
The Electronic Communications Privacy Act (ECPA) Applies to Any Data Stored in the USA


The US Court of Appeals for the Ninth Circuit has ruled that the ECPA, a US statute, protects the data of non-US citizens when that data is stored on servers in the USA.

Suzlon Case


Suzlon Energy Ltd, an Indian company, wanted Microsoft to disclose emails belonging to an Indian citizen that were stored on a server in the USA. Suzlon argued that the emails were not protected from disclosure by the privacy provisions of the ECPA, because those provisions applied only to US citizens.

The court held that the ECPA protects "any person", not just US citizens. Part of the reasoning was practical: a provider such as Microsoft cannot realistically be expected to establish the citizenship of an account holder every time it receives a disclosure request. Accordingly the court decided that the ECPA applies to any documents stored in the USA.

Increased Protection for Data?

Following this decision, any data stored in the USA is protected by the provisions of the ECPA, regardless of the citizenship of the data owner. This may help to alleviate some of the concerns raised in Europe about the inadequacy of data protection in the USA. However, if the server on which the data is stored is located outside the USA, the ECPA does not protect it.

On a practical level, data owners often have no idea where their data is actually being stored, so this rule may be of little assistance in protecting it. Service providers, for their part, need to know exactly where all data is held in order to respond correctly to disclosure requests.

Google Analytics, German Customer and Extra Privacy Statement Requirements

If your website uses Google Analytics and you provide services to customers based in Germany, you are now required to give users specific information in order to comply with the requirements agreed between Google and the German data protection authorities.

Google Analytics and German Data Protection

Google Analytics collects statistics about website users by "tracking" an individual's use of a website. This information is then made available to website operators free of charge. Following an agreement between Google and the German data protection authorities, it is now the responsibility of website operators to implement certain measures when using Google Analytics.

Making your Website Compliant


Under German data protection law, website users must be able to stop user profiles being created and to prevent their complete IP address from being saved, unless they have specifically consented to this. If you are a website operator, you now need to include the following in your privacy policy:

  • inform users that you use Google Analytics; and
  • advise users how they can opt out of Google Analytics tracking, for example by installing the browser opt-out add-on that Google provides

In addition, you should enable the Google Analytics option that masks the IP address of the user before it is stored; a blog post from Google Analytics explains what website owners can do.
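The requirement above is that the complete IP address must not be saved. Google's own IP-masking option does this inside Google Analytics, but the same rule reaches anything else you store, such as your own web server access logs. The following is an added example, not code from the original post or from Google: a JavaScript (Node.js) routine that applies the same truncation Google documents for its anonymizeIp option (IPv4: last octet zeroed; IPv6: last 80 bits zeroed) to the client address of each log line before the line is written out. The log lines, addresses and function names are constructed for illustration; IPv4-mapped IPv6 forms such as ::ffff:1.2.3.4 are assumed not to occur and are left unmasked.

```javascript
// Added example, not code from the original post or from Google.
// Server-side IP masking mirroring what Google Analytics' anonymizeIp option
// does before an address is stored: IPv4 keeps the first three octets and
// zeroes the last; IPv6 keeps the first 48 bits and zeroes the remaining 80.

// Expand an IPv6 literal (optional "::" compression and "%zone" suffix) into
// eight 16-bit numbers. Returns null on malformed input. IPv4-mapped forms
// such as ::ffff:1.2.3.4 are not handled (assumption: not present in our logs).
function expandIPv6(ip) {
  const zoneless = ip.split('%')[0];
  const parts = zoneless.split('::');
  if (parts.length > 2) return null;                       // more than one "::" is invalid
  const head = parts[0] ? parts[0].split(':') : [];
  const tail = parts.length === 2 && parts[1] ? parts[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (parts.length === 1 && missing !== 0) return null;    // without "::" there must be exactly 8 groups
  if (parts.length === 2 && missing < 1) return null;      // "::" must stand for at least one group
  const groups = [...head, ...Array(missing).fill('0'), ...tail];
  const nums = groups.map(g => (/^[0-9a-fA-F]{1,4}$/.test(g) ? parseInt(g, 16) : NaN));
  return nums.some(Number.isNaN) ? null : nums;
}

// Return the masked address, or null if the input is not a valid IPv4/IPv6 literal.
function anonymizeIp(ip) {
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (v4) {
    const octets = v4.slice(1).map(Number);
    if (octets.some(o => o > 255)) return null;
    octets[3] = 0;                                         // 203.0.113.77 -> 203.0.113.0
    return octets.join('.');
  }
  const groups = expandIPv6(ip);
  if (!groups) return null;
  const masked = groups.map((g, i) => (i < 3 ? g : 0));   // keep the /48, zero the last 80 bits
  // Emit the shortest textual form: collapse the trailing zero groups into "::".
  let end = 8;
  while (end > 0 && masked[end - 1] === 0) end--;
  return masked.slice(0, end).map(g => g.toString(16)).join(':') + (end < 8 ? '::' : '');
}

// Mask the client address (first field of a common-log-format line) before the
// line is stored. Lines whose first field is not an IP literal are left as they are.
function maskLogLines(lines) {
  return lines.map(line => line.replace(/^\S+/, ip => anonymizeIp(ip) || ip));
}

// Constructed sample log lines using documentation address ranges, not real traffic.
const SAMPLE_LOG = [
  '203.0.113.77 - - [10/Oct/2011:13:55:36 +0200] "GET /index.html HTTP/1.1" 200 2326',
  '2001:db8:abcd:1234:5678:9abc:def0:1 - - [10/Oct/2011:13:55:37 +0200] "GET /about HTTP/1.1" 200 512',
  '- - - [10/Oct/2011:13:55:38 +0200] "GET /robots.txt HTTP/1.1" 404 0',
];

if (typeof require !== 'undefined' && require.main === module) {
  maskLogLines(SAMPLE_LOG).forEach(l => console.log(l));
}
```

The masking is applied at write time, not afterwards: once the full address has been written to disk the rule the German authorities care about has already been broken. For the Google Analytics side itself, the client snippet of that period enabled the same truncation with `_gaq.push(['_gat._anonymizeIp']);` (later tracking libraries expose it as the `anonymizeIp` / `anonymize_ip` setting); that call is Google's, and this block only reproduces the effect for data you store yourself.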

Application to UK and US Websites

Although this is a German data protection issue, if your website is directed at German customers, or the majority of your customers are located in Germany, it is advisable to make these changes in order to avoid a potential breach of German data protection law.

When E-Discovery breaches data protection

Under English or American law (or any other common law system), you or your company may be ordered by a court to identify and disclose not just physical documents but also electronically stored information (ESI) as part of litigation. This can apply to you even if you are not a party to the court proceedings.

Location of the ESI

Data is often stored or replicated in an external hosting centre or within a software application (particularly with SaaS software), or in a corporate data centre. Where several data centres are used they are usually in different physical locations, which may be in different countries. A court order to disclose data may well conflict with compliance and privacy requirements in the countries where the data is actually held. However, for the purposes of complying with a court order, neither the physical location of the data nor the local rules governing its storage can be relied on as a reason to refuse disclosure.

For example, in AccessData Corporation v ALSTE Technologies GmbH a US court ordered a German company to disclose emails stored in Germany as part of the disclosure process in a court case, even though the company argued that doing so would breach the German Data Protection Act.

Compliance Issues

To protect yourself against the above scenario, include clauses in your terms and conditions that permit you to comply with court-ordered disclosure of both physical and electronic information. If you hold data on behalf of customers, you should also try to exclude liability for a technical or other failure to comply properly with a disclosure request that a customer forwards to you.

Data Protection and the Patriot Act

Under the provisions of the US Patriot Act, the personal data of your EU-based customers can be shared with US law enforcement agencies without your customers being informed, even though this conflicts with EU data protection laws. The Patriot Act applies not just to businesses owned by a US company but to any business that uses a US company or its subsidiary for data processing, or a data centre located in the USA.

The Patriot Act

Under EU data protection laws you must tell your customers when you are asked to disclose their personal data. However, such provisions conflict with your obligations under the Patriot Act.

The Patriot Act gives US law enforcement authorities the right to access personal data held by you, regardless of where in the world that data is stored. It also gives them the right to prevent you from informing your customers that you have had to hand over personal data.

Conflict with EU Data Protection Laws

If the Patriot Act applies to you, you should have procedures and measures in place to deal with requests for information made under it. These procedures need to be set out clearly in your terms of business or privacy statement, bearing in mind your obligation to comply with this particular US law.

For example Microsoft states in its privacy policy for online services that “in a limited number of circumstances, Microsoft may need to disclose data without your prior consent, including as needed to satisfy legal requirements, or to protect the rights or property of Microsoft or others (including the enforcement of agreements or policies governing the use of the service).”