Data Protection

US Authorities granted power to search foreign servers

07 May 2014

3 min read

Last week a district judge in New York ruled that US authorities can access and search through electronic data stored by US companies on servers based outside the US.

During proceedings, Microsoft pleaded the territorial limitations of a warrant issued to it by US law enforcement in respect of data held by the company on servers based in Ireland. The district judge, however, referred to the nature of the warrant in question, as well as to the practical implications of Microsoft’s arguments, in rejecting this plea.

The technology mogul claimed that the powers granted to US authorities to search and seize data stored by US companies in virtue of a warrant in virtue of the provisions of the Stored Communications Act (SCA) do not extend beyond the “territorial limits of the United Stated”.

Judge James Francis, however, said that the ‘warrant’ contemplated by the SCA is not a conventional warrant, but is a hybrid: part search warrant and part subpoena. It is obtained like a search warrant, however it is executed like a subpoena, that is, it is served on the ISP in possession of the relevant information and does not involve physical access to the premises of the ISP or seizure of the relevant e-mail account in question by government agents.

The district judge continued that “it has long been the law that a subpoena requires the recipient to produce information in its possession, custody, or control regardless of the location of that information”.

He went on to remark on the practical difficulties which arise from Microsoft’s arguments. Accepting that the provisions of the SCA impose territorial restrictions on the power of US authorities to obtain information located outside the US would mean that the authorities would have to rely solely on mutual legal assistance treaties to obtain such information. This would entail a slow and laborious process, which may be ultimately unsuccessful in the event of the other country’s refusal to provide the requested information.

It was concluded that “[t]he practical implications thus make it unlikely that the Congress intended to treat [an SCA warrant] as a warrant for the search of premises located where the data is stored.” Thus, an SCA warrant is not subject to same territorial restrictions as a conventional search warrant.

This judgement comes hot on the heels of the recent data protection debate in Europe. In an effort to placate concerns regarding the privacy of private data, Microsoft expressed its intention earlier this year to offer businesses a chance to store their data on servers based outside the US. In light of the recent district court judgement, however, this offers little comfort insofar as the perceived threat to such privacy emanates from US authorities in possession of an SCA warrant.

For information relating to your obligations as a data processor, and for assistance in relation to notification with the Malta Data Protection Commissioner, kindly contact us here.