Which country's laws apply to government access?

Access to user data can easily involve three or more different countries and it is important to be clear about which laws apply to which aspects of the process of sharing user data.  A law enforcement officer and the user might be in Country X, the email provider is headquartered in Country Y, and the actual data is stored in Country Z.  

This example could easily become even more complicated if the user were in a different country from the law enforcement officer, or if copies of the data were hosted in multiple locations.  It is therefore unsurprising that it can be difficult to determine which country’s laws govern data access in international cases.  This is an unsettled area of the law, and State practice is rapidly evolving as an increasing number of cases are beginning to come before the courts.  

The concept of jurisdiction can be broken down into three aspects, which broadly mirror the arms of government: prescriptive (exercised by the legislature); enforcement (exercised by the executive); and adjudicative (exercised by the judiciary).  When applied to the context of online user records, prescriptive jurisdiction means the ability to create laws controlling when and on what terms government can access user data held by private companies.  Adjudicative jurisdiction means which courts can hear disputes about the application of these laws.  Enforcement jurisdiction means the power for officers from that State to enforce the laws through compulsory process, such as executing search warrants, arresting individuals or imprisoning them.  It is this third aspect of jurisdiction that is most important in the context of accessing online records internationally.

Unlike legislative jurisdiction, enforcement jurisdiction is usually bound by a State’s territory.  Absent special circumstances or express permission, a State cannot enforce its own laws in another State’s territory.  This means that a country can have legislation governing a person’s actions outside its territory but is unable to enforce that law.

The key question for compulsorily obtaining user data then becomes where the “search” and “seizure” occur.  Several possibilities exist:

  • where the hosting provider retrieves records;
  • where the internet company copies records from the hosting provider; or
  • where the law enforcement officer looks at the records.

At the moment, the law is unsettled and there is no clear answer to this question.  Applying precedents based on physical property to electronic data is difficult.  Physical property is usually seized before it is searched.  Cases involving data turn this scenario on its head because police officers usually seize computer data first, and then take it off-site to search it.  Electronic property is also unusual in that it may be copied infinitely without compromising the original data, and multiple copies are often created in the ordinary course of use.    

The US courts are currently grappling with the correct way of analysing “search” and “seizure” in the context of access to user data.  Microsoft Corporation is challenging a US search warrant over user data that the company stores in Ireland.