The problem here is that single-factor tests—whether we rely on the location of a company in question or the location where the data is handled—are too simplistic and cannot accommodate the complexity of these types of cross-borders cases.
Retrospect is I&J’s flagship, open-access monthly publication documenting legal and policy developments in order to illuminate jurisdictional tensions on the cross-border internet. The I&J Retrospect Database contains more than 1,200 cases from 117 countries, offering stakeholders a unique tool to monitor emerging trends and enable evidence-based discussions.
I&J: Having gone through the latest issue of the monthly I&J Retrospect, which cases stand out the most to you?
It is a very interesting mix of important developments, particularly in the areas of law enforcement access to user data as well as other continued pressures on intermediaries in different forms.
The Irish government’s plan to introduce a social media watchdog that would oversee companies’ content takedown procedures in accordance with an industry code of conduct seems like an interesting idea. The question is whether this “Digital Safety Commissioner” will be backed up with sufficient resources to ensure the efficiency of enforcement procedures, which is unfortunately not always the case if you look at the areas of consumer protection and data protection.
I was also particularly interested in the Canadian cross border court case involving a Romanian website which infringed on national data protection rules by indexing court decisions pulled from a Canadian public information website. This is a very interesting illustration of the difficulty to enforce clear rules against undesirable conduct across borders while at the same time preserving open access to useful resources.
I&J: A US magistrate judge compelled Google to comply with domestic warrants and produce content user data stored overseas, arguing that forced compliance does not constitute an unlawful extraterritorial application of the US Stored Communications Act. Why did the Pennsylvania district court diverge from the findings in a similar case last year involving Microsoft’s user data stored in Ireland?
The respective approaches taken by the courts in these two important cases are indeed very different. While the Court in the Microsoft matter focused on the location of the data, the Court in the case involving Google focused on the location of where US law enforcement personnel would view the content – a focal point that typically always will point to the US.
Looking at the facts of the cases, one important difference is found in the fact that, in the so-called Microsoft Ireland case, the content was known to be stored on Irish servers. The Department of Justice could therefore be expected to go through a compulsory mutual legal assistance procedure (MLAT) and request the data through the Irish government. In the ongoing Google case, the judge found that the location of the data does not really matter as such: Google’s network architecture makes its users’ data a “moving target.” To Google’s own admission, it simply cannot say in which country the data will be stored at a given time, which played to Google’s disadvantage here. Without such clear determination, the US Department of Justice arguably had no basis for an MLAT request.
Such reasoning brings attention to something important: existing legal thinking as to suitable frameworks and procedures for accessing user data in foreign jurisdictions is focused on what’s called a “single factor test”: they look at one particular criteria to determine jurisdiction in such matters. The problem here is that single-factor tests – whether we rely on the location of a company in question or the location where the data is handled - are too simplistic and cannot accommodate the complexity – such as the presence or absence of alternative mechanisms to access the data – of these types of cross-borders cases.
Professor Svantesson is Co-director of the Centre for Commercial Law at the Bond University Faculty of Law and a researcher at the Swedish Law & Informatics Research Institute, Stockholm University.