Data Localization and Export: Upcoming SCOTUS Microsoft Decision

Some of the more perplexing issues in our data-driven world are the questions of data localization and export – that is, where data should be stored and how it can be moved. Up until recently, data and computer-housed information has flowed cross-border without much hindrance. In general, companies store data wherever it is convenient to store the information and move it around at will. Those practices are coming under fire. For example, a new law in China requires personal data to be stored “domestically.” See here. But what does that really mean in a world of cloud storage?

In another example, the US Supreme Court is set to decide whether a US-issued warrant can compel a US-based company to disclose data stored on servers located outside of the US. Moreover, the EU’s new General Data Protection Regulation (“GDPR”) also tries to tackle this complicated issue. These are complex issues and every business, both small and large, needs skilled and experienced internet law attorneys to help. Here is a quick primer.

Data Localization: Microsoft Case and Proposed New Laws

In the case of US v. Microsoft, the key issue is whether a US-issued warrant for information in a criminal case can be used to compel a US-based company, Microsoft, to provide copies of emails and other electronically-stored information housed on computers and servers located in Ireland. The underlying case concerns drug-trafficking. According to reports, Microsoft stores data on more than a million servers located in 40 countries. Given the constant flow of data and information, there is a legitimate question of where any given piece of data is located at any given moment. Is there truly a concept of “storage” or “stored”?

At the trial level in 2013, in response to the warrant, Microsoft tendered relevant emails that were stored on US-based servers, but sought to quash the warrant with respect to data stored on its Irish servers. Microsoft lost at the trial level, but the trial court was reversed by the Court of Appeals in Matter of Warrant Search Certain E-Mail, 829 F. 3d 197 (2nd Cir. 2016). See news report here.

The Court of Appeals held that, when enacting the federal Stored Communications Act (“SCA”), 18 U.S.C. §§ 2701 et seq., Congress did not intend the SCA to have extraterritorial applications. To quote the Court: “Having thus determined that the Act focuses on user privacy, we have little trouble concluding that execution of the Warrant would constitute an unlawful extraterritorial application of the Act.”

If the standard is “Congressional intent,” then Microsoft may win the case before the Supreme Court. Indeed, at the recent oral argument of the case, Justice Sonia Sotomayor asked why the court should not wait for Congress to resolve the issue. A proposed law called the CLOUD Act has been introduced in the Senate by, among others, Sen. Orrin Hatch (R-Utah). The proposed law would require production of stored data in response to a valid warrant even if it is held outside the US. The proposed language amending the SCA is this:

“A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody or control, regardless of whether such communication, record or other information is located within or outside of the United States.”

The proposed CLOUD Act would also allow companies to challenge application of the warrant where disclosure would place the company in violation of a foreign nation’s laws. As can be seen, the issue of data locatalizion and movement is complex.

Data Localization: China’s Cybersecurity Law

In related news and adding another layer of complication, compliance deadlines are now going into effect for China’s Cybersecurity Law (“CSL”). The CSL took effect on June 1, 2017; compliance with various parts of CSL were deferred until various dates throughout 2018 and full compliance is required by December 31, 2018. With respect to cross-border data transfer and data storage, as reported here, Article 37 of the CSL states:

“Personal information and important data collected and generated by critical information infrastructure operators in the PRC [People’s Republic of China] must be stored domestically.”

The CSL states that where it is “truly necessary” due to “business requirements” that the data is provided outside of the mainland, companies must follow rules and procedures formulated by various Chinese State information and security assessment departments. Unfortunately, the rules and procedures for moving the stored data have not been promulgated. Obviously, companies in and companies doing business with China are concerned with how Chinese authorities will define “truly necessary” and “business requirements.” Compliance with the domestic storage of China-based data takes effect on December 31, 2018.

Data Localization: EU’s GDPR

As might be expected, the EU’s new GDPR does not have a provision related to localization of data storage. Given the number of member states, that would be untenable. Likewise, given the linkages of the EU economy to the larger global economy, there is no within-EU data storage requirement.

With respect to data movement, in general, movement is free as long as the receiving nation or the exporting-receiving companies have sufficient standards for protecting the private, personal, and financial data. Thus, Article 44 of GDPR prohibits transfer of personal data to non-EU recipients unless the receiving country has laws providing adequate levels of protection for data (Article 45) or the data exporting-data receiving companies have appropriate, proper, and sufficient safeguards to protect the data from compromise (Article 46).

Two General Steps to Take Now

As noted above, every business handled private data. To handle current and future issues with data localization and data movement, a couple of simple steps should be taken now.

Audit and inventory the personal and consumer data. Identify where physically the data is stored.
Audit and identify circumstances in which the various data is transferred cross-border.

With these two steps taken, your business can begin to determine whether storage and movement comply with the applicable law(s).

Internet Law Attorneys: Contact Revision Legal

If you need more information about data localization, cloud storage or data movement laws and requirements, contact the dedicated and experienced Internet law lawyers at Revision Legal, a new kind of law firm serving a data driven world. We can be reached by email or by calling us at 855-473-8474.