Terrorist attacks, most recently in London and Manchester, England, have raised the pressure on law enforcement and lawmakers in countries like the U.K. and the U.S. to proactively intercept and interrupt terrorist communications. On May 24, members of the Senate Judiciary Committee’s Subcommittee on Crime and Terrorism addressed practical issues regarding warrants for overseas data in a hearing titled “Law Enforcement Access to Data Stored Across Borders.”
In the U.S., law enforcement efforts to obtain email communications have been limited by a case decided last summer by the U.S. Court of Appeals for the Second Circuit, Microsoft Corp. v. United States. There, the Second Circuit held that the Stored Communications Act did not allow the government to execute a warrant for data stored by a U.S. internet service provider on a server located in a foreign country. The court held that the Stored Communications Act, a law adopted in 1986 as part of the Electronic Communications Privacy Act (“ECPA”), does not apply extraterritorially. As we discussed in a New York Law Journal article last fall, the effect of the ruling is that the government cannot use a U.S. warrant to obtain electronic data held in a foreign country.
In the wake of Microsoft, the physical location of the server used to store electronic data has become a focal point in the debate over the appropriate restrictions on law enforcement’s ability to access data—especially data arbitrarily or strategically stored offshore by U.S.-based technology companies.
The Subcommittee on Crime and Terrorism’s May 24 hearing featured representatives from the Attorney General’s office, the U.K. government, the private sector (Microsoft), and academia. Senators and panelists raised a host of issues, but chief among them was the perceived absurdity that a U.S.-issued warrant, obtained by a U.S. enforcement agency on probable cause for the data of a U.S. citizen who is suspected of committing a crime in the U.S. against a U.S. victim, will not be honored by a U.S. ISP if that individual’s data happens to be stored on a server in Ireland (or anywhere other than the U.S.). In a world in which terrorism knows no borders, those facts are further magnified in the context of the internet age. Relevant electronic data can be stored almost anywhere, in multiple places, and can be moved at lightning speed.
Reforming the ECPA appears to have attracted strong bipartisan support. Senators participating in the hearing readily welcomed arguments that Congress should change the ECPA in a way that would (a) overturn Microsoft and return to the prior status quo, where warrants served on U.S. ISPs are honored even if the data is stored on a server located abroad, and (b) lift the restrictions in the ECPA that prevent U.S. ISPs from turning over data pursuant to foreign warrants (like those issued in the U.K.). The panel focused on the differences and similarities between data security laws in the U.S. and U.K., and in particular, discussed a proposed bilateral agreement between the countries that would essentially allow each country to honor the other’s search warrants. Senators asserted that information critical to preventing terrorist attacks can sometimes escape the reach of law enforcement simply by virtue of where the relevant electrons happen to reside.
It will be interesting to see whether lawmakers come together in a bipartisan manner to bring the ECPA in line with modern realities, and how they will attempt to balance the two critical, and sometimes competing, interests of privacy and security.