York. In that case, Microsoft claimed and the Court agreed that:
1) The data demanded by DOJ was localized in a data center in Ireland;
2) SCA warrants are territorial in nature and cannot force a company to assist in retrieving data physically stored elsewhere in the world;
3) DOJ should have used a Mutual Legal Assistance Treaty (MLAT) to seek data from the Government of Ireland, which also supported the Microsoft view.
4) If Congress wants the law to reach data in foreign data centers, it must say so explicitly.
A magistrate judge in the current Google matter held that while the law may not have extraterritorial reach, the privacy invasion demanded by DOJ would actually occur in the US. By contrast, amicus brief supporters assert that when a provider can show that data does have a location and that this location is outside the US, then a search and seizure of that data would occur in a foreign territory. In such instances, the U.S. government should use an MLAT when demanding access because SCA warrants do not have extraterritorial reach. We argue that this is a function of how the current law was written by Congress. Therefore, only Congress is properly positioned to balance the needs of law enforcement against the risks that companies will be subject to conflicting legal requirements in different countries.