BERLIN: A Philadelphia court has made the unfortunate decision to reopen the legal debate on whether the US has the right to access e-mails stored on foreign servers if they belong to US companies. If Magistrate Thomas Rueter’s ruling stands, anyone using US based internet companies will have to live with the knowledge that, as far as the US government is concerned, it’s America wherever they operate.
That’s a dangerous approach that hurts the international expansion of US tech companies. Privacy-minded customers in Europe are already suspicious of the US government’s cooperation with the tech giants, revealed by National Security Agency leaker Edward Snowden. Nationalist politicians in some countries want to ban cross-border personal data transfers.
Last July, Microsoft won a landmark case against the US government, in which it argued it didn’t have to hand over e-mails stored on a server in Dublin to investigators working on a drug case. The US Court of Appeals for the Second Circuit agreed with the corporation, ruling that the US Congress never meant the Stored Communications Act to apply extra territorially.
Just two weeks ago, the court allowed the ruling to stand. US internet companies have assumed that if communications are stored abroad, they are out of the US authorities’ reach.
Acting on that understanding, Google refused to disclose two users’ data to the Federal Bureau of Investigation, and the FBI went to court in Philadelphia. Unlike Microsoft, Google doesn’t even know the physical location of a file: its artificial intelligencebased system constantly optimises storage.
Judge Rueter refused to be bound by the Microsoft precedent. In his ruling, he said : “When Google produces the electronic data in accordance with the search warrants and the Government views it, the actual invasion of the account holders’ privacy -the searches -will occur in the United States.“ Within that logic, any information, public or private, that the US government can locate using computers on US territory is fair game. And if the logic applies, the European Union wasted its time last year as it tried to establish an acceptable privacy standard for US companies operating in Europe.
A new framework for these companies became necessary after the European Court of Justice struck down the EU’s so-called safe harbour agreement with the US, which allowed internet companies to shuttle personal data back and forth between the two jurisdictions based on an understanding that the US provided adequate protection for users’ privacy.
The so-called Privacy Shield is still pretty permissive, allowing companies to self-certify their commitment to user privacy, but it simplifies redress and gives European data privacy authorities more power over cross-border communication.
US court may snatch privacy rights on Facebook, Google data
If, however, the US decides that it can just take the data from foreign servers, the new agreement will be rendered meaningless. For US companies, this will mean a need to invent new private arrangements. It appointed Deutsche Telekom “data trustee“ for two data centres in Germany, making it impossible for anyone to obtain any information from the servers without the permission of the trustee and, ultimately, the client.Such tricks, however, may not stand up in US courts, if other judges agree with Rueter.
The US Supreme Court will probably have to take a stand on the issue.
Waiting for a decision, millions of foreigners must decide whether to cut their losses in this front of the online privacy wars: It may no longer be OK to expose their lives to US corporations.