Leiden Security and Global Affairs Blog

Where are my data and why does that matter?

The competence of police, prosecutors and judges to conduct criminal investigations is geographically limited to the territory of their own country. But crime does not stop at the border. Neither does cyberspace, and neither do the digital data that can serve as evidence in a criminal investigation. Decades ago, mechanisms were set up to allow authorities from different countries to exchange evidence. These mechanisms are now gradually being adapted to the exchange of digital evidence, because digital evidence raises additional questions: how the data are stored, where the storage facilities are located, and who has jurisdiction over those data. Since many of the Internet-based companies used by EU citizens are American, this post zooms in on the cooperation between the competent authorities of EU member states and their counterparts in a third state.

Questions concerning data storage and jurisdiction were at the heart of a legal battle between Microsoft and the U.S. government. Microsoft refused to hand over email account data stored in its Irish data center in response to a probable-cause warrant issued by U.S. authorities.

The case went all the way to the U.S. Supreme Court. Although the parties agreed that the warrant as such did not apply outside U.S. territory, the central question was whether data stored on a server in Ireland but controlled by a U.S. company should be treated as located in Ireland or in the U.S. In other words: is it the physical location of the data that matters, or is control over the data the determining factor?

It should not be overlooked that the physical location of data is far from obvious once companies use cloud storage. A company's data storage then consists of a number of servers housed in a data center, potentially located abroad for reasons of a more favourable legal regime, security, or simply cost. Facebook and Google have servers in, among other places, the U.S. and Europe. In a case quite similar to the Microsoft case, Google declared that, to ensure the security and performance of its systems, stored data are cut up into chunks and spread over different data centers. The body of an email may thus sit on a European server while the attachment is on an American one. To complicate matters further, Google explained that the storage location of data chunks changes automatically: the location at the time an authority requests the data may differ from the location at the time the request is executed.

On 23 March 2018, the U.S. Congress passed a bill designed to settle the above questions concerning data location. The Clarifying Lawful Overseas Use of Data Act (fittingly known as the CLOUD Act) provides clarity for U.S.-based companies, which can now receive a warrant or subpoena from a U.S. authority for data they store anywhere in the world. As a result, the Supreme Court case mentioned above was declared moot. This means that a U.S. warrant can trigger the retrieval of data from a European-based server as long as the company is an American one.

The European Commission presented a similar legislative proposal on 17 April 2018, aimed at resolving the conflicts of law that arise when cross-border production orders for data are served on companies in third states whose national law does not allow them to transfer the data. The proposed regulation on electronic evidence would apply to service providers offering services in the EU, which can include U.S. companies, and introduces a right for the company to object to the data transfer, followed by judicial review. Under that model, when Microsoft receives a U.S. warrant for data sitting on its Irish server, it should comply unless Irish law prohibits it from doing so; in that case a court would decide.

Even though the EU regulation is still only a proposal, both the EU and the U.S. are adapting their laws to a new reality. With digital data being notoriously "un-territorial" (a fitting term coined by Jennifer Daskal) while criminal law and procedure remain organized along territorial lines, these new questions force legislators to rethink the traditional organization of criminal justice and to offer clarity to the players in this field.