'WAR CRIMES' AGAINST PRIVACY: THE JURISDICTION OF DATA AND INTERNATIONAL LAW.

• Author: Morris, P. Sean

1. Introduction

   Back in 1971, Arthur Miller in his classic text, The Assault on Privacy, warned that cybernetics instruments of mass surveillance posed "significant threats to personal freedom are presented by the inevitable linking of computers to existing surveillance devices for monitoring people and their communications." (1) Back then, when Miller penned his text, there was no Internet as we know it, and personal computers and networks were novelties, or they were in the process of emerging from the space program and related US Department of Defense programs. (2) There is no doubt that in these modern times, Miller has been vindicated, the moment the Internet became a reality, got commercialized in the late 1980s and then globalized by the early 1990s. (3)

   There are several angles from which Miller's thesis could be developed; however, this article will turn the focus on digital jurisdiction and how laws covering data retention/data grabbing, electronic snooping laws, and even services agreements for commercial free products such as emails, are seen from the perspective of privacy and in the wider context of international law. (4) In this article, most of these laws will be referred to broadly as "information privacy laws." Another key concern discussed in this article is the global storage of private data such as email contents and other online "products" that individuals use, and whether such storage is beyond the reach of national governments. (5)

   Harking back to Miller above, we must, turn our attention to some developments in a New York courtroom on April 25, 2014, when a magistrate judge ordered Microsoft Corporation to comply with a search warrant to disclose the private data relating to an email account being held on a server in Ireland. (6) According to the judge, the warrant "is a hybrid: part search warrant and part subpoena." (7) This decision was later upheld by a federal judge on July 31, 2014. (8) This example involving Microsoft and the U.S. government's attempt to obtain private data for one of Microsoft's user, whose data is located outside of the U.S. in Ireland develops some of the broader problems that faces international law. (9)

   There are two key aspects of the case (a) whether Microsoft should comply with the search warrant to hand over data located overseas, and (b) whether U.S. laws should be given extraterritorial effect. (10) These two aspects raise questions regarding the reach of domestic laws and their effect on privacy and private data. (11) Most of the domestic laws concerned either give law enforcement agencies the power to retain or syphon (duplicate) individual online activities or access general data storage facilities such as those in financial transactions. (12) The question is how much legality exists in these practices within the context of international law. (13) In terms of the latter, consider financial databases such as the Society for Worldwide Interbank Financial Telecommunication (SWIFT) system (14) as examples of data that can be (un)lawfully accessed, and that any such access, is part of systematic effort to exert control over all forms of data that traverses the Internet. (15) The claim of "war crimes" against privacy in this article refers to those acts undertaken by governments to access private data of individuals in order to make allegations of criminal enterprising activities, and also the access to data by illegal methods. (16)

   The term "data" is use broadly in this article, and sometimes refers to "personal data" including data of private individuals held on email servers; "corporate data;" and "non-corporate data," such as SWIFT, among others. (17) As such, this article focuses on how governments intercept private data and asks whether national information privacy laws should be applied extraterritorially in the absence of a global and standardized regime of international information privacy laws. (18) From this point of view, the article raises questions on the international nature of information privacy laws and suggests that questions pertaining to private data, under the circumstances discussed in the article, are no longer for national states, but are also a concern for international law and that bodies, such as the International Law Commission ("ILC"), should look into the relationship with data grabbing laws that are enacted quickly around the world. (19)

   Because this article addresses the body of law, referred to in this article as informational privacy laws concerning data in broad terms, there is the need to be clear on terminologies. Both the term "data protection" and "privacy" are sometimes used interchangeably, or on other occasions, with specific reference, depending on the context. (20) Also, the terms refer to the system of laws known as informational privacy laws building on the legal differences used in common law and civil law. (21) Thus, what some continental Europeans call "data protection", others may simply refer to as "privacy." (22) This explanation is for the purposes of this article, because strictly speaking both bodies of laws--data protection laws and privacy laws--are completely different when one takes into account the narrow focus of "privacy" as opposed to the broader "data protection" terminology. (23)

   The gist of this article is a discussion on both bodies of law that protects privacy and private/personal data, and in this regard, both bodies of law shall be construed under the roof of information privacy laws. (24) There is third body of law, which forms part of the broader theme of this article, namely, data retention laws or data grabbing laws (snooping legislation) that require the storage of data; it is this body of law that this article explores arguments on as enablers of "war crimes" against privacy. (25)

   The concept of "personal data" is standardized in numerous legal instruments, for example, in regional, (26) domestic and semi-international (soft) law instruments such as the Organization for Economic Cooperation and Development ("OECD") Data Guidelines. (27) Moreover, it is such description that is found in the number of cases that are litigated, in particular Europe, or other cases that are the target of litigation. (28) Thus, for example in cases such as Bonnier v. Perfect Communication (29) at the Court of Justice of the European Union ("CJEU"), that Court, echoing the legislation, reaffirmed that personal data is "any information relating to an identified or identifiable natural person." (30) Similarly, at the European Court for Human Rights ("ECtHR"), in Copland v. the United Kingdom, (31) the notion of personal data was similar confirmed, in particular as it is defined under Article 8 of the European Convention on Human Rights ("ECHR"). (32) The Copland decision is interesting as it relates to information derived from the monitoring of personal Internet usage. (33) The monitoring of personal Internet usage and the data such usage contains, such as that of personal email, was the subject of the Microsoft Search Warrant case. (34)

   In this article, "private data" is used to refer to arguments relating to the case, as oppose to "personal data". The broad point raised by that case, the extraterritoriality of U.S. laws, is of serious concern in relation to international law and the jurisdiction of digital data stored on servers overseas. (35)

2. The Nature of Data Under International Law and an Example of Data That is the Target for "War Crimes"

   Ever since the Internet allowed the cross-border flow of information more rapidly, regulators and policy makers have been struggling with questions of privacy. (36) Moreover, the cross-border flow of data poses severe problems for international law because data located overseas are not subjected to extraterritorial application of domestic law, for the reason that such act would be generally a gross violation of a country's sovereignty. (37) However, on the other hand, because of the number of actors involved in trans-border data, who are subjected to both domestic law and international law, questions pertaining to jurisdiction poses greater challenges to international law. (38) So, what then, to do under these circumstances? First, one would actually need to understand (a) what kind of data is vulnerable to cross-border transfer, and (b) the state of international law, and how all of this is linked to domestic laws on data grabbing (acquisition and retention). The rest of this article will subsequently address these issues and also how countries are creating a new international legalism with data protection laws in relations to privacy.

   Prior to the Internet the trans-border flow of data was minimal and limited to methods such as fax machines, telephones, letters and telegrams, whilst financial transactions such as wire transfers prior to the Internet were also a source of the trans-border flow of data. (39) Today, while these conduits for data transmissions are still around, they are largely replaced by the Internet which facilitates the faster transmission of data across borders. (40) Furthermore, because zeegatons of pages of data are created everyday with the availability of more data creation devices, such as modern smart phones, tablets, laptops, personal computer among others, such data becomes the target of criminals, law enforcement authorities, commercial entities and "hackers." (41) The protection of such data varies by countries, with some regions such as the supra-federal European Union having strong privacy protection laws, while other countries such as the U.S. and some in Africa or South America have either different standards for the protection of privacy or mediocre and weak privacy protection laws. (42)

   Internet created data (e.g., contents) by private individuals that is stored on commercial servers is a commodity in the eyes of the commercial operators and the personal property of the individual. (43) For commercial...