A Philadelphia court has made the unfortunate decision to reopen the legal debate on whether the US has the right to access emails stored on foreign servers if they belong to US companies. If Magistrate Thomas Rueter’s ruling stands, anyone using US-based internet companies will have to live with the knowledge that, as far as the US government is concerned, it’s America wherever they operate.
That’s a dangerous approach that hurts the international expansion of US tech companies. Privacy-minded customers in Europe are already suspicious of the US government’s cooperation with the tech giants, revealed by National Security Agency leaker Edward Snowden. Nationalist politicians in some countries -- for example, Marine Le Pen of the French National Front -- want to ban cross-border personal data transfers, arguing that such data must be stored on servers inside the internet user’s country. That, however, does not appear to guarantee that the US won’t get at it, either.
Last July, Microsoft won a landmark case against the US government, in which it argued it didn’t have to hand over emails stored on a server in Dublin to investigators working on a drug case. The US Court of Appeals for the Second Circuit agreed with the corporation, ruling that the US Congress never meant the Stored Communications Act to apply extraterritorially. Just two weeks ago, the court allowed the ruling to stand. The government may yet appeal it to the Supreme Court, but in the meantime, US internet companies have assumed that if communications are stored abroad, they are out of the US authorities’ reach.
Acting on that understanding, Google refused to disclose two users’ data to the Federal Bureau of Investigation, and the FBI went to court in Philadelphia. Unlike Microsoft, Google doesn’t even know the physical location of a file: its artificial intelligence-based system constantly optimizes storage, so bits of one file can be stored in several geographic locations at once.
Judge Rueter refused to be bound by the Microsoft precedent. In his ruling, he disagreed with it, arguing that as long as an American Google employee gets the data using a computer located in the US, nothing extraterritorial is taking place: “When Google produces the electronic data in accordance with the search warrants and the Government views it, the actual invasion of the account holders’ privacy -- the searches -- will occur in the United States.”
Within that logic, any information, public or private, that the US government can locate using computers on US territory is fair game. And if the logic applies, the European Union wasted its time last year as it tried to establish an acceptable privacy standard for US companies operating in Europe.
A new framework for these companies became necessary after the European Court of Justice struck down the EU’s so-called safe harbor agreement with the US, which allowed internet companies to shuttle personal data back and forth between the two jurisdictions based on an understanding that the US provided adequate protection for users’ privacy. The so-called Privacy Shield, which replaced the “safe harbor” arrangement, is still pretty permissive, allowing companies to self-certify their commitment to user privacy, but it simplifies redress and gives European data privacy authorities more power over cross-border communication. If, however, the US decides that it can just take the data from foreign servers, the new agreement will be rendered meaningless.
For US companies, this will mean a need to invent new private arrangements to protect European customers, the kind Microsoft proposed in 2015. It appointed Deutsche Telekom “data trustee” for two data centers in Germany, making it impossible for anyone, including Microsoft itself, to obtain any information from the servers without the permission of the trustee and, ultimately, the client. Such tricks, however, may not stand up in US courts, if other judges agree with Rueter.
The US Supreme Court will probably have to take a stand on the issue: Google has already decided to appeal Rueter’s ruling, and now that there are conflicting precedents, the government, too, will definitely want to pursue the battle to the bitter end.
Waiting for a decision, millions of foreigners must decide whether to cut their losses in this front of the online privacy wars: It may no longer be OK to expose their lives to US corporations.
Those who are uneasy about the degree of the US government’s reach into their private files and communications need to start thinking about alternatives, no matter how hard it may be to replace Google, Microsoft or Facebook.
As the US becomes more hostile toward foreigners under President Donald Trump, there’s no telling why the US government may be asked to collect information. Some travelers to the US are already being asked to reveal their social network histories in a broad search for terrorist connections. What if the government didn’t even have to ask?
By Leonid Bershidsky
Leonid Bershidsky is a Bloomberg View columnist. –Ed.