BERLIN – A Philadelphia court has made the unfortunate decision to reopen the legal debate on whether the United States has the right to access emails stored on foreign servers if they belong to U.S. companies.
If Magistrate Thomas Rueter’s ruling stands, anyone using U.S.-based internet companies will have to live with the knowledge that, as far as the U.S. government is concerned, it’s America wherever they operate.
That’s a dangerous approach that hurts the international expansion of U.S. tech companies. Privacy-minded customers in Europe are already suspicious of the U.S. government’s cooperation with the tech giants, revealed by National Security Agency leaker Edward Snowden. Nationalist politicians in some countries — for example, Marine Le Pen of the French National Front — want to ban cross-border personal data transfers, arguing that such data must be stored on servers inside the internet user’s country. That, however, does not appear to guarantee that the U.S. won’t get at it, either.
Last July, Microsoft won a landmark case against the U.S. government, in which it argued it didn’t have to hand over emails stored on a server in Dublin to investigators working on a drug case.
The U.S. Court of Appeals for the Second Circuit agreed with the corporation, ruling that the U.S. Congress never meant the Stored Communications Act to apply extraterritorially. Just two weeks ago, the court allowed the ruling to stand. The government may yet appeal it to the Supreme Court, but in the meantime U.S. internet companies have assumed that if communications are stored abroad, they are out of the U.S. authorities’ reach.
Acting on that understanding, Google refused to disclose two users’ data to the FBI, which went to court in Philadelphia. Unlike Microsoft, Google doesn’t even know the physical location of a file: Its artificial intelligence-based system constantly optimizes storage, so bits of one file can be stored in several geographic locations at once.
Judge Rueter refused to be bound by the Microsoft precedent. In his ruling, he disagreed with it, arguing that as long as an American Google employee gets the data using a computer located in the U.S., nothing extraterritorial is taking place: “When Google produces the electronic data in accordance with the search warrants and the Government views it, the actual invasion of the account holders’ privacy — the searches — will occur in the United States.”
Within that logic, any information, public or private, that the U.S. government can locate using computers on U.S. territory is fair game. And if the logic applies, the European Union wasted its time last year as it tried to establish an acceptable privacy standard for U.S. companies operating in Europe.
A new framework for these companies became necessary after the European Court of Justice struck down the EU’s so-called safe harbor agreement with Washington, which allowed internet companies to shuttle personal data back and forth between the two jurisdictions based on an understanding that the U.S. provided adequate protection for users’ privacy.
The so-called Privacy Shield, which replaced the “safe harbor” arrangement, is still pretty permissive, allowing companies to self-certify their commitment to user privacy, but it simplifies redress and gives European data privacy authorities more power over cross-border communication. If, however, the U.S. decides that it can just take the data from foreign servers, the new agreement will be rendered meaningless.
For U.S. companies, this will mean a need to invent new private arrangements to protect European customers, the kind Microsoft proposed in 2015. It appointed Deutsche Telekom “data trustee” for two data centers in Germany, making it impossible for anyone, including Microsoft itself, to obtain any information from the servers without the permission of the trustee and, ultimately, the client. Such tricks, however, may not stand up in U.S. courts, provided other judges agree with Rueter.
The U.S. Supreme Court will probably have to take a stand on the issue: Google has already decided to appeal Rueter’s ruling, and now that there are conflicting precedents, the government, too, will definitely want to pursue the battle to the bitter end.
Waiting for a decision, millions of non-U.S. citizens must decide whether to reduce their losses in this front of the online privacy wars: It may no longer be expedient to expose their lives to U.S. corporations.
Those who are uneasy about the degree of the U.S. government’s reach into their private files and communications need to start thinking about alternatives, no matter how hard it may be to replace Google, Microsoft or Facebook.
As the U.S. becomes more hostile toward foreigners under President Donald Trump, there’s no telling why the U.S. government may be asked to collect information. Some travelers to the U.S. are already being asked to reveal their social network histories in a broad search for terrorist connections. What if the government didn’t even have to ask?
Leonid Bershidsky is a Bloomberg View columnist. He was the founding editor of the Russian business daily Vedomosti and founded the opinion website Slon.ru.
In a time of both misinformation and too much information, quality journalism is more crucial than ever.
By subscribing, you can help us get the story right.