The Epiq Angle

When Google Stores Emails Overseas, Can the U.S. Government Access Them?

July 18, 2017

Privacy advocates were pleased in 2016 when the Second Circuit Court of Appeals, ruling in favor of Microsoft, found that the government could not compel the tech giant to turn over customer data stored overseas.  The decision marked the first time that a federal court had ruled on whether the Stored Communications Act (SCA) could be applied overseas. At the time, it appeared that tech companies may be able to rely on the SCA to protect information stored on servers located outside the U.S.

Google Email Overseas

International Data Rule Changes

2017, however, has seen some major changes to the legal landscape surrounding overseas data—changes that are unlikely to please privacy advocates or tech companies, but have come as a relief to U.S. intelligence agencies. Chief among these changes is a decision named In the Matter of the Search of Content That is Stored at Premises Controlled By Google. The ruling, issued by the U.S. District Court for the Northern Circuit of California, followed a different interpretation of the SCA. The Court held that Google can be required by a search warrant to disclose content from its users’ Gmail accounts, even when the content is stored exclusively outside of the United States.

Stored Communications Act (SCA)

Key to the decision was Google’s disclosure that the U.S. is the only place in which the information could be accessed. The Court held that the warrant is directed at the location where Google can access the data and deliver it to the government – and that because this location is within the court’s jurisdiction, the data is subject to the warrant, regardless of where the data is currently located. (The Court also held that an SCA warrant is not technically a search warrant, because it requires a disclosure of data, and the government “does not search a location or seize evidence.”
 
The opinion distinguishes Google’s circumstances from the Microsoft decision by pointing out that data subject to the warrant in the Microsoft case was stored in a way that was tied to a user’s location. The data from Google’s email accounts, on the other hand, is stored automatically based on an algorithm, with no storage decision being made.

Judicial Opinions

The ruling is not the first time this year that Google’s efforts to protect overseas data has been dealt a blow by the judicial system. In February, a district court in Pennsylvania held that the FBI could compel Google to produce data related to two criminal cases, even though the data was stored internationally. The court held that because Google “will gather the requested undisclosed data on its computers in California, copy it in California, and send the data to law enforcement agents in the United States,” the SCA was not being applied internationally.

Filed under: big data, cloud, compliance, data privacy, data protection, ediscovery