Google to appeal against order to hand over foreign emails

Google reportedly plans to appeal against a court order to hand over to the FBI emails of Gmail users stored outside of the US, arguing that doing so will put the privacy of non-US citizens at risk.

In a similar case, the US Department of Justice is considering going to the Supreme Court after an appeals court refused to revisit its July 2016 landmark ruling blocking government access to emails stored on Microsoft servers in Ireland.

Both cases involve warrants issued under the US Stored Communications Act, which many technology firms and privacy advocates consider outdated, particularly in the light of the EU-US Privacy Shield personal data exchange agreement reached in 2016.

Privacy Shield was developed in consultation with the US to replace the Safe Harbour agreement, which was declared invalid by the Court of Justice of the European Union (CJEU).

For just over three years, Microsoft has resisted giving access to emails believed to be linked to narcotics trafficking that are stored on its servers in Ireland, arguing that the emails belong to its customers and that the servers are outside US jurisdiction.

Microsoft and Google are among several big US technology firms that have called for surveillance reforms because of concerns that public loss of trust in technology will hurt their businesses.

Now Google is resisting giving the FBI access to emails held on servers outside the US that have been linked to a US fraud investigation, and plans to appeal against a ruling by Philadelphia judge Thomas Rueter that transferring emails from a foreign server so FBI agents could review them locally did not qualify as a seizure.

The ruling said that although the retrieval of the electronic data by Google from its multiple datacentres abroad has the potential for an invasion of privacy, the actual infringement of privacy occurs at the time of disclosure in the US.

But judge Rueter’s finding is the opposite of the July 2016 conclusion reached by a federal appeals court in the Microsoft case, which was welcomed by Microsoft and other tech firms as a landmark ruling that set an important precedent for protecting the privacy of cloud services. 

In line with the Microsoft ruling, Google argued that it had complied with warrants it had received for data the company knew to be stored in the US, but that some emails were stored outside the country to improve network performance.

Judge Rueter’s ruling came just a week after US president Donald Trump issued an executive order on enhancing public safety in the US that caused alarm because of fears that it could jeopardise the Privacy Shield agreement by weakening protections for data held in the US about foreign citizens.

But the fears were quickly dismissed by law firms and civil rights groups, who said that although the executive order underlines the vulnerability of Privacy Shield, it is unlikely to have any marked effect.

However, judge Reuter’s ruling could potentially spark fresh concerns among European privacy campaigners, according to Nicky Stewart, commercial director at cloud assurance services firm UKCloud.

“Public sector bodies with contracts with US cloud firms need to make an immediate privacy impact assessment and, if necessary, seek expert legal advice,” he said.

Stewart also believes public sector organisations may need to scope out migration options to move workloads so data privacy and sovereignty can be assured.

“As they prepare for Brexit and GDPR [General Data Protection Regulation] as well as the prime minister’s new industrial strategy which actively favours UK firms for government contracts and procurement for growth in the post-Brexit world, departments are going to need to weigh up the risks in terms of data privacy and sovereignty and currency fluctuations of doing business with non-UK providers,” he said.