Google Data Privacy Fight Hinges on Cloud Storage Tech

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Daniel R. Stoller

An order that Alphabet Inc.'s Google turn over customer data stored overseas relied more on the specific storage technology at play than on an outdated federal email privacy law, attorneys told Bloomberg BNA.

Magistrate Judge Laurel Beeler of the U.S. District Court for the Northern District of California ruled April 19 that Google must turn over customer data stored overseas subject to a valid search warrant issued in June 2016 under the Stored Communications Act, 18 U.S.C. § 2701 ( In re The Search of Content That Is Stored At Premises Controlled By Google , 2017 BL 129087, N.D. Cal., No. 16-mc-80263-LB, 4/19/17 ).

The ruling may not offer real clarity sought by companies that store large amounts of data in the cloud, such as Google, Microsoft Corp. and Amazon.com Inc., on whether they must comply with government demands for the release of consumer data stored outside the U.S. But it does offer some insight into how courts may parse the technological issues surrounding the storage of data and identification of the consumers tied to that data by focusing on the ability of the company to readily identify the citizenship of a particular user.

The decision “focused on Google’s technology which splices single files into components and then stores it in different locations around the world,” Craig A. Newman, partner with Patterson Belknap Webb & Tyler LLP and chair of its privacy and data security group in Washington, told Bloomberg BNA April 25. Unlike the U.S. Court of Appeals for the Second Circuit’s decision in the Microsoft Ireland case, where the software giant “stored files locally based on user geography,” Google based its data storage practices “on network efficiencies,” Newman said. The decision rested on whether “the data can be accessed rather” than where it is physically located, he said.

A Google spokeswoman told Bloomberg BNA that the company didn’t have any comment on the litigation.

Google Data Storage Practices

The case arises out of a June 30, 2016 search warrant that requested “specific email accounts regarding subscriber information, evidence of specified crimes and information about the account holders’ true identity, locations and assets,” the opinion said.

Google partially complied with the search warrant. The search engine giant turned over records that could be traced to data centers in the U.S., but didn’t produce data for accounts that were “stored exclusively outside” of the U.S., the opinion said.

Data stored by Google would be “broken into component parts and different parts of a single file may be stored in different locations,” the opinion said. The location of data stored on Google’s servers “can change during the time period from when legal process (such as a search warrant) is authorized and when it is served,” it said.

“Technology has been a defining factor” in recent decisions across the U.S. and courts have offered “different legal justifications based on a service provider’s use storage technology,” Newman said. The bottom line in these cases from Pennsylvania, Wisconsin and California “is that a service provider’s location and ability to retrieve data stored abroad have been considered decisive factors— not whether the data is subject to protection under foreign law or is otherwise a violation of privacy rights,” he said.

Bennett Borden, data analytics partner at Drinker Biddle & Reath LLP in Washington, told Bloomberg BNA April 25 that cloud computing companies may be “offending” the courts and judges by moving their data around the world. Courts see it as a “business practice of hiding the data,” and that is what may have called the differing opinions across the U.S.

Different Than Microsoft Ireland

In the landmark case of In re Warrant to Search a Certain E-mail Account Controlled & Maintained by Microsoft Corp ., the Second Circuit held that the SCA doesn’t contemplate extraterritorial application and that the term of art, “warrant,” used in the SCA was intended to protect privacy rights.

The Second Circuit said that the SCA focused on user privacy and determined that enforcing the warrant and directing Microsoft to seize communications stored in Ireland would be an unlawful extraterritorial application where Microsoft didn’t have to turn over email stored on Irish servers.

In dissent, Judge Dennis Jacob said that “no extraterritorial reach is needed to require delivery in the United States of the information sought” because the warrant asked for data “already within the grasps of a domestic entity.” The dissent didn’t focus on the specific location of the data but on whether a U.S.-based company had a warrant properly served on it and that it could easily access the data. Three other dissenting judges agreed under the same reasoning.

Magistrate Judge Beeler relied on the dissents for her ruling against Google.

Borden said that the Second Circuit properly focused on the fact that Microsoft could distinguish between data belonging to a U.S. citizen and that of a foreign citizen. The Google case is different because the search engine giant simply moved data around the world “for algorithmic efficiencies” and it doesn’t “know if data is related to foreign citizens” in every example.

Together, these cases highlight the “stronger constitutional basis” for overturning SCA warrants “where the data is located in another country compared to when the data is located in the U.S.,” Borden, who is also Drinker’s chief data scientist, said.

Due to conflicting court standards, Congress needs to act on the decades-old SCA to add clarity and certainty for the cloud computing industry and courts across the U.S., Timothy Newman, privacy associate at Haynes and Boone LLP in Dallas told Bloomberg BNA. Courts shouldn’t have to struggle with an outdated standard, he said. Rather “Congress could modernize the SCA and provide a clearer framework for analyzing law enforcement requests for electronic communications,” Newman said.

If Congress fails to act “it’s very possible” that the case “will bubble up to the Supreme Court.”

To contact the reporter on this story: Daniel R. Stoller in Washington at dStoller@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security