Sen. Orrin Hatch Proposes Changes to Obtaining Data Stored Abroad
The Justice Department, Microsoft, and Ireland are still locked in a showdown over which country's laws control the fairly common modern situation of a company's data being physically stored abroad.
Ars Technica reports that Sen. Orrin Hatch (R-Utah) plans to reintroduce the Law Enforcement Access to Data Stored Abroad Act, which would limit the government's ability to access foreign-stored data.
Let's Fix Those ECPA Problems
Hatch already introduced the bill in September, The Hill reports, but once the 113th Congress ended, any unsigned bills automatically died and had to be reintroduced. The previous version of the bill would have amended the Electronic Communications Privacy Act to require the government to obtain a warrant for all electronically stored communications. Currently, ECPA allows the government to use a subpoena to get data that have been in storage for more than 180 days.
Hatch's bill would prevent the government from compelling a storage provider to turn over data stored in a foreign country unless the provider was a U.S. corporation. The provider would be able to object to the warrant on the ground that compelling production would violate the laws of the country in which the data are located.
A Little Help for Microsoft
The legislation is a fairly direct response to the Justice Department's (so far successful) attempts to get Microsoft to turn over data that's stored in a Microsoft-controlled data center in Ireland. Microsoft insists that turning over the data would violate Irish law, but the Justice Department says that doesn't matter because Microsoft is the one in control of the data.
My initial reaction to this issue last year was: "Who cares? Obviously the physical location of the data don't matter. They're still under Microsoft's exclusive control." But of course, if the tables were turned, things would be different. Imagine if the Chinese government demanded information stored in the United States by an American branch of a Chinese corporation. All of us in the blogging world would laugh at the idea that China could make such a demand. The Justice Department is asking for the same authority.
Even if the subpoena were for paper documents, which can't be shuttled around the world with the ease of digital information, the result would be the same: Sure, a court could order the company to produce the documents, but those documents would be subject to privacy laws of the foreign country. As the New York Law Journal observed in 2011, a party enforcing an order to remove documents from the UK would be subject to the UK's Data Protection Act.
Hatch's bill seems like it strikes that balance between law enforcement and the logistical problems of negotiating different countries' data privacy laws.
Related Resources:
- Neither Warrants nor Subpoenas Should Reach Data Stored Outside the US (Center for Democracy and Technology)
- 5 Reasons Microsoft's Battle to Protect Cloud Data Matters (FindLaw's Technologist)
- Fitbits, Wearable Tech, and the Impending E-Discovery Deluge (FindLaw's Technologist)
- The ECPA is So Bad Republicans, ACLU, Unify to Fix It (FindLaw's Technologist)