CIOs and CSOs have some concerns about their enterprises storing data offshore, particularly in the U.S., over worries that there’s a risk sensitive corporate or customer data can’t be protected from government reach.
They often cite the Patriot Act, which gives law enforcement agencies there broad power to get after data. There are those — including respected former Ontario privacy commissioner Ann Cavoukian, who dismiss fears about the Patriot Act, arguing that U.S. authorities have many other (legal) ways of getting data held on American servers than that piece of legislation.
A prime example is going on now in New York, where the U.S. Justice department is in court arguing that Microsoft has to comply with an American court order and hand over email in a specified account stored on servers in Ireland. Microsoft has appealed the decision, which will be heard July 31.
As an article in Ars Technica notes, the implication of the government’s position is that U.S. law applies anywhere.
The piece quotes the Justice department arguing that the U.S. Constitution’s Fourth Amendment, which protects citizens against unlawful search and seizure, doesn’t apply in this case. The information wanted is not physical, but digital. In addition, the law under which the subpoena says Microsoft has to turn over the information doesn’t limit data that is held only within the United States.
That legislation (the Stored Communications Act, get familiar with it) “orders service providers to disclose records upon receipt of a warrant or other
appropriate legal instrument,” says the government in a court brief. “Nothing in the text or structure of the statute carves out an exception for records stored abroad, and none exists in precedent construing the scope of compulsory process.”
True the account is in Ireland, but, the Justice department argues, “all Microsoft account data, whether stored in the United States, the Dublin datacenter, or in any of Microsoft’s many other locations located throughout the world, are under the control of and readily available to Microsoft’s employees in the United States.
By the way, apparently an Irish lawyer on behalf of the courts there has written the American courts that instead of using a warrant to get the email, there’s a mutual legal assistance treaty between the two countries that could be used.
Privacy advocates complain that this is (another) example of the U.S. trying to impose a domestic law in a foreign country. Others say international law is vague on this and is still being sorted out.
The point is that CSOs trying to advise chief executives of risk have to take note of this case. Their advice should be that all data going offshore has to be encrypted.