#14: International servers and data collection
We can hardly live anymore without foreign storage- and communication services like Gmail, Box, OneDrive or Apple Icloud. These services use mostly cloud applications and in most cases the cloud is owned by a third party. These applications can be accessed all over the world through different devices. It is therefore possible and likely that part of the data is stored in another country than the country where the owner of the data lives. In the Netherlands it is questionable whether the public prosecutor can order or seize data which is accessible in the Netherlands but is stored abroad.
In a recent case at a regional court a supplier of corporate software complained about the subpoena of the public prosecutor which ordered to provide data of different clients in the interest of a criminal investigation. The applicant is a supplier of corporate software for service companies. The applicant offers customers a tax software package which is developed by a third party. This software provides support for accountants and administration offices regarding tax returns and tax consultancy. The goal of this program is to make it easier to prepare tax returns by using data from the clients administration or by importing the clients annual accounts software in the mentioned software package.
The software package is a cloud application, which means that the user can access all the submitted data from anywhere in the world. The submitted data is placed on a server in Ireland, which is property of Amazon. The hosting of the server is also done by Amazon. The applicant hires part of this server on behalf of its clients to store their data. The applicant does not process the data nor does it have regular access to the saved data. The data saved on the server for clients of the applicant is only accessible for the applicant in case of technical problems which need to be solved.
The applicant argues among other things that the subpoena violates the terms of proportionality and subsidiarity since other measures could have been taken to collect the requested data. For instance, the prosecutor could seize the data on the computers of the suspects involved.
The court looked at this alternative but concluded however that it would however be very time consuming to copy the data from the computers. This was in opinion of the court more radical than subpoenaing the data from applicant. The court concludes that the terms of proportionality and subsidiarity were not violated in this case.
The publication of the decision of the court does not show that the applicant argued that the subpoena is not legitimate because the data was not stored in the Netherlands and the server is owned by a third party. A missed opportunity?
The legislative history of the Dutch Criminal Procedural Code states that the search of automatized work has to be followed by the laws of the states were the data is established. The Dutch legislator considers the search of data in another state as an action with legal relevant consequences and that it could be in violation of the sovereignty of another state. The sovereignty of countries limits in that way the investigative authority when searching a computer on the territory of another state. The prohibition of investigation acts beyond the Dutch border is determined in article 146 sub 1 and 539a sub 3 of the Dutch Criminal Procedural Code. The legislative history explicitly mentioned that in case of a network search no access can be granted to a computer that is established abroad.
In the current case the cloud is used worldwide and the data is saved on a server in Ireland, in property of Amazon. The applicant did rent a part of this server but the hosting of the server however was done by Amazon. In fact in this case the data (at least a part of it) was not saved in The Netherlands. Although the question is where the cloud is exactly located, in our opinion the physical establishment of the server is in Ireland and the third party ownership should be taken into consideration. We believe that the public prosecutor acted outside his jurisdiction. If they want to subpoena the data, they have to submit an international request for mutual assistance or act on treaty based legislation. Therefore in our opinion the complaint against the subpoena should be granted.
Our view finds support in a an earlier judgement of the Court of Rotterdam. In this case the draft folder of a Hotmail account was used. The defendant created a draft message for the other suspect to read logging in on the same account. At first the public prosecutor requested the saved data from Microsoft in the United States. However, the public prosecutor did not await the results and searched through the Hotmail account by logging in the account since an undercover informant got the password. The Court judged that by logging in on the Hotmail account without permission of the defendant and without waiting for the result of the request to the United States for legal assistance, the public prosecution violated the sovereignty of the United States.
Also foreign courts are strict when it comes to accessing data abroad. A similar situation can be found in the case Microsoft Corporation v. United States of America. In this case the authorities requested access to data of an e-mail account. Microsoft however stated that it was not obliged to collect this data since the server was located in Ireland. Because the American authorities do not have the power to order data which was kept abroad, the subpoena was unlawful according to Microsoft. The Higher Court concluded that:
“Because the content subject to the Warrant is located in, and would be seized from, the Dublin datacenter, the conduct that falls within the focus of the SCA would occur outside the United States, regardless of the customer’s location and regardless of Microsoft’s home in the United States.”
In our view the public prosecutor cannot put the rules of international law aside by expending the investigating territory outside The Netherlands. That also applies to digital data.
If you have questions or if you would like to discuss the foregoing, please contact us at firstname.lastname@example.org or email@example.com.