The “Cirrus” Matter of Protecting Civil eDiscovery Information in a Changing Privacy Landscape

In a scene in the movie Creed, Sylvester Stallone’s character, Rocky Balboa, is writing out a workout plan for Apollo Creed II, the character played by Michael B. Jordan. When Rocky finishes writing, Apollo takes a picture of the handwritten instructions and starts to leave. Rocky, holding up the paper, says, “Hey! Don’t you need this?” Apollo answers, holding up his phone, “I got it right here.” “But what if you lose that thing or it breaks?” asks Rocky. Apollo replies, “It’s already up in the cloud.” Now for the punchline: “What cloud?” Rocky asks looking up at the sky. Then again, “What cloud?” Laughter ensues from the movie audience. Come on, Rocky! The cloud! Yet, when considering the most recent case involving cloud computing and its importance to eDiscovery, “What cloud?” has been less a cute punchline and more a controversial question affecting the security and privacy of eDiscovery evidence crossing jurisdictional boundaries. Additionally, the questions of, “What if you lose that thing? Or it breaks?” are just as pertinent.

What Cloud?

Simply defined, cloud computing is the practice of using remote networked servers hosted on the internet to store, manage, and process data. These servers, or “clouds,” can be located anywhere in the world. Clouds and their migratory nature were recently contested in Microsoft Corp. v. United States, 829 F.3d 197 (2d Cir. 2016). In that case, the court was asked to rule on whether the United States had the jurisdiction, via search warrant issued under the Stored Communications Act (SCA), to compel Internet Service Providers (ISPs), particularly Microsoft, to turn over data that was stored in an overseas server. The particular server that was the subject of the case was “housed” in Ireland, though the storing and access of the specific information originated in the United States. In overruling a lower court’s decision to quash the warrant, the Second Circuit reasoned that user privacy is the main focus of the warrant and not whether law enforcement can have access to stored information. The court maintained that:

[T]he focus of the SCA was protecting privacy. The court supported this conclusion by pointing to the SCA’s reference to the federal rule governing traditional search warrants and to the fact that the SCA was passed as part of the Electronic Communications Privacy Act, with the word “privacy” in its very title. The court further noted that the SCA protects privacy in a variety of contexts unrelated to government requests, which undermined the government’s claim that the statute’s focus was aiding law enforcement. [C]ompelling Microsoft to turn over the data in question would be an extraterritorial, and thus unlawful, application of the SCA. Microsoft Corp. v. United States: Second Circuit Holds that the Government Cannot Compel An Internet Service Provider to Produce Information Stored Overseas, 130 Harv. L. Rev. 769.The U.S. government filed a petition for writ of certiorari to the Supreme Court to overturn the Second Circuit; however, before the case could be heard, Congress passed the Consolidated Appropriations Act, Pub. L. 115-141 on March 23, 2018, which included the Clarifying Lawful Overseas Use of Data Act or CLOUD Act. “The law covers data sought in criminal actions where information in the ‘possession, custody, or control’ of a party is located outside the U.S. It does not cover civil cases. Still, it addresses some of the same concerns attorneys in civil matters have been worrying about.” William Belt, What The CLOUD Act Means For eDiscovery, April 11, 2018.

Though the Act only addresses obtaining stored data in a foreign location for criminal purposes, civil eDiscovery practitioners have noted that the CLOUD Act requires internet providers to deliver personal data to the U.S. law enforcement agencies regardless of jurisdiction if certain criteria articulated in the Act are met. These criteria are:

• The interests of the U.S.
• The interests of the foreign country
• Penalties on the provider
• Location and nationality of the subscriber or customer whose information is sought
• The internet provider’s ties to the U.S.
• The importance of the information to the investigation
• Alternative means of access to the information
• Foreign authorities’ request for the information

It also allows for the U.S. government, through Executive Agreements, to allow another country to compel data from a U.S. company. It also allows for providers to object to data requests if disclosing data would violate foreign laws. Another concern for practitioners is how the CLOUD Act will interact with the EU’s General Data Protection Regulation (GDPR).

Prior to the CLOUD Act passing, civil litigators anticipated that Microsoft would give guidance for extraterritorial discovery. Civil litigators, scholars and institutions (domestic and foreign) wrote no less than 21 amici curiae briefs supporting Microsoft’s position as compared to just one written in support of the U.S. Now, the same questions and potential barriers remain—the main being will privacy, or confidentiality, be threatened for the tradeoff of expediency? So much time and effort in cloud computing has been placed in creating security measures that protect data from hackers and/or employee negligence that, until recently, seemingly little thought has gone into the fact that a subpoena, or its foreign equivalent, may be the biggest threat to eDiscovery privacy.

What if you lose, it or it breaks?

Civil litigation in the U.S. does not have a history of fighting about jurisdictional issues in subpoenaing evidence. If the information resided in a foreign country, companies drafted letters to a particular country’s court requesting information or evidence from a specified person within that country’s jurisdiction. The advent of eDiscovery has only made the exchange of information a little more complicated. What if what happened with Microsoft happens in the civil sector? The Microsoft court sided with Microsoft because the means used to obtain information was based in privacy only insomuch as that privacy outweighed the argument that the focus was helping law enforcement. Essentially, civil eDiscovery may find itself in the same position of arguing privacy protection as did Microsoft. 

The CLOUD Act, arguably according to civil litigators, allows the U.S. government to obtain data regardless of jurisdiction:

Since it was enacted in March 2018, the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) has been controversial with privacy advocates in the United States and the subject of sustained criticism by the European Parliament and other organizations abroad. Over the past year, companies that store data outside the United States have been pressed by non-U.S. customers and counterparts to explain whether the CLOUD Act creates new risk that their data may now be within reach of the U.S. government and have had to re-examine existing data storage arrangements. John P. Carlin, et al., The CLOUD Act One Year Later: DOJ White Paper Aims to Promote Greater Understanding of the Act’s Purpose and Impact, April, 16, 2019.

Civil litigation has operated for over 40 years without a real concern of jurisdictional privacy, but unfortunately, the CLOUD Act has exposed an unprotected area in civil cases—disregard of foreign laws may lead to a loss of security and privacy. Belt, supra. At the time of the Second Circuit’s ruling Microsoft operated at least one million servers in at least 100 servers worldwide. The significance of the “win” cannot be overstated especially considering the civil eDiscovery implications in that a subpoena could access potentially all data and metadata stored in a given location.

Conclusion

Presumably, the CLOUD Act does not interfere with traditional means of obtaining information outside U.S. jurisdiction. Moreover, it clams its purpose is to clarify the law regarding the SCA. If all of this is true, however, why the Congressional move to pass a law that makes the first case to challenge U.S. government access to information moot? It is only a matter of time before a civil case raises the same question as the now vacated Microsoft case. Protection for civil eDiscovery lies in becoming competent in the privacy laws of foreign jurisdictions to ensure every step of data collection is armored against a request for information that threatens civil privacy.