Bringing the law into the internet era.
On Monday, the Supreme Court announced that it will be taking up a case that will determine the reach of government when issuing warrants for information not held in the United States. Specifically, the Court agreed to address the issue of whether a warrant served to an American company requires it to turn over data stored in another country. The case has substantial implications for privacy and the continued migration to cloud-computing, where information tends to ignore traditional borders.
The internet poses a host of challenges with respect to privacy, and the nation’s laws desperately need updating to reflect current practices. The cyberworld is dynamic and in a constant state of transformation. Sadly, laws and regulations have not kept pace with the internet’s evolution, and, more often than not, we are stuck with laws aimed at yesterday’s problems rather than today’s realities. For example, the major law governing privacy and the government’s ability to access personal data online — the Electronic Communications Privacy Act — was written in 1986, when most Americans did not own a cell phone and most people had never even heard of email.
Today, Congress is struggling to modernize outdated laws that are ill-suited for today’s digital world. The Electronic Communications Privacy Act, in particular, sorely needs an upgrade. Yet the global increase in terrorism and the rise of international criminal activity has made reform difficult and slow-going as questions of criminal activity and national security are balanced against questions of privacy. And now, the Supreme Court is weighing in, not only to clarify the reach of warrants, but also in another case it has agreed to hear, where it will address whether a warrant is required for data that provides the location of cell phone users.
In the case involving warrants for data stored abroad , American law enforcement officials served Microsoft with a warrant to turn over personal data stored on a server in Ireland. The company partially complied with the warrant by providing some non-content data that was stored on servers in the United States. But Microsoft objected to the extraterritorial aspects of the warrant and refused to turn over data that was on the servers in Ireland. Typically, without explicit authorization from Congress, warrants cannot reach beyond the nation’s borders. The issue wound up in court, where a federal judge in New York sided with the government and held Microsoft in contempt for not providing the data from the server in Ireland. On appeal, however, the lower court ruling was overturned. The Second District Court of Appeals noted that “warrants traditionally carry territorial limitations” (page 5). And now, at the urging of the Department of Justice, the Supreme Court will review the case, with a decision expected in June.
This uncertainty casts shadows that make American firms less competitive in the global market for cloud computing. And it raises concerns about “data localization,” a practice that could impede the global flow of data. Not only in the United States, but across the globe, policymakers are considering a host of different policies that would tether data to the country of its origin, drastically reducing the efficient exchange of information across the world. Should the court determine that an American company must divulge data even if stored in another country, other countries may reciprocate, demanding data held in the United States — even data held by Americans.
The resulting complexity and confusion would change the internet for the worse. Ultimately, more than a judicial interpretation of existing law is required. Indeed, appeals court Judge Gerard E. Lynch noted as much in his concurring opinion (page 20):
Although I believe that we have reached the correct result as a matter of interpreting the statute before us, I believe even more strongly that the statute should be revised, with a view to maintaining and strengthening the Act’s privacy protections, rationalizing and modernizing the provisions permitting law enforcement access to stored electronic communications and other data where compelling interests warrant it, and clarifying the international reach of those provisions after carefully balancing the needs of law enforcement (particularly in investigations addressing the most serious kinds of transnational crime) against the interests of other sovereign nations.
Some in Congress have noted these concerns and have drafted legislation to address the problem. The International Communications Privacy Act (ICPA) has been introduced in both the House and Senate to modernize our privacy laws for the global web economy. ICPA seeks to address privacy concerns while also establishing procedures for legitimate law enforcement needs to access data that may be stored anywhere in the world.
First, ICPA requires a warrant for any content sought by law enforcement, even emails that are more than 180 days old. This updates previous law and removes the arbitrary distinction that allowed unwarranted searches on older data. It also establishes a transparent process for law enforcement officials to request information about U.S. citizens regardless of where the data is stored. The legislation also reforms the current Mutual Legal Assistance Treaty process, which allows law enforcement officials to seek information across borders. Additionally, the process will be more transparent through a new publication by the Department of Justice that includes information on the number of MLAT requests made by the Department of Justice, and the number of MLAT requests to the Department of Justice from foreign governments, as well as the time it takes to process these requests both by the U.S. and by foreign governments.
Our current laws on privacy need an update, especially in a borderless world of cloud computing. The Supreme Court has agreed to review the law, but the law itself is outdated. It will be the job of Congress to revisit and revamp our laws for today’s online world. ICPA is one part of this process and an important step toward privacy protection for today’s internet.