Republicans and Democrats in Congress have a hard time agreeing on anything.  But, they might concur that it is not appropriate for law enforcement officials to order a cloud services provider to turn over customer data stored in another country without that country’s permission.

In December 2013, a federal district court judge in New York issued a warrant to Microsoft directing the company to produce all emails and other private information associated with an individual customer account, which happened to be stored in a data center in Ireland.  Law enforcement officials claimed that the 1986 Stored Communications Act, which was enacted long before global internet communications and email existed, permitted the issuance of a warrant for this information regardless of its location.

The Stored Communications Act was included in the Electronic Communications Privacy Act.  Both laws are seriously outdated and need to be modernized to comply with today’s cloud services technology.  But, they are currently the only tools available to law enforcement to compel technology companies to release consumer data. 

Documents and other digital “papers” stored in the cloud or online in other ways did not exist when these laws were enacted.  As a result, courts have struggled to apply the Fourth Amendment’s protections against unreasonable searches and seizures to such information.  Extraterritoriality makes it even more problematic.

Arguing that a U.S. government warrant does not apply to data stored overseas, Microsoft appealed the warrant to the U.S. Court of Appeals for the Second Circuit.  The court ruled in Microsoft’s favor by denying the government’s petition for rehearing on January 24, 2017.  The federal government has appealed this decision to the U.S. Supreme Court, which agreed to hear oral arguments on February 27, 2018.

American businesses have taken the lead in cloud computing technologies, enabling citizens around the world to communicate with each other, store photos, videos, and documents with greater security and at lower costs.  On January 18, 2018, 23 amicus briefs, representing 37 countries and 289 different groups and individuals, were filed with the Supreme Court in support of Microsoft’s position that Congress never intended for law enforcement to force companies to seize their customer’s private emails in data centers located overseas.

Yet, a Supreme Court ruling one way or the other is not the end of the story.  Congress must modernize data privacy laws to reflect both current and future communications technology.

On August 1, 2017, Sens. Orrin Hatch (R-Utah) and Chris Coons (D-Del.) introduced S. 1671, the International Communications Privacy Act of 2017.  On September 8, 2017, the House companion bill, H.R. 3718, was introduced by Rep. Doug Collins (R-Ga.). 

This legislation would require U.S. law enforcement agencies to obtain a warrant for content of electronic communications stored remotely, and provides the legal framework to obtain electronic communications of U.S. persons, regardless of where they are located.  The bill also calls for greater transparency and efficiency in the use of the Mutual Legal Assistance Treaty, which is used to assist law enforcement to obtain electronic communications relating to foreign nationals in certain circumstances.

Adoption of the International Communications Privacy Act would give technology companies, including cloud services providers, legal certainty in protecting the privacy of their customers and complying with legal requests for information, while addressing the borderless nature of the internet.  It strikes the right balance between the legitimate needs of law enforcement and the privacy of American citizens.

Although Congress has been known to not move forward even when there is bipartisan support, this matter is too important to be left on the sidelines.