Google is planning to appeal a ruling made Friday that it must comply with search warrants involving customer data stored on servers outside of the United States. The case is similar to an earlier case involving Microsoft. In July 2016, the 2nd U.S. Circuit Court of Appeals in New York said Microsoft could not be forced to turn over emails stored on a server outside of the US. Now, however, Magistrate Judge Thomas Rueter in Philadelphia has taken the opposite view with Google.
Both cases involve search warrants issued under the 1986 Stored Communications Act (SCA). Microsoft was also initially ordered to comply. It appealed, and eventually Judge Susan Carney of the appeals court said that the SCA does not give US courts authority to force internet companies in the United States to seize customer email contents stored on foreign servers. At the time, Microsoft chief legal officer Brad Smith said, “It makes clear that the US Congress did not give the US Government the authority to use search warrants unilaterally to reach beyond US borders.”
Google expected this precedent to be upheld in its own refusal to comply with a similar search warrant. The government’s key argument is that no search is undertaken on foreign soil — the data is lawfully brought back to the US, and the search is lawfully conducted within the US. For Microsoft, this argument was rejected; but for Google it has been accepted.
“Though the retrieval of the electronic data by Google from its multiple data centers abroad has the potential for an invasion of privacy, the actual infringement of privacy occurs at the time of disclosure in the United States,” Rueter wrote.
Google has said it will appeal the ruling. “The magistrate in this case departed from precedent, and we plan to appeal the decision. We will continue to push back on overbroad warrants,” it said in a statement.
If the appeal process fails, the case could have serious implications for US/EU business relations. EU data protection laws prevent the export of European personal information to any country that does not have adequate (that is, equivalent) data protection laws. That exclusion would include the US were it not for the special agreement known as Privacy Shield. It is the Privacy Shield that allows US tech giants such as Google and Facebook to operate in Europe; but it also allows any US commercial business to trade with the European Union.
Many commentators believe that Privacy Shield will fail European constitutional examination. It currently exists largely because of the political will on both sides to make it exist; but that will is already being eroded by new President Trump’s apparent isolationism and support for US law enforcement.
Speaking to SecurityWeek about the effect that President Trump’s executive order titled ‘Enhancing Public Safety in the Interior of the United States’ might have on Privacy Shield, David Flint (a senior partner at the MacRoberts law firm) commented, “It is unclear at this stage…” But he also added, “The more concerning issue for Privacy Shield is that there is a possible carve out for national security and similar issues and it remains unclear as to the extent that the new Administration will seek to define all foreigners’ PII as ‘a security issue’.”
Privacy Shield, he explained, “is a complex interconnected matrix of law, policy and ‘comfort letters’; absent any of these three legs, it is likely that some national data protection authorities may consider that there is no longer confidence in the implementation of that matrix (of which many were skeptical) and declare the US as having inadequate protection – now, and certainly after GDPR implementation.”
Poland-based privacy consultant Alexander Hanff was more forthright. “Trump’s Executive Order has accelerated the demise of a transatlantic lie – a lie which would have been exposed eventually by the CJEU [the Court of Justice, Europe’s ultimate constitutional court] anyway; a lie which circumvents the constitutional rights of EU Citizens.”
With such concern over an executive order that does not directly deal with European PII, it is difficult to see how US government access to European data directly from US companies — especially when the data may be physically stored in Europe — can withstand a legal challenge in the European courts. It is fair to say that in the current climate, if Google is forced to hand over foreign data on the basis of a search warrant, it could prove the end of Privacy Shield. Search warrants and the FBI could be as toxic to Privacy Shield as Prism and the NSA were to its predecessor Safe Harbor.