Skip to main content
×
×
Home

Cross-Border Evidence Gathering in Transnational Criminal Investigation: Is the Microsoft Ireland Case the “Next Frontier”?

  • ROBERT J. CURRIE
Abstract

A recent and prominent American appeals court case has revived a controversial international law question: can a state compel a person on its territory to obtain and produce material that the person owns or controls, but which is stored on the territory of a foreign state? The case involved, United States v Microsoft, features electronic data stored offshore that was sought in the context of a criminal prosecution. It highlights the current legal complexity surrounding the cross-border gathering of electronic evidence, which has produced friction and divergent state practice. The author here contends that the problems involved are best understood — and potentially resolved — via an examination through the lens of the public international law of jurisdiction and, specifically, the prohibition of extraterritorial enforcement jurisdiction. An analysis of state practice reveals that unsanctioned cross-border evidence gathering is viewed by states as an intrusion on territorial sovereignty, engaging the prohibition, and that this view properly extends to the kind of state activity dealt with in the Microsoft Ireland case.

Un arrêt récent d’une importante instance d’appel américaine a relancé une question de droit international controversée: un État peut-il obliger à une personne sur son territoire d’obtenir et de produire du matériel qui lui appartient ou qu’il contrôle, mais qui est stocké sur le territoire d’un État étranger? L’affaire en question, États-Unis c Microsoft, traite de données électroniques stockées à l’étranger et recherchées dans le cadre d’une poursuite pénale. Elle souligne la complexité juridique actuelle entourant la collecte transfrontalière de preuves électroniques, ce qui a généré des frictions et une pratique divergente entre les États. L’auteur affirme que les problèmes impliqués sont mieux compris — et potentiellement résolus — selon l’optique du droit international public de la compétence, et plus particulièrement de l’interdiction de l’exercice de la compétence d’exécution à l’étranger. Une analyse de la pratique des États révèle que la collecte transfrontalière non-autorisée de données est perçue par les États comme une atteinte à leur souveraineté territoriale ainsi qu’une contravention à l’interdiction d’exécution extraterritoriale. Cette analyse se prête bien à l’évaluation du genre d’activités étatiques traitées dans l’affaire Microsoft Ireland.

  • View HTML
    • Send article to Kindle

      To send this article to your Kindle, first ensure no-reply@cambridge.org is added to your Approved Personal Document E-mail List under your Personal Document Settings on the Manage Your Content and Devices page of your Amazon account. Then enter the ‘name’ part of your Kindle email address below. Find out more about sending to your Kindle. Find out more about sending to your Kindle.

      Note you can select to send to either the @free.kindle.com or @kindle.com variations. ‘@free.kindle.com’ emails are free but can only be sent to your device when it is connected to wi-fi. ‘@kindle.com’ emails can be delivered even when you are not connected to wi-fi, but note that service fees apply.

      Find out more about the Kindle Personal Document Service.

      Cross-Border Evidence Gathering in Transnational Criminal Investigation: Is the Microsoft Ireland Case the “Next Frontier”?
      Available formats
      ×
      Send article to Dropbox

      To send this article to your Dropbox account, please select one or more formats and confirm that you agree to abide by our usage policies. If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your <service> account. Find out more about sending content to Dropbox.

      Cross-Border Evidence Gathering in Transnational Criminal Investigation: Is the Microsoft Ireland Case the “Next Frontier”?
      Available formats
      ×
      Send article to Google Drive

      To send this article to your Google Drive account, please select one or more formats and confirm that you agree to abide by our usage policies. If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your <service> account. Find out more about sending content to Google Drive.

      Cross-Border Evidence Gathering in Transnational Criminal Investigation: Is the Microsoft Ireland Case the “Next Frontier”?
      Available formats
      ×
Copyright
References
Hide All

1 The emerging field of “transnational criminal law” examines the body of public international law, primarily treaty based, under which states cooperate in the suppression of criminal activity that transcends borders and engages mutual interests. See generally Boister, Neil & Currie, Robert J, Routledge Handbook of Transnational Criminal Law (London: Routledge, 2015); Boister, Neil, An Introduction to Transnational Criminal Law (Oxford: Oxford University Press, 2012). As this article is focused on investigation and enforcement, I am using the term in the broader sense of cross-border crime that engages the interests of more than one state, which I have called elsewhere “transnational crimes of domestic concern.” Currie, Robert J & Rikhof, Joseph, International and Transnational Criminal Law, 2d ed (Toronto: Irwin, 2013) at 22.

2 Microsoft Corporation v United States of America, 829 F3d 197 (2d Circ 2016), rehearing en banc denied, No 14-2985, 2017 WL 362765 (2d Cir, 24 January 2017) [Microsoft Ireland case].

3 One of the amici in the case, Electronic Frontier Foundation (EFF), has put up a page on its website that conveniently provides pdf copies of all of the relevant documents and pleadings in the case. See EFF, online: <https://www.eff.org/cases/re-warrant-microsoft-email-stored-dublin-ireland>. All citations to these documents herein will be sourced to this site.

4 What species of “warrant,” “subpoena,” or other criminal procedure device this order amounts to is actually at issue in the case. It appears to be analogous to the Canadian production order (see Criminal Code, RSC 1985, c C-46, s 487.014) where at the Crown’s instance a court will issue an order directing a private party to produce evidence. What is pertinent for this article, as discussed below, is that the “warrant” amounts to an exercise of compulsory state power and is thus an exercise of enforcement jurisdiction.

5 In the Matter of a Warrant to Search a Certain E-mail Account Controlled and Maintained by Microsoft Corporation, 2014 WL 1661004, 13 Mag 2814 (US Dist Ct) (25 April 2014).

6 The case of eBay Canada Ltd v Canada (National Minister of Revenue), 2007 FC 930, aff’d 2008 FCA 348 [eBay case], before the Federal Court and Federal Court of Appeal of Canada dealt with essentially the same issue, but it appears the international law aspects were not brought to the attention of the courts.

7 In re Search Warrant no 16-690-M-01 to Google; In re Search Warrant no 16-690-M to Google, Decision of Judge Thomas J Reuter (Dist Ct Eastern District for Pennsylvania, 3 February 2017) [Google Warrant case]. See Ricci Dipshan, “The Cloud Conundrum: Explaining Divergent Google, Microsoft Search Warrant Rulings,” LAW.COM (15 February 2017), online: <http://www.law.com/sites/almstaff/2017/02/15/the-cloud-conundrum-explaining-divergent-google-microsoft-search-warrant-rulings/?slreturn=20170122201302>.

8 Indeed, it is sometimes the presence of potentially relevant evidence in a state outside the investigating state that makes a case “transnational” in nature. See Ellen S Podgor, “Cybercrime: National, Transnational or International?” (2004) 50 Wayne L Rev 97.

9 That is, the conclusion of mutual legal assistance treaties (MLATs), under which states agree to collect and send evidence to each other, on a reciprocal basis, for use in criminal proceedings. See section II below.

10 Some solid examples of writing of this sort: Orin Kerr, “The Surprising Implications of the Microsoft/Ireland Warrant Case,” Washington Post (29 November 2016), online: <https://www.washingtonpost.com/news/volokh-conspiracy/wp/2016/11/29/the-surprising-implications-of-the-microsoftireland-warrant-case/?utm_term=.8cd07e1ec5a9>; Jennifer Daskal, “The Un-Territoriality of Data” (2015–16) 125 Yale LJ 326.

11 Kate Westmoreland & Gail Kent, “Foreign Law Enforcement Access to User Data: A Survival Guide and Call For Action” (2015) 13:2 Can J L & Technology 225.

12 As is well known, in October 2015, the Court of Justice for the European Commission issued a decision invalidating the US–EU Safe Harbour Agreement Regarding Data Transfer and Protection. See Case C-362/14, Maximillian Schrems v Data Protection Commissioner (6 October 2015), online: <http://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=61478>, which one blogger accurately referred to as “Snowden aftershocks.” Alysa Zeltzer Hutnik & Crystal N Skelton, “Snowden Aftershocks: High Court Invalidates US-EU Safe Harbor,” online: <http://www.adlawaccess.com/2015/10/articles/snowden-aftershocks-high-court-invalidates-u-s-eu-safe-harbor/#page=1>. And see David S Kris, Statement before the Committee on the Judiciary, US House of Representatives, Hearing on International Conflicts of Law Concerning Cross Border Data Flow and Law Enforcement Requests (25 February 2016), online: <http://judiciary.house.gov/_cache/files/95e3c0d6-2da2-40f3-a91a-a4849ff240b8/david-kris-testimony.pdf>.

13 See generally C Kuner et al, “Internet Balkanization Gathers Pace: Is Privacy the Real Driver?” (2015) 5:1 International Data Privacy Law 1; P de Filippi & S McCarthy, “Cloud Computing: Centralization and Data Sovereignty” (2012) 3:2 Eur J L & Technology. Brazil has been especially keen on this point. See Tim Ridout, “Brazil’s Internet Constitution: The Struggle Continues,” Fletcher Forum (25 March 2014), online: <http://www.fletcherforum.org/2014/03/25/ridout/>. Russia’s new “data localization” laws came into force on 1 September 2015 and the Russian telecommunications regulator recently issued an order blocking public access to the LinkedIn social network on the basis that it was in violation of the law. Maria Tsvetkova & Andrew Osborn, “Russia Starts Blocking LinkedIn Website after Court Ruling,” Reuters Technology News (17 November 2016), online: <http://www.reuters.com/article/us-russia-linkedin-idUSKBN13C0RN>.

14 See Mark Wilson, “Twitter Moves Non-US Accounts to Ireland, and Away from the NSA,” Slashdot (18 April 2015), online: <http://yro.slashdot.org/story/15/04/18/0633204/twitter-moves-non-us-accounts-to-ireland-and-away-from-the-nsa>.

15 I should note that I am intentionally avoiding any substantial discussion of “cybercrime” in this article. It is not necessarily irrelevant, as on some definitions of “cybercrime” any criminal case that has electronic evidence involved would be a cybercrime case. However, the focus here is more generally on situations where there is electronic evidence that appears to require a transnational enforcement effort of some sort, whether a given case would involve “cybercrime” or not. The recent study by the United Nations Office and Drugs and Crime’s (UNODC) inter-governmental panel of experts highlighted “the increasing involvement of electronic evidence in all crime types and not just those falling within the term ‘cybercrime.’” UNODC, Comprehensive Study on Cybercrime: Draft 2013 (New York: United Nations, 2013) at 188.

16 Lowe, Vaughan & Staker, C, “Jurisdiction” in Evans, Malcolm D, ed, International Law, 3d ed (Oxford: Oxford University Press, 2010) 313.

17 Coughlan, Steve et al, Law beyond Borders: Extraterritorial Jurisdiction in an Age of Globalization (Toronto: Irwin Law, 2014) at 3536 [emphasis in original].

18 Case of the SS Lotus (France v Turkey), 1927 PCIJ (Ser A) No 10, 31 [Lotus].

19 Hannah L Buxbaum, “Transnational Regulatory Litigation” (2006) 46 Va J Intl L 251 at 304.

20 R v Hape, 2007 SCC 26, para 58.

21 Lotus, supra note 18 at 18–19.

22 This is a point often made in international law literature, but a recent report based on a survey of cybercrime and international law experts from an array of countries provides a contemporary explanation: “It is worth noting here the strength of feeling among the international lawyers present in the workshop organized for this project as to the sensitivity of states to a breach of territorial integrity for the purpose of criminal law or security investigations. This feeling is based upon the dual observation that a state’s first responsibility is traditionally understood to be ensuring public order and the fact that the enforcement of criminal law is explicitly connected to the coercive power of the state, ie its monopoly of violence that is the marker of its internal claim to sovereignty.” Bert-Jaap Koops & Morag Goodwin, Cyberspace, the Cloud and Cross-Border Criminal Investigation: The Limits and Possibilities of International Law (Tilburg: Tilburg Institute for Law, Technology and Society, 2014) at 61.

23 Kindred, Hugh M, et al, eds, International Law: Chiefly as Interpreted and Applied in Canada, 8th ed (Toronto: Emond Montgomery, 2014) at 252.

24 Chris D Ram, “The Globalization of Crime as a Jurisdictional Challenge” (paper delivered at the 2011 Annual Conference of the Canadian Council on International Law, Ottawa, 2011) at 1 [copy on file with author].

25 See USA v Licht, 2002 BCSC 1151, where an extradition was stayed because the US Drug Enforcement Agency (DEA) had been operating a sting operation on Canadian territory without the permission of Canadian authorities.

26 United States of America v Orphanou (2004), 19 CR (6th) 291 (Ont SCJ), where an MLAT request was denied because a US police officer who was permitted to attend the execution of an MLAT-based search warrant absconded with evidence.

27 In early 2013, there were media reports of a dispute between the Canadian Royal Canadian Mounted Police (RCMP) and the US DEA, due to the Canadian police operating a confidential informant on US soil without the permission of American authorities. See John Nicol & Dave Seglins, “L.A. Cocaine Bust Threatens Canada-US Police Relations,” CBC News Canada (12 February 2013), online: <http://www.cbc.ca/news/canada/story/2013/02/11/canada-us-police-relations.html>.

28 On extradition and mutual legal assistance generally, see Currie & Rikhof, supra note 1, ch 9.

29 These are agreements, usually for narcotics interdiction, under which enforcement officials from one state will ride aboard an enforcement ship or aircraft from another state, in order to provide permission for the enforcement ship to cross into the first state’s territorial waters or airspace to pursue traffickers’ vessels. See JE Kramek, “Bilateral Maritime Counter Drug and Immigrant Interdiction Agreements: Is This the World of the Future?” (2000) 31 U Miami Inter-American L Rev 121; Gilmore, William, Agreement Concerning Co-operation in Suppressing Illicit Maritime and Air Trafficking in Narcotic Drugs and Psychotropic Substances in the Caribbean Area (London: UK Foreign & Commonwealth Office, 2003).

30 See generally Saskia Hufnagel & Carole McCartney, “Police Cooperation against Transnational Criminals” in Boister & Currie, supra note 1, 107; Saskia Hufnagel, Harfield, Clive & Bronitt, Simon, eds, Cross-Border Law Enforcement: Regional Law Enforcement Cooperation — European, Australian and Asia Pacific Perspectives (New York: Routledge, 2012); Goldsmith, Andrew & Sheptycki, James, eds, Crafting Transnational Policing (Oxford: Hart, 2007).

31 See Boister, supra note 1, ch 13.

32 Koops & Goodwin, supra note 22, citing PJP Tak, “Bottlenecks in International Police and Judicial Cooperation in the EU” (2000) 8 Eur J Crime, Crim L & Crim Justice 343 at 344.

33 See note 20 above.

34 Framework Agreement on Integrated Cross-Border Maritime Law Enforcement Operations, 26 May 2009, Can TS 25 (2012).

35 Not to mention its use in court. A recent book on the subject to which I have contributed is already in its third edition. Stephen Mason, ed, Electronic Evidence, 3d ed (New York: LexisNexis, 2012).

36 Koops, Bert-Jaap & Brenner, Susan, Cybercrime and Jurisdiction: A Global Survey (The Hague: TMC Asser Press, 2006); Teresa Scassa & Robert J Currie. “New First Principles? Assessing the Internet’s Challenges to Jurisdiction” (2011) 42 Georgetown J Intl L 1017.

37 Gail Kent, Sharing Investigation-Specific Data with Law Enforcement: An International Approach, Stanford Public Law Working Paper (14 February 2014), online: <https://ssrn.com/abstract=2472413>; Koops & Goodwin, supra note 22; Nicolai Seitz, “Transborder Search: A New Perspective in Law Enforcement?” (2004–05) 7 Yale J L & Technology 23; UNODC, supra note 15.

38 Most famously in John Parry Barlow, “A Declaration of the Independence of Cyberspace,” EFF, online: <https://homes.eff.org/∼barlow/Declaration-Final.html>. See also David R. Johnson & David Post, “Law & Borders: The Rise of Law in Cyberspace” (1996) 48 Stan L Rev 1367.

39 See, eg, Daniel C Menthe, “Jurisdiction in Cyberspace: A Theory of International Spaces” (1998) 4 Mich Telecommunications & Technology L Rev 69.

40 See Mueller, Milton L, Networks and States: The Global Politics of Internet Governance (Cambridge, MA: MIT Press, 2010) at 3.

41 See generally Jack Goldsmith, “Unilateral Regulation of the Internet: A Modest Defense” (2003) 11 EJIL 135; Kohl, Uta, Jurisdiction and the Internet: Regulatory Competence over Online Activity (Cambridge: Cambridge University Press, 2007).

42 Koops & Brenner, supra note 36 at 6.

43 Scassa & Currie, supra note 36.

44 See also Coughlan et al, supra note 17, ch 4.

45 Libman v The Queen, [1985] 2 SCR 178, para 63.

46 Dan Jerker B Svantesson, “How Does the Accuracy of Geo-Location Technologies Affect the Law?” (2007) 2 Masaryk U J L & Tech 11. Of course, as discussed below, this cannot always be accomplished rapidly and in real-time accordance with the needs of a criminal investigation.

47 Chris Ram, “Cybercrime” in Boister & Currie, supra note 1, 390.

48 Cybercrime Convention Committee (T-CY), Transborder Access and Jurisdiction: What Are the Options?, Doc no T-CY (2012) 3 (6 December 2012) at 6 [T-CY, Transborder Access and Jurisdiction].

49 See Susan Brenner & Bert-Jaap Koops, “Approaches to Cybercrime Jurisdiction” (2004) 4 J High Tech L 1 at 21–23; Seitz, supra note 37.

50 “Russians Accuse FBI of Hacking,” The Register (16 October 2002), online: http://www.theregister.co.uk/2002/08/16/russians_accuse_fbi_agent>.

51 Convention on Cybercrime, ETS 185 (2001).

52 Council of Europe, Explanatory Report to the Convention on Cybercrime (23 November 2001), online: <https://rm.coe.int/16800cce5b>. See also Kaspersen, Henrik WK, “Jurisdiction in the Cybercrime Convention” in Koops & Brenner, supra note 36, 9 at 19–21.

53 See Koops & Goodwin, supra note 22 at 57, n 220.

54 See Boris Vasiliev, “Sovereignty, International Cooperation and Cyber Security: A Treaty Dialogue” (2013), online: <http://cyfy.org/speaker/boris-vasiliev/>. The Council of Europe’s T-CY appears to disagree. See T-CY, Guidance Note no 3: Transborder Access to Data (Article 32), online: <http://www.coe.int/t/dghl/cooperation/economiccrime/Source/Cybercrime/TCY/2014/T-CY(2013)7REV_GN3_transborder_V12adopted.pdf> [T-CY, Guidance Note no 3]. Nonetheless, the overall lack of consensus has been consistent. See Deliberations at the First Meeting of the Expert Group to Conduct a Comprehensive Study on Cybercrime, Held in Vienna from 17 to 21 January 2011: Summary by the Rapporteur, UN Doc UNODC/CCPCJ/EG.4/2017/2 (21 February 2017), para 27.

55 T-CY, Transborder Access and Jurisdiction, supra note 48 at 12.

56 Ibid [footnotes omitted]. “Everyone” in this report would refer to the Council of Europe states, since it is beyond question that not all states agree on the value of protecting the rights of individuals.

57 An early and frequently cited description of this view is in Jack Goldsmith, “The Internet and the Legitimacy of Remote Cross-Border Searches” (2001) U Chicago Legal Forum 103, though Goldsmith himself takes a more progressivist view.

58 Koops & Goodwin, supra note 22 at 61. See also Kent, supra note 37; Kent & Westmoreland, supra note 11; Susan W Brenner, “Law, Dissonance, and Remote Computer Searches” (2012) 14 North Carolina J Law & Tech 43.

59 UNODC, supra note 15 at 220.

60 Ellen Nakashima & Andrea Peterson, “The British Want to Come to America—with Wiretap Orders and Search Warrants,” Washington Post (4 February 2016), online: <https://www.washingtonpost.com/world/national-security/the-british-want-to-come-to-america--with-wiretap-orders-and-search-warrants/2016/02/04/b351ce9e-ca86-11e5-a7b2-5a2f824b02c9_story.html>.

61 As cited in UNODC, supra note 15 at 198.

62 Koops & Goodwin, supra note 22 at 55–56; UNODC, supra note 15, ss 7.4, 7.5; T-CY, Transborder Access and Jurisdiction, supra note 48, ch 4.

63 T-CY, Transborder Access and Jurisdiction, supra note 48.

64 As cited in ibid at 35.

65 As cited in Koops & Goodwin, supra note 22 at 56; T-CY, Transborder Access and Jurisdiction, supra note 48.

66 Data Retention and Investigatory Powers Act, 2014, c 27. A letter to the UK government from one group of academics said that the law “introduces powers that are not only completely novel in the United Kingdom, they are some of the first of their kind globally.” Jemima Kiss “Academics: UK ‘Drip’ Law Changes Are ‘Serious Expansion of Surveillance,’” The Guardian (15 July 2014), online: <http://www.theguardian.com/technology/2014/jul/15/academics-uk-data-law-surveillance-bill-rushed-parliament>.

67 See Investigatory Powers Act, 2016, c 25.

68 T-CY, Transborder Access and Jurisdiction, supra note 48 at 32–42.

69 Koops & Brenner, supra note 36 at 3.

70 Christopher Hooper, Ben Martini & Kim-Kwang Raymond Choo, “Cloud Computing and Its Implications for Cybercrime Investigations in Australia” (2013) 29 Computer Law & Security Rev 152.

71 In the Criminal Justice (Offences Relating to Information Systems) Bill, 2016, no 16, police are authorized, during the execution of a search warrant, to operate or cause to be operated a computer at the site of the search so as to access “any other computer, whether at the place being searched or at any other place, which is lawfully accessible by means of that computer” (s 7(9)). Admittedly this is ambiguous since much turns on how the word “lawfully” is interpreted, and it is not clear whether cross-border access was intended — yet it is reasonable to conclude that police would expect to be able to use this authority to access, for example, social media accounts, the data for which might be stored outside Ireland’s territory.

72 United States, Federal Rules of Criminal Procedure, r 41, proposed changes as adopted by the United States Supreme Court (28 April 2016), online: <https://www.supremecourt.gov/orders/courtorders/frcr16_mj80.pdf>. See Zach Lerner, “A Warrant to Hack: An Analysis of the Proposed Amendments to Rule 41 of the Federal Rules of Criminal Procedure” (2016) 18 Yale JL & Tech 26.

73 For a good write-up, see Jon Kelly, “Unwarranted Amendments: Criminal Procedure Rule 41 Alteration Goes Too Far,” UCLA Law Review (7 May 2015), online: <http://uclawreview.org/2015/05/07/unwarranted-amendments-criminal-procedure-rule-41-alteration-goes-too-far/#_ftn26>.

74 Ibid.

75 While detailed examination is beyond the scope of this article, it is important to acknowledge that the technological “back end” of data storage is evolving rapidly. Microsoft Ireland arose in the technologically straightforward context of a single company (or parent-subsidiary structure) with offices and storage facilities in different states. This could get more complicated where a similar company had data stored in one state, but backup servers in another. Even that context would be somewhat different for a company that had, for example, contracted with a third party cloud storage provider, which would introduce questions around where the cloud provider had stored the client’s data, particularly if the cloud provider has storage farms in more than one state. Kerr, supra note 10, notes that Google’s current methods of dealing with data are quite dynamic, meaning that it can be difficult to pinpoint with accuracy where any particular set of data might be at any instant. None of this, in my view, changes the analysis here, in that the data is always somewhere and international law rules are simply what they are, but any solutions will need to accommodate this complexity.

76 Microsoft Ireland, supra note 2.

77 Kent, supra note 37 at 6. A recent European privacy law conference hosted a session entitled “Creative Solutions to the MLAT Problem,” online: <http://www.internetjurisdiction.net/ij-project-to-talk-about-reforming-mutual-legal-assistance-at-major-european-privacy-conference/>.

78 Koops & Goodwin, supra note 22 at 58. In 2014, the Council of Europe’s commissioner for human rights expressed the view that this practice was “effectively unregulated and close to arbitrary.” Council of Europe’s Commissioner for Human Rights, The Rule of Law on the Internet and in the Wider Digital World (2014) at 104.

79 See Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, UN Doc A/HRC/32/38 (11 May 2016), para 59.

80 In R v Spencer, 2014 SCC 43, [2014] 2 SCR 212, the Supreme Court of Canada ruled that the previous practice of police making “law enforcement requests” to Internet service providers for voluntary disclosure of information (under the Personal Information Protection and Electronic Documents Act, SC 2000, c 5) amounted to a “search” under s 8 of the Canadian Charter of Rights and Freedoms, Part 1 of the Constitution Act, 1982, being Schedule B to the Canada Act 1982 (UK), 1982, c 11, and thus required a warrant. Prior to this, it appears that foreign law enforcement was free to make the “law enforcement requests” of Canadian data companies. See United States of America v Viscomi, 2015 ONCA 484, 126 OR (3d) 427, leave to appeal denied [2015] SCCA No 397.

81 Though recent governance rules approved by the European Parliament will allow some limited amount of contact between EUROPOL and data providers, subject to stringent privacy protections. European Parliament press release (5 November 2016), online: <http://www.europarl.europa.eu/news/en/news-room/20160504IPR25747/police-cooperation-meps-approve-new-powers-for-europol-to-fight-terrorism>.

82 For a summary, see Kindred et al, supra note 23 at 277–82. Regarding Canada, see Stephen GA Pitel & Nicholas Rafferty, Conflict of Laws, 2d ed (Toronto: Irwin, 2016) at 41–42. And see Restatement (Third) of Foreign Relations Law, s 442, reporters’ note 1.

83 Taddese, Yamri, “Focus: Cloud Services Create Challenges for e-discovery,” Law Times (7 December 2015).

84 Google Warrant, supra note 7.

85 Google Inc.’s Amended Objections to Magistrate’s Orders Granting Government’s Motions to Compel and Overruling Google’s Overbreadth Objection & Request for Stipulated Briefing Schedule (17 February 2017), filed as part of the Google Warrant case, supra note 7.

86 Thomas P O’Brien et al, “US Department of Justice May Leverage ‘Cooperation Credit’ to Obtain Foreign-Based Evidence,” Paul Hastings (23 November 2015), online: <http://www.paulhastings.com/publications-items/details/?id=b0ade769-2334-6428-811c-ff00004cbded>.

87 eBay case, supra note 6.

88 Ibid, para 48 (Federal Court motion judgment).

89 Tele-Mobile Co v Ontario, 2008 SCC 12, [2008] 1 SCR 305, para 40, quoting the statement of the parliamentary secretary to the minister of justice after second reading of the bill that created production orders. Criminal Code, supra note 4.

90 The parliamentary secretary’s statement did acknowledge the “nagging issue” of “extraterritorial searches,” but simply presented the production order as a means of resolving the issue (ibid).

91 United States v Bank of Nova Scotia, 740 F2d 817 (11th Cir 1984), in which the government of Canada was granted amicus curiae standing on the issue, though its argument was unsuccessful.

92 See Steven de Schrijver & Thomas Daenens, “The Yahoo! Case: The End of International Legal Assistance in Criminal Matters” (September 2013), online: <http://jure.juridat.just.fgov.be/pdfapp/download_blob?idpdf=N-20151201-1>.

93 The court’s ruling is available online (in Flemish): <http://jure.juridat.just.fgov.be/pdfapp/download_blob?idpdf=N-20151201-1>.

94 Though I make this comment guardedly, as I have only been able to consult English language summaries of the Belgian decisions in question.

95 Microsoft Ireland, supra note 2 at 21 (Microsoft brief).

96 Ibid at 7 (Ireland amici brief).

97 Ibid at 9.

98 Ibid at 6 (Albrecht brief).

99 The treaty that resulted is discussed below. See European Commission, Fact Sheet: Questions and Answers on the EU-US Data Protection “Umbrella Agreement, Press Release (8 September 2015), online: <http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm>.

100 Microsoft Ireland, supra note 2 at 12 (Albrecht brief).

102 Council of Europe’s Commission for Human Rights, supra note 78 at 77.

103 Microsoft Ireland, supra note 2 at 10–11, 20–23 (Colangelo brief).

104 Ibid at 34. Vienna Convention on the Law of Treaties, 1969, 1155 UNTS 331.

105 Microsoft Ireland, supra note 2 (amici brief of Brennan Centre for Justice at NYU School of Law, the American Civil Liberties Union, the Constitution Project and the Electronic Frontier Foundation).

106 See Coughlan et al, supra note 17 at 68–71.

107 Microsoft Ireland, supra note 2 at 25–26 (amici brief of Verizon, Cisco, Hewlett-Packard, eBay, Salesforce.com and Infor).

108 Stored Communications Act, 18 USC § 2701 (1986).

109 Microsoft Ireland, supra note 2 at 32.

110 Ibid at 39.

111 Ibid at 42.

112 Ibid. At note 20, the court rejects a government argument that the presumption against extraterritoriality does not apply to the warrant provisions because they are procedural rather than substantive. The government seems to be missing the point that enforcement jurisdiction is quintessentially procedural since procedure amounts to actual actions by the state (as opposed to simply passing legislation that contemplates extraterritorial application), and that any presumption against extraterritoriality should apply with even more force to “procedure.”

113 For example, the amount of energy expended on the presumption against extraterritorial application obscures the fact that what is usually being discussed is whether the legislature (in this case, Congress) intended the legislation to apply to something outside the state’s territory (prescriptive jurisdiction). There was no separation of the actual issue of whether the statute purported to empower the government to act outside its territory (enforcement jurisdiction), though this is where the court’s decision ultimately rested. Also, at page 30, there is a discussion regarding the subpoena power, in which the Court appears to accept the conclusion from the earlier case law that an enforcement power (the subpoena) can be based on the fact that the state has prescriptive jurisdiction — though in fairness the court was simply summarizing the effect of that case law and not analyzing it.

114 The United Kingdom’s law is the Investigatory Powers Act, supra note 67; the US position is itself illustrated by the Microsoft Ireland case and see also Winston Maxwell & Christopher Wolf, “A Global Reality: Governmental Access to Data in the Cloud: A Comparative Analysis of Ten International Jurisdictions,” Hogan Lovells White Paper (18 July 2012).

115 Microsoft Ireland, supra note 2 (Irish amicus brief); see also Maxwell & Wolf, supra note 114 at 10.

116 Angelique Chrisafis, “Twitter Gives Data to French Authorities after Spate of Anti-Semitic Tweets,” The Guardian (12 July 2013), online: <http://www.theguardian.com/technology/2013/jul/12/twitter-data-french-antisemitic-tweets>.

117 Angelique Chrisafis, “Twitter under Fire in France over Offensive Hashtags,” The Guardian (9 January 2013), online: <http://www.theguardian.com/technology/2013/jan/09/twitter-france-offensive-hashtags>.

118 Maxwell & Wolf, supra note 114. It is worth noting that some of the conclusions in the article were argued to have been overstated by European law enforcement officials, though apparently only to the extent that states permitting a Microsoft-style compulsion of data do so within limitations that involve the assessment of the state’s territorial connection to the matter, individual, or data in question (T-CY, Transborder Access and Jurisdiction, supra note 48 at 48). The fact remains, however, that a number of states permit the technique to operate.

119 Particularly Koops & Brenner, supra note 36.

120 Kris, supra note 12.

121 International Law Commission, Draft Articles on Responsibility of States for Internationally Wrongful Acts, UN Doc A/56/10 (2001), arts 4, 8.

122 Google Warrants, supra note 7.

123 Paul de Hert, “Cybercrime and Jurisdiction in Belgium and the Netherlands: Lotus in Cyberspace — Whose Sovereignty Is at Stake?” in Koops & Brenner, supra note 36, 71 at 110.

124 T-CY, Transborder Access to Data and Jurisdiction: Options for Further Action by the T-CY, Doc T-CY (2014) 16 (3 December 2014) at 13–14 [T-CY, Transborder Access to Data and Jurisdiction].

125 See note 60 above.

126 Jennifer Daskal & Andrew K Woods, “Cross-Border Data Requests: A Proposed Framework,” Just Security (24 November 2015), online: <https://www.justsecurity.org/27857/cross-border-data-requests-proposed-framework/>.

128 Kent, supra note 37 at 10–25.

129 Agreement between the United States of America and the European Union on the Protection of Personal Information Relating to the Prevention, Investigation, Detection, and Prosecution of Criminal Offences, [2017] OJ L336/3, online: <http://ec.europa.eu/world/agreements/prepareCreateTreatiesWorkspace/treatiesGeneralData.do?step=0&redirect=true&treatyId=10861>. The Electronic Privacy Information Centre is following this development closely and has significant resources posted at <https://epic.org/privacy/intl/data-agreement/>.

130 T-CY, Guidance Note no 3, supra note 54. After studying the issue and surveying state opinion, the T-CY had earlier concluded that a proposed protocol to the Convention addressing transborder access to data “would not be feasible.” T-CY, Transborder Access to Data and Jurisdiction, supra note 124 at 13.

Recommend this journal

Email your librarian or administrator to recommend adding this journal to your organisation's collection.

Canadian Yearbook of International Law/Annuaire canadien de droit international
  • ISSN: 0069-0058
  • EISSN: 1925-0169
  • URL: /core/journals/canadian-yearbook-of-international-law-annuaire-canadien-de-droit-international
Please enter your name
Please enter a valid email address
Who would you like to send this to? *
×

Keywords

Metrics

Altmetric attention score

Full text views

Total number of HTML views: 0
Total number of PDF views: 0 *
Loading metrics...

Abstract views

Total abstract views: 0 *
Loading metrics...

* Views captured on Cambridge Core between <date>. This data will be updated every 24 hours.

Usage data cannot currently be displayed