The EU General Data Protection Regulation is now a fully functioning six-month old creature, which has brought with it significant evolutionary changes. One of the most notable innovations of the new European data protection framework is its ambitious extra-territorial application. The introduction of brand new grounds for the applicability of the law was a major development. As a result, and as essential as this is, the GDPR’s territorial scope of application has become one of the most difficult issues to pin down. Therefore, the publication of the European Data Protection Board’s draft guidelines on the territorial scope of the GDPR marks an important milestone in understanding the implications of this influential framework.
A three-judge panel of the U.S. Court of Appeals for the Second Circuit today unanimously reversed a lower court’s denial of Microsoft’s motion to quash a warrant seeking the content of emails for a customer of its Outlook.com email service. The decision is surprising in that that U.S. courts, including the Second Circuit, have traditionally enforced government process seeking documents or data stored abroad from entities that have control over the information under the test of “control, not location.” This case could have a significant impact on cloud providers’ decisions to store information abroad. It also serves, in the midst of debates about the newly enacted Privacy Shield and the recent challenge to Standard Contractual Clauses now before the Court of Justice of the European Union, as a counterbalance to arguments that some make about the U.S. legal system not respecting personal privacy.