FRAMING THE PROBLEM
Having assessed how well or poorly the traditional norm covers active police cross-border data gathering, the next step is to examine the more indirect method that is raised by the Microsoft Ireland case. The methodological question, then, is this: can State A order Individual X to produce data that X controls, but that is stored in State B? Or, in the context of the case itself, can the US government order Microsoft to produce data that is stored in Ireland for use by the state in a criminal investigation? For the present purposes, this legal question will be referred to hereafter as the “Microsoft Ireland issue.”
It is first worth noting that this discrete legal issue becoming the subject of attention is a display of the adage “everything old is new again.” The question of whether it is a breach of international law for the courts of one state to compel private parties to disclose documents located in another state is one that well predates the popular use of either electronic data storage or the Internet. Beginning in the late 1960s, such orders issued by US courts in civil litigation matters involving transnational corporations were viewed as intrusive upon domestic sovereignty by the jurisdictions targeted, including Canada, the United Kingdom, France, and Australia — each of which enacted blocking statutes to prevent the companies from complying with the foreign orders.
Moreover, even today, the issue persists outside the cybercrime setting, as the advent of cloud storage has made it more difficult for companies involved in litigation to comply with court orders to disclose the contents of their cloud storage (or easier to refuse to comply, depending upon one’s perspective), due to concerns about infringing the laws or sovereignty of the state in which the cloud storage facility resides.
It is of interest that this issue has arisen once again in the US context, for as Google was at pains to point out in a recent filing in its own case on the issue,
the American government is well aware of the sovereignty issues at play, indications of which appear in sources such as the United States Attorneys’ Manual and a Department of Justice manual on obtaining electronic evidence.
An interesting recent (if implicit) recognition of the issue is a new practice used by US authorities in corporate criminal prosecutions: to offer cooperative credit to companies being prosecuted so that they will “voluntarily” produce documents that are in another jurisdiction.
This is not to say, however, that parties, courts, or governments who encounter the issue always recognize it. In the Canadian context, the most prominent case to have dealt with the kind of facts that might give rise to the Microsoft Ireland issue is eBay Canada Ltd v Canada (National Revenue), where revenue authorities invoked a section of the tax statute that provided for the compulsion of documents relevant to a tax assessment, even if they were located in another state.
The information sought existed in electronic form on eBay’s central servers in California and was easily electronically accessible to eBay Canada’s personnel. The Canadian office’s effort to resist the disclosure order was rebuffed by two levels of court, essentially on the basis that, since the data was so easily accessible, it was “formalistic in the extreme
to say that it was not actually in the possession of the Canadian company. The extraterritorial jurisdiction aspects of the disclosure order were avoided by this construction of the facts, though no true consideration was given to the international law issues or to the relevant state practice, perhaps because it was not raised by the parties.
As for Parliament, the Supreme Court of Canada noted in Tele-Mobile Co. v Ontario that the federal government had stated that it enacted production orders in the Criminal Code as a means of compelling individuals with possession or control over data located outside Canada to surrender it, so as to solve “the problem that has in part been created by inexpensive overseas data warehousing.”
The implicit position is clearly that jurisdiction over the individuals who possessed or controlled the data is sufficient jurisdiction to order its production. This measure was taken seemingly without much
consideration of whether it was consistent with international law or, indeed, without recognition that Canada itself had opposed such measures before US courts.
Also worth mentioning is the long-running struggle between the criminal authorities of Belgium and Yahoo, which began with a run-of-the-mill fraud investigation launched in 2007. Belgian authorities demanded that Yahoo produce Internet protocol addresses associated with email accounts that were implicated in the investigation, but Yahoo refused on the basis that it was not present in Belgium as it had no business infrastructure there and, thus, did not fall under Belgium’s territorial jurisdiction. At every stage of the proceedings, it argued that the appropriate manner for Belgium to gather the data was by way of a MLAT request.
In December 2015, the Cour de Cassation upheld lower court rulings against Yahoo,
on the basis that the broadcast of Yahoo’s services into Belgium gave it sufficient presence to base jurisdiction on the extended territoriality principle. Accordingly, Yahoo was required to respond to the request. The case appears to have proceeded on the assumption (similar to the Canadian position) that if Yahoo was within Belgium’s jurisdiction, the latter could lawfully demand production of the data, without any explicit consideration of the Microsoft Ireland issue.
To say that something is controversial or opposed in some examples of state practice is not, however, to say that the issue is settled. The Court of Appeals factums of the various parties and interveners in the Microsoft Ireland case display an interesting array of arguments that sketch out some of the major legal and policy angles. It is worth briefly reviewing some of these arguments for that reason, although the focus here will be on the international law issues rather than on the local legal peculiarities. Microsoft itself rested its argument essentially on traditional notions of extraterritorial enforcement jurisdiction: while the assertion of personal jurisdiction over the company and the actual act of disclosing the data to the government might occur on American soil, the execution of the warrant to retrieve the data happens in Ireland, where the data is stored, which amounts to extraterritorial enforcement. Even a proper interpretation of the relevant US statutes produces the conclusion that the MLAT procedure is the lawful route — not least because “in 2006, the US and EU negotiated … a self-executing treaty that expressly favours bilateral cooperation for data seizures, not unilateral intrusions into each other’s territory.”
Microsoft also pleaded that the case had already caused international discord, a proposition confirmed by both the record of the case and the public dialogue among the state players. Ireland filed an amici brief in the case clearly stating its view that its territorial sovereignty was implicated and that the case represented a potential infringement thereof. It also asserted that the matter was covered by the MLAT between the states and indicated its willingness to execute the MLAT process “as expeditiously as possible.”
Finally, it pointedly mentioned its own law to the effect that Irish courts might be empowered to “order the production of records from an Irish entity on foreign soil,” but would give great weight to whether the order would violate the law of the foreign state.
The European Union (EU) and the Council of Europe have taken even stronger postures. A brief was filed by Jan Philipp Albrecht, German member of the European Parliament and vice-chair of its Committee on Civil Liberties, Justice and Home Affairs. He criticized the lower court decision as having “endorsed the by-passing of the EU MLAT and the respect for foreign jurisdiction inherent therein,” his main pitch being that EU privacy protection standards are significantly higher than those of the United States, and, thus, avoiding the MLAT regime prevents the oversight required by European authorities in sharing data.
Moreover (and redolent of the earlier manifestations of this problem discussed earlier in this section), if the US court held that Microsoft must comply with the warrant, this would cause a conflict since EU laws would prohibit the transfer of data to the United States. Albrecht also noted that he was the European Parliament’s rapporteur for the current negotiations between the EU and the United States for a treaty on the protection of personal data in cooperative criminal investigations.
Upholding the warrant, he said, “would forestall this future agreement and disturb these negotiations.”
This view was supported by a letter from Vivane Reding, vice-president of the European Commission, in which she expressed the view that the magistrate’s decision in Microsoft Ireland “bypasses existing procedures,” is an exertion of extraterritorial jurisdiction that may breach international law, and causes companies to be caught in an untenable conflict of laws.
A similar stance was taken by the Council of Europe’s commissioner on human rights.
The best international law analysis was presented in the amici brief by Anthony Colangelo of Southern Methodist University’s Dedman School of Law, who supported Microsoft’s overall position but made a number of finer methodological points. He located the central problem as a matter of determining whether the warrant actually amounts to an extraterritorial action by the United States, a question he answered in the affirmative. He emphasized the principle of non-intervention, arguing that the warrant in question is an extraterritorial extension of enforcement jurisdiction into what is clearly a sovereign territorial interest of Ireland’s, despite the fact that the intrusion is electronic rather than kinetic.
Importantly, the question of extraterritoriality is not appropriately answered unilaterally, as the lower court did, but, rather, with due consideration of the interests and positions of the relevant states, and he submitted that great weight should be given to the views of both Ireland and the EU on this question. Finally, by circumventing the United States–Ireland MLAT, the procedure amounts to a breach of the treaty, specifically the “obligation to implement these agreements in good faith” under the Vienna Convention on the Law of Treaties.
The briefs of other interveners and amici made a number of a similar points as well as a host of arguments regarding the interaction of US law and international law that are not strictly relevant here. An important point made by a group led by the Electronic Frontier Foundation was that establishing this kind of warrant procedure as permissible could very well lead to foreign regimes with weaker data protection laws feeling emboldened to compel businesses with presences on their territories to surrender the personal data of American citizens
— a strong example of the kind of “tit for tat” response that generally makes states conservative about the manner in which they exercise extraterritorial jurisdiction.
A coalition of data firms made a similar point, giving the example of personal data of American human rights activists stored on American computers being turned over to the Russian government, a situation that illustrated the kind of “international free-for-all” that could result.
And the decision of the Court of Appeals? Given the amount of international law that was argued, the court’s reasons are quite anaemic, turning essentially on the difference between a warrant and a subpoena under the domestic legislation involved (the Stored Communications Act).
Having decided that the instrument in question was actually a warrant, the court construed the warrant as a very territorially limited species of state action to which the usual statutory interpretation presumption against extraterritorial application applied. This was particularly the case here, given that the Stored Communications Act contained no language indicating any congressional intent towards extraterritorial application. The court rejected the government’s argument that the order was in fact a kind of subpoena, although it cited its own and other US case law to the effect that a subpoena requiring an individual in the United States to produce documents held abroad was lawful, without any consideration of the lawfulness of that point under international law.
There was little international law analysis to speak of, other than the acknowledgement that the presumption against extraterritoriality was applied in order not to interfere with international relations. The factual apogee was the court’s recognition of two points: (1) that Irish territory was implicated and (2) that Microsoft gathering the data simply amounted to the government acting indirectly rather than directly:
[I]t is our view that the invasion of the customer’s privacy takes place under the SCA [Stored Communications Act] where the customer’s protected content is accessed — here, where it is seized by Microsoft, acting as an agent of the government. Because the content subject to the Warrant is located in, and would be seized from, the Dublin datacenter, the conduct that falls within the focus of the SCA would occur outside the United States, regardless of the customer’s location and regardless of Microsoft’s home in the United States.
The high water mark of international legal analysis arrived in the tail end of the majority’s decision, in which the court brushed up against the possibility that international law norms might be breached, though under the scope of “comity” rather than law:
Our conclusion today also serves the interests of comity that, as the MLAT process reflects, ordinarily govern the conduct of cross-boundary investigations. … [W]e find it difficult to dismiss those interests out of hand on the theory that the foreign sovereign’s interests are unaffected when a United States judge issues an order requiring a service provider to “collect” from servers located overseas and “import” into the United States data, possibly belonging to a foreign citizen, simply because the service provider has a base of operations within the United States.
Despite the fact that, as indicated above, the question of whether the warrant amounted to a breach of foreign sovereignty had been argued by the parties, the Court did not really entertain the question of whether there was a prospect of unlawful extraterritorial enforcement jurisdiction. Indeed, at several points in the judgment, there are indications that the distinction between prescriptive and enforcement jurisdiction was confused by both the government
and the court.
Accordingly, for all of the heated discussion around the case, it has thus far resolved very little from an international law point of view; a Supreme Court appeal might change that, but at the time of writing, none had been announced. At most, it is an example of state practice (by way of a court decision) from which it can be indirectly inferred that the state in question feels that the act might be unlawful. Much turned on the fact that warrants are treated more restrictively than subpoenas under US law, which in both practical and international law terms is a distinction without a difference — in each case, the government is compelling a party to surrender data located in the territory of another state. The issue remains the one being explored in this section: is this lawful under international law? Most important, then, is the court’s recognition that the execution of the warrant would take place in Ireland, despite being electronically initiated in the United States by a US company. As explored in detail above, this tends to be the position taken by states, and while the court did not refer to it, this view was reflected in the record. This point becomes more important in the actual international law analysis of the question, taken up the following section.
ANALYZING THE PROBLEM
In light of the foregoing, the most that can be said about the issue from a customary international law point of view is that the current landscape reflects the overall state of play on cross-border electronic evidence gathering more generally. While states generally take a territorial sovereignty point of view, there is a dissonance between what states say (opinio juris) and what they do (state practice). In order to properly analyze the problem, then, we must resort to first principles. In my view, there is a compelling argument that a state engaging in behaviour similar to that of the US government in the Microsoft Ireland case is in breach of international law, specifically the prohibition on extraterritorial enforcement jurisdiction.
This point of view can emerge from both factual and legal analysis. Factually, a private individual is being compelled by the state to obtain data that it owns, possesses, or controls, which is stored on the territory of another state. It is important not to fall into the “computers are different” fallacy and remember that, despite its seemingly ephemeral quality, stored data like the kind at play in Microsoft Ireland is a physical thing that is quantitatively present in the foreign state. It is not truly any different than if the individual were being asked to obtain paper documents, or even tractors, from the foreign state.
Legally, the state’s power to compel the surrender of things — enforcement jurisdiction — is being extended into the territory of the foreign state, absent the latter’s permission and, in some circumstances, violating its laws. From a state responsibility point of view, it matters not that the courts or state entities issuing the compulsory orders are acting within their domestic jurisdiction and compelling entities that are within the issuing state’s territory, because the ultimate effect is extraterritorial; that is to say, the breach of the customary prohibition on extraterritorial enforcement occurs at the moment the data is gathered by the compelled entity on the foreign state’s territory and the compulsory order is consummated. The conduct is certainly attributable to the issuing state, since on any reasonable construction of the concept of agency the compelled individual is acting as the agent or proxy of the issuing state. This seems true whether the actors are properly considered to be the courts or the government and thus caught under Article 4 of the Draft Articles on State Responsibility or the compelled private individual itself, since it is under the direct control of the state and thus caught under Article 8.
As outlined in the first section of this article, this kind of behaviour has been considered objectionable by states since the pre-digital era. Notably, this is a kind of conduct that is not just viewed by states as being unfriendly but also as directly engaging their territorial sovereign interests, as can be seen by the various European reactions to the original Microsoft Ireland decision. As explained in the previous subsection, laws and practice at the state level can certainly be viewed as fractured, but given that international law is consent based, the most methodologically sound reaction to this situation is to revert to the more conservative, positivist position. The balance of the evidence points to the conclusion that states view this kind of compulsion as unlawful when it is directed at their territories. Accordingly, until a clearer or more nuanced picture emerges, in my view it is safe to conclude that a Microsoft Ireland-style warrant, if executed, breaches the rule against the exercise of extraterritorial enforcement jurisdiction.