The Law Needs to Reflect International Cloud and Data Storage Realities

By at 18 October, 2017, 10:16 am

by Raymond J. Keating-

Politics and government always trail behind private sector advancements. Normally, in a market economy, that’s just fine. After all, only costly problems arise when government tries to guide, dictate, project or regulate the future of our economy. Quite simply, we don’t want government getting in the way of entrepreneurship, investment, innovation and growth. However, when the law creates uncertainty and increased costs for entrepreneurs, businesses and their customers and employees because it fails to reflect economic reality, troubles can result.

Currently, a serious dispute is playing out in the courts regarding government’s warrant powers, and consumers and businesses operating in the international marketplace. Specifically, Microsoft is challenging a U.S. search warrant seeking email stored in a data center in Ireland.


A federal court issued the warrant under the Stored Communications Act, which was enacted as part of the Electronic Communications Privacy Act (ECPA) of 1986. But a panel of three judges in the U.S. Court of Appeals for the Second Circuit unanimously held that a warrant issued under this law cannot force a company (in this case, Microsoft) to hand over emails stored outside the U.S., based on the long-held and logical principle that U.S. laws, unless otherwise stated, apply within the territorial jurisdiction of the United States. The federal government’s request for a rehearing by the entire Second Circuit Court was denied, but the U.S. Supreme Court has granted a review.

In the end, electronic data and documents stored in other countries should be treated, in effect, not all that differently than any request for physical searches and seizures. To do otherwise would inflict real damage on the cloud computing industry and its individual, small business and large firm customers. Uncertainty and confusion would flourish. Sovereignty would be undermined, especially considering that nations have differing laws covering privacy.

Of course, there is the issue that if the U.S. government can seize data in other countries, then it would follow that entities in other nations could reach into the United States to get the emails, data and documents of individuals, small businesses and other enterprises. For good measure, the property rights of individuals and businesses should not be lost when they go online regarding email, data, etc.

A Small Business Issue

In an article published in June of this year, Charlotte A. Tschider, who leads a cybersecurity and privacy consulting business and is an Affiliated Professor with the Mitchell Hamline School of Law, pointed out, “Cloud computing provides unprecedented opportunities for innovative small businesses to flourish in Minnesota, across the United States and around the globe. As the owner of Cybersimple Security, a small data privacy and security consulting firm, my clients frequently provide cloud-based services to global customers. Modern cloud services are an undeniably critical, cost-effective platform for small business technology operations. However, our country’s laws have not evolved to solve new technology challenges introduced by cloud services impacting U.S. growth and security, and this inaction has serious implications for America’s tech community.”

Professor Tschider went on to describe the problem of operating under a decades-old law: “American law enforcement agencies’ current interpretation of ECPA allows U.S. warrants to be served for data stored overseas, even if that data pertains to foreign persons or conflicts with the laws of the country where the data is stored. This creates a precarious, and sometimes criminally liable, situation for American businesses offering global services to an international consumer base. The ambiguity codified in the ECPA hurts the ability of American companies to participate in international business ventures and often dissuades international partners from storing data in the United States.”

And this issue is not just about larger enterprises. Small businesses, of course, should be concerned as users of email and consumers of assorted cloud computing services. In addition, though, as indicated by Professor Tschider’s points, small business very much works in the industries affected. For example, based on the latest (2015) Census Bureau data, among employer firms in the computer systems design and related services industry, 91.7 percent have less than 20 employees, and 97.9 percent less than 100 workers. That’s small business.

Decades-Old Law Needs Updating

The Microsoft court case speaks to the clear need to update decades-old laws that were written before cloud computing and the ubiquitous, commercial Internet were fathomed.

It was explained in a joint July 27, 2017, letter signed by various tech associations, “Cloud computing services, in particular, have revolutionized global commerce, increasing efficiency, lowering cost, and enabling innovative new products and services across every sector of industry. Cloud services now support nearly every aspect of daily life, from mobile banking and online commerce to high-tech manufacturing and the Internet of Things. To sustain and advance these innovations and the global collaboration they enable, cloud services increasingly operate on a global basis. Companies operating in this environment increasingly face the challenge of complying with multiple, often conflicting, privacy laws and regulations. These conflicts undermine the confidence of users in information technology products and services, while simultaneously creating obstacles to law enforcement professionals in investigating and prosecuting criminal activity.”

On August 1 of this year, Senators Orrin Hatch (R-UT) and Chris Coons (D-DE) introduced the International Communications Privacy Act (ICPA). In a statement, Hatch said, “The potential global reach of government warrant authority has significant implications for multinational businesses and their customers. Failing to address this issue in a reasonable, comprehensive way will only continue to cause problems between American businesses and the U.S. government. ICPA will aid US law enforcement while safeguarding consumer privacy, striking a much-needed balance in today’s data-driven economy.”

Senator Coons also pointed out, “In a globalized world, we need clear rules governing access to data stored abroad. Courts who have examined these issues continue to encourage Congress to fix this problem, and our legislation does just that.”

A House version of the bill (H.R. 3718) was introduced on September 12 by Reps. Doug Collins (R-GA), Hakeem Jeffries (D-NY), Suzan DelBene (D-WA) and Darrell Issa (R-CA). In a joint statement, Rep Issa said, “As technology has made tremendous leaps and bounds, our digital privacy laws unfortunately have stayed frozen in time. Today, the growth of cloud computing, online storage, and other services are increasingly taking American data to servers and other facilities all across the world. The conflict created between different legal systems can undermine consumer privacy and cause uncertainty as to when law enforcement may or may not access certain information on those servers… This bill will codify privacy rights in a manner that strikes an important balance in safeguarding privacy while establishing a clear framework to ensure requests for information comply with the law and our Constitutional rights.”

Key points were offered in the Hatch statement overview of the ICPA:

 Requires law enforcement agencies to obtain a warrant for the contents of electronic communications. Under ICPA, law enforcement may only obtain the contents of electronic communications stored with electronic communication service providers and remote computing service providers only pursuant to a warrant.

Clarifies that U.S. law enforcement can obtain the electronic communications of U.S. persons and persons located inside the United States pursuant to a warrant, regardless of where those communications are located. Additionally authorizes U.S. law enforcement to obtain electronic communications relating to foreign nationals who are located outside the United States in certain circumstances.

 Reforms the Mutual Legal Assistance Treaty (MLAT) process by providing greater accessibility, transparency, and accountability. Requires the Attorney General to create an online docketing system for MLAT requests and to publish statistics on the number of such requests.

Provides a sense of Congress that data providers should not be subject to data localization requirements. Such requirements are incompatible with the borderless nature of the Internet, are an impediment to online innovation, and are unnecessary to meet the needs of law enforcement.

Professor Tschider pointed out, “From a business perspective, unfettered law enforcement access to foreign data creates substantial challenges. My clients have unfortunately lost global business opportunities because of a perceived overreach by U.S. surveillance agencies on foreign business operations or consumers… Last year, Sens. Orrin Hatch (R-Utah), Chris Coons (D-Del.) and Dean Heller (R-Nev.) introduced legislation called the International Communications Privacy Act to update and clarify the law. This legislation would help clarify the responsibility of small business when faced with U.S. warrants for overseas data by requiring law enforcement to follow existing mutual legal assistance treaties. The United States and other countries negotiate MLATs to codify U.S. law enforcement procedures to access foreign data. ICPA, or legislation modeled after it, would improve the balance between government, privacy and business interests, enabling American small businesses to increasingly support a global customer base, improve revenue and grow jobs at home.”

Catching up to the realities of the marketplace by passing the ICPA would reduce uncertainty and costs, and that would be positive for entrepreneurs and small businesses, their customers and employees, and U.S. competitiveness and growth.


Raymond J. Keating is chief economist for the Small Business & Entrepreneurship Council.

Keating’s latest book published by SBE Council is titled Unleashing Small Business Through IP:  The Role of Intellectual Property in Driving Entrepreneurship, Innovation and Investment and it is available free on SBE Council’s website here.

News and Media Releases