Extraterritorial Jurisdiction Puts Citizen Data at Risk
The legal doctrine of extraterritorial jurisdiction allows a government to claim the authority to extend its criminal laws beyond its geographical boundaries. For a claim of extraterritorial jurisdiction to be enforced, the legal authority in the external territory, or a legal authority that covers both territories, must recognize its validity. For example, the Vienna Convention on Diplomatic Relations, an international treaty signed in 1961, specifies the legal privileges that enable diplomats to live and work in a foreign country without the threat of harassment by the host country; this treaty provides the legal basis for diplomatic immunity, which exempts diplomats (and their staff and families) from the host country's judicial process and police interference.
The concept of extraterritorial jurisdiction also has implications for personal data privacy. When personal data held by one organization is transferred to a third party for storage or processing, the original organization remains legally responsible for that data (in EU data protection law, the controller stays accountable for its processors) and must provide for its security while it is held by the third party. This responsibility is typically met by including special provisions in the outsourcing contract that limit the third party's use or disclosure of the data. However, based on the concept of extraterritorial jurisdiction, some legal experts now believe that U.S. law enforcement and intelligence agencies could circumvent other countries' data privacy laws to gain access to data on citizens of foreign countries if that data is being stored by a company (foreign or U.S.) that conducts systematic business in the United States.
If information about a country's citizens is transferred for storage or processing to a U.S. company or a U.S.-controlled foreign company, the U.S.-linked company could be compelled, via a National Security Letter (NSL) or a FISA court order, to grant access to that data. A contractual clause assigning jurisdiction to the home country does not shield the provider from such an order, because the order is served on the company under U.S. law. Furthermore, controversial nondisclosure ("gag") provisions of the USA PATRIOT Act prohibit an organization from disclosing that it has received such an order or has handed over data in response to it. Together, these allow U.S. law enforcement and intelligence agencies to circumvent other countries' data privacy laws entirely, with no knowledge on the part of the foreign organization that contracted for the storage or processing, or of the citizens whose data was revealed. In addition, because non-U.S. persons located abroad are not safeguarded by the Fourth Amendment (as the U.S. Supreme Court held in United States v. Verdugo-Urquidez, 1990) or by U.S. statutory privacy protections such as the Electronic Communications Privacy Act, U.S. agencies face fewer legal restrictions when gathering data about non-U.S. citizens located abroad than about U.S. persons.
The Netherlands is one country particularly concerned about this possibility, as it has just implemented the Dutch Electronic Patient Database, which puts the medical records of all Dutch nationals into a single patient database accessible to doctors. The company that developed this system will be storing the patients' data on a cloud computing system run by CSC, a U.S.-based firm with operations in the Netherlands. Originally, the privacy of this data was thought to be secure because of contracts that clearly assign jurisdiction over the data to Dutch authorities, and because the Netherlands has rigorous data protection laws covering patients' sensitive data. However, researchers at the University of Amsterdam have raised the concern that, because CSC is subject to U.S. law regardless of what its Dutch contracts say, U.S. government agencies could circumvent the Netherlands' data protection laws and compel access to medical information on every single person in the Netherlands.
Importantly, other countries have implemented laws similar to the USA PATRIOT Act that include comparable provisions for accessing citizen data held outside their respective jurisdictions. This raises serious questions about the degree to which the data of one country's citizens is protected from another country's government in our increasingly interconnected and borderless online world. Indeed, Microsoft's UK Managing Director Gordon Frazer publicly acknowledged in 2011 that neither his firm, nor any other firm subject to U.S. law, could guarantee that data about EU citizens stored in an EU-based data center would never leave the EU under any circumstances.
Questions:
As a result of the risk and uncertainty raised by the doctrine of extraterritorial jurisdiction, some industry experts believe that the use of multinational cloud computing service companies increases the exposure of private, confidential data. Develop a strategy or line of reasoning that such service providers could use to allay the fears of their existing or potential clients.
Do research to find the current status of the so-called gag provision of the USA PATRIOT Act that prohibits an organization served with an NSL or FISA order from revealing that fact. Do you believe that this clause of the USA PATRIOT Act should be ruled unconstitutional? Why or why not?
Do research to find at least three other countries that implemented legislation similar to the USA PATRIOT Act following the 9/11 terrorist attacks. Do these laws also lessen the restrictions on gathering intelligence data about the country's own citizens?