Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in International/EU Privacy, Privacy & Security Litigation

Unsurprisingly, U.S. Court Rules that Cloud Provider Must Produce Data Stored Abroad

On July 31, a U.S. District Court judge ruled from the bench that Microsoft could be forced to turn over customer emails in the context of a law enforcement investigation even though those emails were stored on servers located in Ireland.  Microsoft had contested the government’s request, arguing that the data was subject to Irish law and that the U.S. government was required to utilize law enforcement treaty channels to obtain the data.  Microsoft has appealed the ruling, which now will be heard by the Second Circuit court of appeals.

Since the ruling, I have had a number of conversations, mostly with lawyers located outside of the U.S., expressing surprise that the ruling gave such seemingly expansive jurisdiction to the U.S. government. But it shouldn’t come as a surprise to those who follow these issues, including readers of Hogan Lovells’ white papers on government access, that U.S. law enforcement can compel companies subject to its jurisdiction to produce data stored abroad, and that many other countries’ governments provide the exact same authority.

When deciding whether to issue a court order to enforce a government request that seeks the production of documents or data located abroad, U.S. courts historically have analyzed whether the domestic entity has sufficient “possession, custody, or control” over the documents or data at issue.  This analysis typically hinges on whether, viewing the totality of the circumstances, the domestic company has the practical ability to obtain the documents.  In sum, the long-standing test is “control, not location.”  In making this determination, the factors that U.S. courts have considered include:

  • the degree of ownership and control exercised over the foreign entity (such as whether the domestic entity is legally entitled to elect and/or give instructions to the foreign entity’s board; examine and approve the foreign entity’s reports and annual accounts; adopt the foreign entity’s bylaws; establish company-wide policies applicable to the foreign entity; or approve major business endeavors outside of the foreign entity’s normal course of business);
  • whether the entities operate as and observe the legal formalities of distinct companies, such as negotiating transactions on an arm’s length basis (as opposed to sharing managers or employees; having managers or employees of one entity report to the other; the foreign entity acting as an agent of the domestic entity; or the foreign entity primarily performing services for the domestic entity);
  • whether the domestic entity has a legal right to the documents at issue; and
  • whether the domestic entity has access to the foreign entity’s documents or data in the ordinary course of business.

In a scenario where a non-U.S. data center is operated by an entity that is under the effective control of an entity subject to U.S. jurisdiction, then the entity subject to U.S. jurisdiction typically cannot refuse to comply with the law enforcement request on the basis that the data is held in a data center located outside of the United States.

This approach was embodied in the April opinion of the lower Magistrate Judge in this case.  In that opinion, which was upheld by the July 31 District Court ruling, the Magistrate acknowledged that “it has long been the law” that a government request for information “requires the recipient to produce information in its possession, custody, or control regardless of the location of that information,” and that a “basic principle” of government investigations in the U.S. is that “an entity lawfully obligated to produce information must do so regardless of the location of that information.”

Other countries take a similar approach to these issues. In the 2012 Hogan Lovells white paper, A Global Reality: Governmental Access to Data in the Cloud, Hogan Lovells partners Winston Maxwell and Chris Wolf conducted a study of the laws a number of different countries across North America, Europe, and Asia, concluding that in the vast majority of those countries, if a Cloud provider operating within the country stores data on servers located in another country, the laws where the provider operates permit law enforcement there to require the Cloud provider to access and disclose the data stored elsewhere from terminals located within the country.  And just last month, Chris and I published Pan-American Governmental Access to Data in the Cloud, which drew similar conclusions about a number of Latin American countries.

All told, the two white papers examined the laws of 17 countries, concluding that 12 of the 17 countries allowed law enforcement to remotely access data stored in the Cloud located on servers in another country:  Australia, Brazil, Canada, Colombia, Denmark, France, Ireland, Mexico, Peru, Spain, the United Kingdom, and the United States.  Of the countries examined, only Argentina, Chile, Germany, Japan, and Panama’s laws do not permit the government to systematically demand data stored in the cloud extraterritorially without the cooperation of the foreign government where the data is stored.

It will be interesting to see how the Second Circuit rules on appeal.  It would be a shift in the law – although one that is possible upon appeal – for U.S. courts to hold that a company subject to jurisdiction in the U.S. (including non-U.S. entities) can avoid complying with a lawful U.S. government request where the data requested resides on an overseas server under that company’s control.  While there may be compelling policy reasons to limit a country’s ability to compel the production of information stored abroad, the reality is that most countries do not impose such limits, and so it should not come as a surprise that the U.S. is not unique in that regard.