Congress should act to pass proposed legislation to establish guidelines for data security in the digital age.
This week, the Supreme Court agreed to hear a case on data sovereignty — the concept that a country has control of the data stored within its borders — resulting from a dispute between Microsoft and the Justice Department. In 2013, the Justice Department demanded Microsoft hand over foreign citizens’ emails stored on its servers in Ireland. The Justice Department alleged this would provide evidence needed to settle a drug trafficking case. Microsoft refused to comply with the government’s search warrant and took the matter to court. After a long legal battle, the 2nd Circuit Court of Appeals sided with Microsoft; however, in its opinion, the court urged Congress to act to update the Electronic Communications Privacy Act, an archaic law that serves as the only guidance for courts on how to handle the question of data sovereignty.
There is a consensus among both houses that this law must be updated — after all, it was written well before the advent of international cloud computing, let alone the Internet itself. “The laws governing digital data were written more than 30 years ago and were never intended to reach across international borders,” Sen. Orrin Hatch said in a statement issued earlier this week. Hatch has urged his colleagues to pass the International Communications Privacy Act (ICPA). We agree.
The bill “provides a commonsense framework that ensures law enforcement has access to the information it needs while protecting people’s rights.” In short, Congress is the best avenue to create a good option amid a Catch-22 for the Supreme Court. However it rules on the case, the outcome could have lamentable consequences for personal and national security.
If the court rules in favor of Microsoft, it will create legal loopholes for cybercriminals to circumvent the purview of U.S. law enforcement by storing incriminating files or evidence on foreign servers. To retrieve this data, the government would have to go through a lengthy process of requesting it through diplomatic channels — a fraught process, particularly in countries with unfavorable views of the U.S.
Alternatively, if the court sides in favor of the Justice Department, it is in essence establishing the precedent that sovereign boundaries do not apply to data — thereby enabling countries around the world to seize Americans' data from servers in the U.S. Both options would threaten personal and national security, and neither are viable.
This is why it is imperative that Congress passes the ICPA to create a middle ground in which the government may obtain a warrant to access information stored in foreign servers only if certain conditions are met. Under the ICPA, the government can adequately prove that it has done everything in its capacity to prove the information it seeks is owned by a “U.S. person, a person physically located within the United States, or a national of a foreign country that has a law enforcement cooperation agreement with the United States.” We applaud Hatch for his support of this compromise, as it sets out a desperately needed framework for how to govern data in the 21st century; we urge Congress to expedite its passage before the Supreme Court’s ruling in June.