A Cloud of Confusion: The EDPA Compels Google to Disclose Data Stored Abroad Under the Stored Communications Act
The Eastern District of Pennsylvania, in a departure from the Second Circuit’s Microsoft ruling, recently required Google to comply with search warrants issued pursuant to the Stored Communications Act (“SCA”), and produce data stored on servers abroad. The Eastern District joins other district courts, including the Northern District of California and the Eastern District of Wisconsin, in requiring technology companies to comply with subpoenas or warrants issued pursuant to the SCA and produce internationally-stored data. See In re Two Email Accounts Stored at Google, Inc., No. 17-1234, 2017 U.S. Dist. LEXIS 101691 (E.D. Wis. June 30, 2017); In re Search of Content that is Stored at Premises Controlled by Google, No. 16-80263, 2017 U.S. Dist. LEXIS 59990 (N.D. Cal., Apr. 19, 2017).
In In re Google Search Warrants, the court found that Google’s compliance with the government’s warrants required a domestic application of the SCA because the relevant conduct, data retrieval and production, took place at Google’s headquarters in California. In support of its holding, the court distinguished Google’s method of data storage from Microsoft: whereas Microsoft stored its data in different centers abroad, Google breaks its data into “shards,” and “stores the shards in different network locations in different countries at the same time.” These data shards “only become comprehensible when the file is fully reassembled” – a process that is directed and reviewed by Google employees in California.
While the Second Circuit in Microsoft noted potential privacy issues in allowing user data to be accessed within the United States, the Eastern District of Pennsylvania rejected any such privacy concerns. Google argued that requiring compliance with the SCA warrant was tantamount to “requiring a bank to search, seize and retrieve to the United States documents its customer has stored in a safe deposit box in a foreign branch.” The court, dismissing this analogy, found that the SCA protects privacy interests at the location of the disclosure of the communications to the government; here, the warrants were issued by the United States to a United States-based provider and require disclosure in the United States. The court noted that this privacy-based analysis reinforced the conclusion that Google’s compliance with the warrants was a domestic application of the SCA.
Though this discovery dispute arose in the criminal setting, recent federal court decisions considering the application of the SCA to internationally-stored data has ramifications for civil litigation. The Eastern District of Pennsylvania decision, among others, demonstrates the importance of the method by which companies choose to store their data internationally. Data centrally stored in one static foreign location could be protected from SCA subpoenas and warrants under the Second Circuit’s analysis in Microsoft. Conversely, companies – like Google – that “break individual user files into component parts . . . and store the shards in different network locations in different countries,” only to be reassembled by the company in the United States will likely be required to produce such data pursuant to an SCA subpoena or warrant under the Eastern District of Pennsylvania’s recent decision and a growing number of district court decisions.