Partner
Some of the more perplexing issues in our data-driven world are the questions of data localization and export – that is, where data should be stored and how it can be moved. Up until recently, data and computer-housed information has flowed cross-border without much hindrance. In general, companies store data wherever it is convenient to store the information and move it around at will. Those practices are coming under fire. For example, a new law in China requires personal data to be stored “domestically.” See here. But what does that really mean in a world of cloud storage?
In another example, the US Supreme Court is set to decide whether a US-issued warrant can compel a US-based company to disclose data stored on servers located outside of the US. Moreover, the EU’s new General Data Protection Regulation (“GDPR”) also tries to tackle this complicated issue. These are complex issues and every business, both small and large, needs skilled and experienced internet law attorneys to help. Here is a quick primer.
In the case of US v. Microsoft, the key issue is whether a US-issued warrant for information in a criminal case can be used to compel a US-based company, Microsoft, to provide copies of emails and other electronically-stored information housed on computers and servers located in Ireland. The underlying case concerns drug-trafficking. According to reports, Microsoft stores data on more than a million servers located in 40 countries. Given the constant flow of data and information, there is a legitimate question of where any given piece of data is located at any given moment. Is there truly a concept of “storage” or “stored”?
At the trial level in 2013, in response to the warrant, Microsoft tendered relevant emails that were stored on US-based servers, but sought to quash the warrant with respect to data stored on its Irish servers. Microsoft lost at the trial level, but the trial court was reversed by the Court of Appeals in Matter of Warrant Search Certain E-Mail, 829 F. 3d 197 (2nd Cir. 2016). See news report here.
The Court of Appeals held that, when enacting the federal Stored Communications Act (“SCA”), 18 U.S.C. §§ 2701 et seq., Congress did not intend the SCA to have extraterritorial applications. To quote the Court: “Having thus determined that the Act focuses on user privacy, we have little trouble concluding that execution of the Warrant would constitute an unlawful extraterritorial application of the Act.”
If the standard is “Congressional intent,” then Microsoft may win the case before the Supreme Court. Indeed, at the recent oral argument of the case, Justice Sonia Sotomayor asked why the court should not wait for Congress to resolve the issue. A proposed law called the CLOUD Act has been introduced in the Senate by, among others, Sen. Orrin Hatch (R-Utah). The proposed law would require production of stored data in response to a valid warrant even if it is held outside the US. The proposed language amending the SCA is this:
“A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody or control, regardless of whether such communication, record or other information is located within or outside of the United States.”
The proposed CLOUD Act would also allow companies to challenge application of the warrant where disclosure would place the company in violation of a foreign nation’s laws. As can be seen, the issue of data locatalizion and movement is complex.
In related news and adding another layer of complication, compliance deadlines are now going into effect for China’s Cybersecurity Law (“CSL”). The CSL took effect on June 1, 2017; compliance with various parts of CSL were deferred until various dates throughout 2018 and full compliance is required by December 31, 2018. With respect to cross-border data transfer and data storage, as reported here, Article 37 of the CSL states:
“Personal information and important data collected and generated by critical information infrastructure operators in the PRC [People’s Republic of China] must be stored domestically.”
The CSL states that where it is “truly necessary” due to “business requirements” that the data is provided outside of the mainland, companies must follow rules and procedures formulated by various Chinese State information and security assessment departments. Unfortunately, the rules and procedures for moving the stored data have not been promulgated. Obviously, companies in and companies doing business with China are concerned with how Chinese authorities will define “truly necessary” and “business requirements.” Compliance with the domestic storage of China-based data takes effect on December 31, 2018.
As might be expected, the EU’s new GDPR does not have a provision related to localization of data storage. Given the number of member states, that would be untenable. Likewise, given the linkages of the EU economy to the larger global economy, there is no within-EU data storage requirement.
With respect to data movement, in general, movement is free as long as the receiving nation or the exporting-receiving companies have sufficient standards for protecting the private, personal, and financial data. Thus, Article 44 of GDPR prohibits transfer of personal data to non-EU recipients unless the receiving country has laws providing adequate levels of protection for data (Article 45) or the data exporting-data receiving companies have appropriate, proper, and sufficient safeguards to protect the data from compromise (Article 46).
As noted above, every business handled private data. To handle current and future issues with data localization and data movement, a couple of simple steps should be taken now.
With these two steps taken, your business can begin to determine whether storage and movement comply with the applicable law(s).
If you need more information about data localization, cloud storage or data movement laws and requirements, contact the dedicated and experienced Internet law lawyers at Revision Legal, a new kind of law firm serving a data driven world. We can be reached by email or by calling us at 855-473-8474.
Tips To Avoid Data Breach Litigation
Online affiliate marketing is big business now. Affiliate marketing, of course, has been around for a long time. Basically, a business or a person agrees to promote and recommend a product, a brand of products, or even a whole business in exchange for various things of value. Generally, the affiliate does not actually sell the […]
Read more about The Dos and Don’ts of Online Affiliate Marketing
Yes, as long as the proposed trademark meets the other requirements for registration. U.S. trademark laws do not require that only the English language can be used for trademarks. However, whatever the language, trademarks must meet the legal requirements, including functionality, distinctiveness, uniqueness, etc. For example, every trademark must function as a trademark in that […]
Read more about Can I Trademark a Non-English Word or Phrase in the U.S.?
In a new ruling, a California federal judge has declared the entirety of California’s Age-Appropriate Design Code Act (“CAADCA”) to be unconstitutional. Cal. Civ. Code §§ 1798.99.28 et seq. See media report here and the Opinion here. The case is Netchoice, LLC. v. Bonta, Case No. 22-cv-08861-BLF (US N.Dist. Cal, March 13, 2025). The CAADCA […]
Read more about California’s Age-Appropriate Design Code Act Declared Wholly Unconstitutional