The US Court of Appeals has ruled that the ECPA, an American law, protects the data of non-USA citizens when their data is stored on servers in the USA.
Korean firm Suzlon Energy Ltd wanted Microsoft to disclose email documents that belonged to an Indian citizen and were stored on a server in the USA. The firm argued that the emails were not protected from disclosure by the privacy protections of the ECPA, as these only applied to US citizens.
The US court determined that the ECPA covered “any person” and not just a US citizen. Part of the reason for this was the impracticality of expecting Microsoft to assess whether or not account holders were US citizens when receiving a disclosure request. Accordingly, the court decided that the ECPA applied to any documents stored in the USA.
Increased Protection for Data?
Following this decision, any data stored in the USA will be protected by the provisions of the ECPA, regardless of the citizenship of the data owner. This may help to alleviate some of the concerns being raised in Europe about the inadequacy of data protection provisions in the USA. However, if the server on which the data is stored is located outside of the USA, the data will not be protected.
On a practical level, data owners often have no idea where their data is actually being stored, so this rule may be of little assistance in protecting their data. Also, service providers will need to know exactly where all data is stored in order to correctly respond to disclosure requests.