The Stored Communications Act, Extraterritoriality, and the Uncertain Future of U.S. Cloud Service Providers

Created on July 1, 2014

By: Scott Giordano, Esq.

Scott Giordano
Scott Giordano, Esq.

Should the U.S. government be able to compel U.S.-based cloud service providers to turn over electronically stored information (ESI) on servers located overseas with a warrant? At the moment, the answer seems to be “yes,” something that threatens their viability. On April 25 of this year, U.S. Magistrate Judge James C. Francis IV determined that the Stored Communications Act (“SCA”) did not prevent extraterritorial application of a warrant issued by the U.S. government upon a server owned by Microsoft and located in Ireland. He reasoned that although the order is a warrant in name, it functions much like a subpoena, and as such is not subject to the SCA’s requirements that government agencies must obtain a search warrant. Microsoft has appealed and Chief Judge Loretta A. Preska is scheduled to hear the matter at the end of July. Several companies, including Apple, AT&T, and Verizon, have filed amici briefs.

The SCA was passed as part of the Electronic Communications Privacy Act (“ECPA”) in 1986 in response to abuse by law enforcement agencies during searches and seizures of electronic information. Readers of this blog are likely familiar with the SCA given that it prevents litigants from serving third-party subpoenas upon telecommunications companies such as Verizon or T-Mobile (“electronic communication service” (ECS) providers, in ECPA parlance) or internet service providers, such as Microsoft or Google. Government agencies are required, for the most part, to get a warrant in order to compel disclosure of the contents of an ECS’s subscriber (the ECPA has many subtleties and intricacies, and so I’m simplifying here). Warrants cannot be applied extraterritoriality, given that prospect of conflict with foreign governments, so Judge Francis sidestepped this requirement by stating that it functions as a warrant/subpoena hybrid, obtained through a showing of probable cause and executed like a subpoena, compelling production of data in the recipient’s “possession, custody, or control regardless of the location of that information.”

Cloud SCAWhile Judge Francis may have articulated a reasonable interpretation (the ECPA has not been updated since its passage and presents difficulty in applying today), I believe he has missed the larger picture. One of the major benefits of cloud computing is the ability to dynamically add storage space without reference to a specific geography—space on different servers can be transparently combined to form one hard drive. Today, so much personal and institutional data is stored on servers far away from the data owners’ premises that a subpoena is now effectively a search warrant, and should be treated like one with respect to extraterritorial application. It’s a prime example of how our legal system has not kept up with changes in technology, and it poses a substantial risk to the ability of U.S. to compete in the global marketplace. Simply put, if foreign organizations and nationals cannot trust that U.S. companies will protect their data, they’ll take their business elsewhere. This isn’t a theoretical problem, either; just recently, the government of Germany declined to renew their contract with Verizon Communications as a result of last year’s revelations of spying by the U.S. government. Those revelations put the U.S. Safe Harbor program for transfer of ESI from the EU to the U.S. in jeopardy, a program that had previously been derided by EU data protection authorities as too weak, and Judge Francis has now added fuel to the fire. In fact, upcoming changes to data protection in the EU may well end the program. We can only hope that, until Congress can address the vagaries of the ECPA and bring it up to date, Judge Preska can offer some breathing room to U.S.-based cloud service providers. Given the pace at which the global economy is moving to cloud services, their ability to compete will depend on it.

Scott Giordano is corporate technology counsel for Exterro. An experienced attorney with more than 16 years of legal, technology and risk management consulting experience, Giordano serves as Exterro’s subject matter expert on the intersection of law and technology as it applies to e-discovery, information governance, compliance and risk management issues.