eDiscovery Daily Blog

Google Required to Hand Over Foreign Stored Emails to Justice Department: eDiscovery Case Law

In the ruling In re Search Warrant No. 16-960-M-01 to Google, Pennsylvania Magistrate Judge Thomas J. Rueter ordered Google to comply with a search warrant to produce foreign-stored emails, disagreeing with the U.S. Court of Appeals for the 2nd Circuit’s ruling in the Microsoft Ireland warrant case, where Microsoft was not ordered to provide access to emails in that ruling.

In August 2016, the court issued two search warrants, pursuant to section 2703 of the Stored Communications Act (SCA), which required Google to disclose electronic data held in the accounts of targets in two separate criminal investigations to agents of the FBI.  Each account holder resided in the US, the crimes they are suspected of committing occurred solely in the US, and the electronic data at issue was exchanged between persons located in the United States.

Google partially complied with the warrants by producing data that is within the scope of the warrants that it could confirm is stored on its servers located in the US, but refused to produce other data required to be produced by the warrants that was stored on servers located out of the US, relying on the recent decision of a panel of the US Court of Appeals Second Circuit, Matter of Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp., 829 F.3d 197 (2d Cir. 2016), where the Second Circuit denied the government’s efforts to compel Microsoft to provide emails in that case.

In ruling that Google has to comply with the warrant in full, Judge Rueter stated that “Under the facts before this court, the conduct relevant to the SCA’s focus will occur in the United States. That is, the invasions of privacy will occur in the United States; the searches of the electronic data disclosed by Google pursuant to the warrants will occur in the United States when the FBI reviews the copies of the requested data in Pennsylvania. These cases, therefore, involve a permissible domestic application of the SCA, even if other conduct (the electronic transfer of data) occurs abroad.”

Judge Rueter also indicated that he “agrees with the Second Circuit’s reliance upon Fourth Amendment principles, but respectfully disagrees with the Second Circuit’s analysis regarding the location of the seizure and the invasion of privacy”, noting that “[e]lectronically transferring data from a server in a foreign country to Google’s data center in California does not amount to a ‘seizure’ because there is no meaningful interference with the account holder’s possessory interest in the user data. Indeed, according to the Stipulation entered into by Google and the Government, Google regularly transfers user data from one data center to another without the customer’s knowledge. Such transfers do not interfere with the customer’s access or possessory interest in the user data.”

Judge Rueter also noted that the searches would occur in the US, stating that “Even though the retrieval of the electronic data by Google from its multiple data centers abroad has the potential for an invasion of privacy, the actual infringement of privacy occurs at the time of disclosure in the United States.”  As a result, Judge Rueter granted the Government’s motions to compel Google to comply with the search warrants.

So, what do you think?  Should the location of the data or the location of the searches for the data determine whether it is subject to foreign data privacy considerations?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

  • Craig Ball

    You ask, “Should the location of the data or the location of the searches for the data determine whether it is subject to foreign data privacy considerations?” Data resides where you can access it, and there’s no reason it can’t exist in more than one place at one time, albeit in different forms. The data as pixels is wherever I can see the pixels; as electrons, it’s wherever I can intercept them in transit; and as magnetic remnants, wherever the storage medium resides. If I can access the data in a location, the data is in that location; though, it’s counterpart is somewhere else. Shall we call this Quantum Jurisdiction?

    I wonder how the law dealt with jurisdiction when the data was a shortwave radio signal?

  • Stuart Ritchie

    And the answer is: both such locations are irrelevant per se. The starting point for analysis is always the attributes of the data subjects – residence, domicile, location, and nationality. Each of those attributes, separately, determine whether any foreign privacy laws, including torts, might be engaged at all. That does not necessarily invalidate the judge’s analysis, as he may have eliminated all comity issues raised by Google during submissions. Though I’m curious about the notion of a possessory interest in data.