The cross-border regulation of electronic data throws up many conflict of laws-related problems. Microsoft Corp v United States (“the Microsoft Ireland case”), a case pending before the US Supreme Court, is a recent example of such a problem and may have implications for data stored by US companies in New Zealand. The question to be decided is whether a warrant issued under the Stored Communications Act of 1986 (US) applies extra-territorially to data that is held by Microsoft overseas. Microsoft argues, inter alia, that extraterritorial warrants to produce data stored overseas may expose companies to conflicting legal obligations if the place of storage prohibits companies from disclosing the data.
The New Zealand Privacy Commissioner filed an amicus brief in the proceeding, arguing that the extraterritorial application of the Act should reflect the importance of comity, the presumption of territoriality and “the responsibility of each country to assert and respect the rights of those within its jurisdiction”. The brief notes that application of the Act to data held in New Zealand could entail civil and criminal liability under New Zealand law, and emphasises “the prerogative of each country – large or small – to apply its own law, including fundamental protections for the rights of its own citizens, to information within its own jurisdiction”.
Some of these concerns are now reflected in a new Bill, the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which would provide a direct answer to the Microsoft Ireland case. For commentary on the Bill, see this post by Jennifer Daskal on Just Security (and see here for her earlier analysis of the conflict of laws issues).