Over the past ten days, civil society has been having kittens over the UK Data Retention and Investigatory Powers Bill, partly because of its extraterritorial extension of UK surveillance powers. This comes at a time when there is already heightened focus on issues of data and jurisdiction because the District Court is due next week to consider Microsoft’s challenge to the magistrate’s decision to uphold a search warrant over data that is stored in Ireland. When the District Court hears this matter, things will no doubt get very technical very quickly. International jurisdiction can have you turning your mind inside out trying to work your way through layers of laws, precedents and analogies, none of which is actually directly applicable to the case at hand. However, before we get swept up in the court’s analysis, let’s take a moment to step outside of the legalities of the Microsoft case and instead think about the fundamental principles behind them. It’s a game of ‘what would we want the laws to look like if we didn’t have to rely on Congress to pass them?’.
The big question that I want to ask is, what criteria should jurisdiction for user data be based on? The four key options that I see are:
- Data location
- User location
- Company location
- Terms of service
Jurisdiction based on data location
This is essentially the approach that Microsoft is advocating. If your biggest fear is the NSA-style overreach of US power, it has definite appeal. It means that US law enforcement doesn’t get a shortcut to the world’s data just because US companies dominate much of the internet. Instead, US law enforcement must use the Mutual Legal Assistance Treaty (MLAT) process or other methods of international cooperation if the data is hosted abroad, which feels reassuringly respectful of international borders and principles of sovereignty.
However, if you’re a vulnerable user in an undemocratic regime, this may not be such an attractive option. Companies that insist on Californian jurisdiction over their data can use this to protect their users’ data when they have concerns about the legitimacy of the foreign government’s request. The Electronic Communications Privacy Act (ECPA) may be an imperfect guardian of user data, but it still provides a baseline level of protection for vulnerable users in undemocratic countries.
Moreover, data is increasingly stored across multiple jurisdictions and moves quickly between them. It seems arbitrary for users to be subject to different laws depending on where their data happens to be at a particular moment in time. For some companies, it may even be difficult to determine where the data is located.
If companies make decisions about where to store data based on legal considerations rather than technical requirements, it could compromise the ability to provide fast, reliable product offerings to consumers. Google highlighted this point in their objections to Brazil’s attempt to legislate for data localization.
Jurisdiction based on user location
Something feels right about users being governed by their own countries’ laws because that’s how it’s traditionally been done. Professor Kerr has argued for US jurisdiction to be based on user location, so that US-based users would receive full statutory protections, regardless of where in the world their data is stored. Applied more broadly, this could have the benefit of ensuring that users in countries with strong data protection and human rights laws receive the protection of their own countries’ regimes even when they’re using a foreign online product. User-based jurisdiction could also facilitate legitimate access to data for criminal investigations by removing the international complications when law enforcement officers are investigating users within their own jurisdiction.
However, companies with a very international user base could find themselves in a nightmarishly complicated situation of having to comply with 193 countries’ legal systems and apply the correct laws to each user wherever that user happened to be. There are also difficulties in identifying where a user is at any given time. Professor Kerr suggests a solution that permits (but does not require) providers doing business in the US to disclose foreign user data (using rebuttable presumptions about user location) in response to foreign legal requests. This goes some way towards solving the problem. However, I'm not sure that it is a complete solution by itself because, if mirrored in other jurisdictions around the world, it places a large amount of discretion in the hands of internet companies and creates significant conflict of laws issues.
Jurisdiction based on company headquarters’ location
This is the approach adopted by companies such as Google, Twitter, and Facebook. It has the advantage of being simple to understand, and ensures that there is at least a baseline level of legal protections (albeit a US-centric baseline).
However, this approach risks entrenching the dominance of US laws and US values over an international space. Countries may be left with limited ability to enforce laws over their own citizens within their own territory on issues such as data protection, intellectual property, or criminal law. It means that countries have to go through the MLAT and US legal process. This creates a large caseload for the US Department of Justice, FBI and US companies, as well as creating delays and frustrations for foreign law enforcement. It is concerns like these that encourage moves towards data localization and fragmentation of the internet.
Jurisdiction determined by terms of service
There is some attractiveness to the idea of being able to specify jurisdiction through the terms of service. It gives a level of user consent and empowerment over their data choices.
However, it is doubtful how many users read and understand the terms of service for every online service they access. This approach also raises concerns about forum-shopping. Terms of service should have to be combined with other indicia of jurisdiction (eg headquarter or user location), otherwise companies or users could just arbitrarily forum-shop for jurisdictions.
So what is the ideal solution?
I’m not sure. I think that the laws governing users and their data should be determined by reference to the location of the parties (ie the user, the provider and the requesting agency), rather than focusing solely on the location of the data. However, no single one of these bases is ideal. I think that we need a combination of factors that are required to provide the basis for jurisdiction. When multiple States assert jurisdiction, there’s then a separate question of how to manage any potential conflict of laws (definitely a question for another day!).
Where does this leave us?
Meanwhile, back in reality, we have to work with the laws that are on the books. It’s important to distinguish the discussion about what the law should be from what it actually is. Some of the arguments being raised in the context of the Microsoft case seem to blur that line by using perceived problems with the MLAT process to justify particular interpretations of the current laws. While legal interpretation should be connected with practical realities, it’s important that the logic of the analysis and interpretation be able to stand on its own merits.