Against data exceptionalism.

• Author: Woods, Andrew Keane
• Position: Introduction into II. Is Data Different? B. The Reality: Data Is Not So Different, p. 729-756

Table of Contents Introduction I. The Problem A. Evidence in the Global Cloud B. Jurisdictional Confusion C. A Broken International System D. Government Response II. Is Data Different? A. The Claim: "Data Is Different" B. The Reality: Data Is Not So Different 1. Data as an intangible asset a. Intangibility b. Mobility c. Divisibility and fungibility d. Distance between the asset holder and the asset 2. Data as a physical asset C. Summary III. Jurisdiction over Data in the Cloud A. Prescriptive Jurisdiction 1. Location of the data 2. Location of the harm 3. Citizenship of the suspect 4. Citizenship of the victim 5. Citizenship of the data controller B. Enforcement Jurisdiction C. Integrated Analysis IV. Conflicts of Laws over the Cloud A. A Conflicts Approach to Evidence in the Global Cloud 1. Identifying true conflicts 2. Weighing state interests 3. Reciprocity B. Blocking Statutes V. Implications for Law and Policy A. Reforming ECPA B. Interpreting ECPA C. Improving Mutual Legal Assistance D. The Case Against a Global Treaty Conclusion Introduction

On December 4, 2013, a magistrate judge in the Southern District of New York issued a search warrant for the contents and metadata associated with an e-mail account stored by Microsoft. (1) Microsoft produced the relevant data stored on its American servers. (2) But Microsoft, like many Internet companies, uses data centers located around the world to balance data loads and ensure that a user's data (3) is promptly available wherever the user accesses it. (4) Much of this particular customer's data was stored on the company's data center in Ireland. (5) The company therefore refused to hand over that data on the grounds that the Stored Communications Act (SCA), (6) which is part of the Electronic Communications Privacy Act (ECPA), (7) does not apply extraterritorially. (8) A district judge was unconvinced and upheld the warrant. (9) A number of amici have argued that allowing the U.S. government to compel the data would encroach on foreign sovereignty, (10) and Ireland filed an amicus brief to assert its interest in the matter. (11) The case is currently pending in the Second Circuit. (12)

The Microsoft Corp. case is only the most recent symptom of a much larger problem: while many people now store their most personal data in the cloud--that is, on remote servers scattered around the globe--there is no settled understanding of who has jurisdiction over that data. (13) Companies and countries have taken a number of different positions--some incompatible with each other--regarding the reach of the state's jurisdiction over Internet data. (14) These jurisdictional disagreements have wide-ranging implications for law enforcement and individual privacy, especially now that the cloud is global. (15) Consider, for example, what will happen when the Internal Revenue Service (IRS) seeks to collect back taxes by levying a Bitcoin account--how should a court determine whether the IRS has jurisdiction over the virtual currency? (16) Or consider the applicability of the Health Insurance Portability and Accountability Act (HIPAA) of 199617 to personal health data stored in the cloud--how should a court decide the location of the data for the purposes of determining whether it falls within the reach of HIPAA? Relatedly, what should a court do when, as in Microsoft Corp., two nations assert jurisdiction over the same piece of data? As that Second Circuit case works its way through the courts, Congress considers reforming ECPA, (18) and the United States and United Kingdom negotiate a treaty regarding government access to data stored in the cloud, (19) these questions have never been more pressing.

Fortunately, these questions are not as novel as some scholars suggest. A number of lawyers and academics have recently made the case for "data exceptionalism," suggesting that cloud-stored data is fundamentally incompatible with existing territorial limits on jurisdiction. (20) But, despite the wizardry and wonder of modern technological advances, cloud-based data is not conceptually novel enough to support this view. (21) Data has physical and intangible features, both of which provide helpful precedent for states seeking to assert jurisdiction over that data. (22) Cloud-based data resides on servers--essentially large hard drives--and wherever those servers sit, they are subject to territorial assertions of jurisdiction. (23) Even if this data were somehow stored in a free-floating ether, it would not be so different from other forms of intangible assets, like intellectual property and debts, which have been the subject of extraterritorial seizures going back many years. (24) Contrary to prevailing wisdom, jurisdiction over cloud-based data has nearly everything to do with territoriality--it requires an inquiry into the location of the data, the domicile of the data controller, the location of the crime, the citizenship of the victim, and/or the citizenship of the perpetrator. (25) Of course, these different bases for jurisdiction mean that the same piece of data may be subject to a number of different jurisdictions at the same time. But overlapping and conflicting laws are not a novel legal problem either; rather, conflicts of laws casebooks are filled with such disputes, and the fact that the subject of the dispute is Internet data changes very little as a conceptual matter. (26)

Showing that the jurisdictional challenges presented by the global cloud are not conceptually novel does not resolve those problems, but it does suggest a number of helpful insights drawn from past precedents. For example, if data is not as different as many have suggested, then states need not commit to narrowly defining their authority over data based on a single test, such as the location of the data or the domicile of the company. (27) Major Internet firms have adopted strikingly different views about the relevant test for when states have the authority to compel data. Microsoft treats the relevant test as the location of the data; under this test, states have the authority to compel data stored only on servers in their territory. (28) Google and Facebook appear to take a different view, suggesting in a number of different contexts that states have authority to compel data only if the data controller (the company) is domiciled in that state's territory. (29) Neither view is right as a matter of longstanding principles of jurisdiction. Well-established precedent suggests that if a court has personal jurisdiction over the defendant or the defendant's assets--in this case, an Internet company or its offices, servers, or bank accounts--it can lawfully compel the data in connection with a legitimate law enforcement effort, regardless of where the data is stored or where the company is domiciled. (30)

Moreover, a rich vein of conflicts jurisprudence suggests that states can take simple steps to reduce jurisdictional disputes with other states. (31) For example, one of the lessons of transnational litigation regarding offshore bank accounts--perhaps the best analogy to offshore data storage--is that blocking statutes, which prevent citizens from complying with foreign law enforcement requests, greatly exacerbate conflicts of laws. Repealing those statutes is therefore one of the simplest steps that states can take to encourage regulatory harmonization and reduce conflicts. (32) The implication of this insight for cloud-based data is simple but far reaching: it suggests reforming many states' privacy statutes, which often operate as blocking statutes. Applying this insight to U.S. law, for example, would mean reforming ECPA. (33) While there are a number of ECPA reform proposals pending in Congress, (34) and ECPA reform has been widely discussed in the press, (35) none of the current proposals would have any effect on the statute's blocking features...