Where Is Your Data “Located”?

In a well-reported decision last week, a New York Court ordered Microsoft to produce emails stored on a server located in Dublin, Ireland.  There has already been some very good legal analysis of the opinion, which Microsoft has stated that it will appeal.  A key issue, of course, is whether a US-based court should have the ability to order the production of data “located” in a foreign country.

One of the issues with analyzing this problem is the application of old school ideas, like physical location, to electronic information.  It’s easy (and convenient) to think about data being stored on a server, which is an actual physical item, and identifying that data as being located in that place.

But unlike actual physical objects, data is easy to copy, and copies often are stored in different places for more convenient access or for data protection and backup purposes.  It’s likely that the email messages in Dublin were replicated several times, possibly on backup media such as a tape or on a backup server (both of which are physical items).

However, unlike physical objects, many people can have “access” to data at the same time, and physical proximity is generally not very important to that access.  So while only people located near the server in Dublin can physically touch that server, there are likely dozens or hundreds of people throughout the world with the ability to access the server and read the data stored there.  The only constraint to that access is having the security credentials to access it.

Conversely, it’s easy to turn the idea of physical access on its head.  Even if you were standing next to the Dublin server, you would not have access to its data without proper credentials.  Thus, even assuming that a court with jurisdiction could order to you to “get” the server, you might not have any ability to actually deliver the data stored on it.  In fact, with the right security and encryption, it’s possible to limit access to that information to just one person in the entire world!

The law changes slowly, and for good reason.  But until we have a better legal framework for analyzing electronic data issues, cases like the Dublin server will be difficult to predict and explain under our current legal structures.

About the Author: Jim Shook

James D. Shook, Esq., CIPP/US Director, Compliance Practice, Global Technology Office Dell EMC Jim helps Dell EMC’s customers understand and efficiently meet the legal and regulatory obligations for their data, focusing on cybersecurity, privacy, retention and electronic discovery. Along with an undergraduate degree in Computer Science, he is an experienced commercial litigator and a former general counsel to technology companies. Jim publishes and speaks frequently about meeting challenges created by the intersection of law and technology, and has been an active member of The Sedona Conference’s working groups on electronic information (WG1) since 2004 and data security and privacy (WG11) since 2015.