deepagopi2011 - Fotolia

Google to appeal against order to hand over foreign emails

UK firms urged to consider the risks of non-UK cloud service providers and to encrypt data in the light of another US warrant to access emails held by a US cloud services firm on non-US servers

Google reportedly plans to appeal against a court order to hand over to the FBI emails of Gmail users stored outside of the US, arguing that doing so will put the privacy of non-US citizens at risk.

In a similar case, the US Department of Justice is considering going to the Supreme Court after an appeals court refused to revisit its July 2016 landmark ruling blocking government access to emails stored on Microsoft servers in Ireland.

Both cases involve warrants issued under the US Stored Communications Act, which many technology firms and privacy advocates consider outdated, particularly in the light of the EU-US Privacy Shield personal data exchange agreement reached in 2016.

Privacy Shield was developed in consultation with the US to replace the Safe Harbour agreement, which was declared invalid by the Court of Justice of the European Union (CJEU).

For just over three years, Microsoft has resisted giving access to emails believed to be linked to narcotics trafficking that are stored on its servers in Ireland, arguing that the emails belong to its customers and that the servers are outside US jurisdiction.

Microsoft and Google are among several big US technology firms that have called for surveillance reforms because of concerns that public loss of trust in technology will hurt their businesses.

Now Google is resisting giving the FBI access to emails held on servers outside the US that have been linked to a US fraud investigation, and plans to appeal against a ruling by Philadelphia judge Thomas Rueter that transferring emails from a foreign server so FBI agents could review them locally did not qualify as a seizure.

The ruling said that although the retrieval of the electronic data by Google from its multiple datacentres abroad has the potential for an invasion of privacy, the actual infringement of privacy occurs at the time of disclosure in the US.

But judge Rueter’s finding is the opposite of the July 2016 conclusion reached by a federal appeals court in the Microsoft case, which was welcomed by Microsoft and other tech firms as a landmark ruling that set an important precedent for protecting the privacy of cloud services. 

Read more about EU-US Privacy Shield

  • The transatlantic data transfer framework has been approved, but will need more fine-tuning in the first joint review in a year’s time, says the Article 29 Working Party.
  • Ireland faces legal challenge over the independence of its data commissioner in the wake of the scrapping of the Safe Harbour data protection agreement.
  • Dublin court case on the legality of Facebook’s data transfers to the US raises issues that affect US national security, claims US Department of Justice.
  • User demand for locally hosted cloud services prompts cloud firms and infrastructure providers to rapidly take up datacentre space in Europe, CBRE research shows.

In line with the Microsoft ruling, Google argued that it had complied with warrants it had received for data the company knew to be stored in the US, but that some emails were stored outside the country to improve network performance.

Judge Rueter’s ruling came just a week after US president Donald Trump issued an executive order on enhancing public safety in the US that caused alarm because of fears that it could jeopardise the Privacy Shield agreement by weakening protections for data held in the US about foreign citizens.

But the fears were quickly dismissed by law firms and civil rights groups, who said that although the executive order underlines the vulnerability of Privacy Shield, it is unlikely to have any marked effect.

However, judge Reuter’s ruling could potentially spark fresh concerns among European privacy campaigners, according to Nicky Stewart, commercial director at cloud assurance services firm UKCloud.

“Public sector bodies with contracts with US cloud firms need to make an immediate privacy impact assessment and, if necessary, seek expert legal advice,” he said.

Stewart also believes public sector organisations may need to scope out migration options to move workloads so data privacy and sovereignty can be assured.

“As they prepare for Brexit and GDPR [General Data Protection Regulation] as well as the prime minister’s new industrial strategy which actively favours UK firms for government contracts and procurement for growth in the post-Brexit world, departments are going to need to weigh up the risks in terms of data privacy and sovereignty and currency fluctuations of doing business with non-UK providers,” he said.

Increase due diligence

Nigel Hawthorn, European marketing director at cloud security, compliance and governance firm Skyhigh Networks, said Google should be praised for the stance it has taken, but warned that UK and EU cloud service users must increase the due diligence they conduct around cloud service providers (CSPs).

“All users – whether consumer or business – of cloud services must now assume that access to their data will be requested by courts around the world at some point and, therefore, it is now vital for them to adopt and control their own safety measures,” he said.

Like consumers, Hawthorn said companies need to improve their cloud service due diligence by checking the applications they are using, what security features they have, where the data is stored and where that particular CSP’s headquarters is located.

But companies can then go a step further by implementing their own technical security features, which increasingly means encrypting data before it even reaches the cloud, he said.

“The tension between the courts and technology is unlikely to ease any time soon, so users must start taking a more proactive role to protect their cloud data,” said Hawthorn.

Read more on Privacy and data protection

Data Center
Data Management