Royal Caribbean Can’t Cruise Away from U.S. Stored Data Order (1)


By Daniel R. Stoller

Royal Caribbean Cruises Ltd. must turn over stored data relating to a money laundering probe, a federal court ruled in a win for the U.S.

The U.S. government served the Miami-based cruise liner with a Stored Communications Act, 18 U.S.C. 2703(d), order because the company was a “provider of electronic communication services,” Judge Beryl A. Howell of the U.S. District Court for the District of Columbia ruled March 8. The cruise line isn’t a traditional electronic communications provider, but it can be considered one, the court said.

Law enforcement authorities often serve SCA orders on cloud computing companies, such as Microsoft Corp. and Inc., when they seek database-stored customer information related to criminal investigations.

Most SCA orders are served on cloud giants, but the case highlights that a company in the U.S. that provides electronic communications or remote computing services can get swept up in a SCA order.

Companies that don’t directly offer consumer internet service, like Royal Caribbean, haven’t historically been served with SCA orders, Hanley Chew, privacy and data security of counsel at Fenwick & West LLP and former assistant U.S. attorney in the U.S. District Court for the Northern District of California, told Bloomberg Law March 9. The U.S. Attorney’s Office and the Department of Justice generally limited such requests to traditional electronic communications providers, such as Yahoo Inc., he said.

Larger Trend or Fact-Specific?

Since the end of 2015, however, there have been more SCA orders “directed at regular businesses,” Chew said. This signals “a larger trend of what we’ll see going forward,” he said.

Howell’s move to allow the communications request may signal to other courts and law enforcement officials that the scope of SCA orders is expanding into new territory.

The decision “could have potential ramifications” for future SCA requests, Joseph Moreno, cybersecurity and data protection partner at Cadwalader, Wickersham, & Taft LLP and former special assistant U.S. attorney for the U.S. District Court for the Eastern District of Virginia, told Bloomberg Law March 9. Some judges and prosecutors may see the decision as a broadening of SCA orders to include non-traditional service providers, he said.

Chew agreed, saying that companies such as Starbucks Corp. or other retailers that provide WiFi to customers could see SCA requests if courts construe the case broadly.

Other judges could see the decision as fact specific to Royal Caribbean, based on how the cruise liner supplied electronic communication services to passengers, Moreno said.

Stored Data on the High Seas

The U.S. government served Royal Caribbean in July 2017 with a SCA request to turn over “subscriber and transaction records in relation to money transfers executed via the” web, connected to specific internet protocol addresses. A magistrate judge denied the request, saying the U.S. failed to show that Royal Caribbean was a provider of either electronic or remote computing services.

The U.S. objected to the magistrate’s opinion and provided more details to the court on why Royal Caribbean should be compelled to turn over the data.

Howell sided with the U.S., ruling that the cruise liner is subject to SCA orders because it “provides passengers the ability to access the internet in order to, among other things, effectuate money transfers, thus making the company a provider” of electronic communication services and subject to the government’s request.

The case is In re United States, D.D.C., No. 17-2682, objection sustained 3/8/18.

To contact the reporter on this story: Daniel R. Stoller in Washington at

To contact the editor responsible for this story: Barbara Yuill at

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.
