This module is a resource for lecturers

Challenges relating to extraterritorial evidence

Even with formal and informal international cooperation mechanisms in place, challenges arise in the identification and collection of digital evidence from cloud storage and other service providers. The problem with cloud computing is that it is difficult to know where data is stored. Without this knowledge, "the relevant jurisdiction to which a cooperation request for the obtaining of …[digital] evidence" cannot be identified (UNODC, 2013, p. 216).

Cloud data can be fragmented and stored across multiple locations and multiple countries. This fragmentation is illustrated in United States v. Microsoft (2018). In this case, the US Government issued a search warrant pursuant to the US Stored Communications Act (SCA) of 1986, to obtain evidence in a drug trafficking case. In response, Microsoft complied with this request by handing over relevant non-content data stored on US servers (e.g., suspect's address book), but did not give the US Government relevant content data (e.g., content of the individual's emails) because this data was stored at Microsoft's data centre in Dublin, Ireland.

The dispute at the heart of United States v. Microsoft (2018) was whether the provisions of the SCA permit access to data located in the servers of another country and whether this access constituted a legally unjustified extraterritorial reach. The matter is now moot with the passage of the US Clarifying Lawful Overseas Use of Data Act (Cloud Act) of 2018. The Cloud Act amended 18 U.S.C. § 2713 of the SCA as follows: "A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider's possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States" (emphasis added). The Cloud Act provides direct access to extraterritorial data. However, "common standards and safeguards concerning the circumstances, if any, under which direct access to extraterritorial data may be conducted by law enforcement" (UNODC, 2013, p. 216) have, as of 2018, yet to be established.

The Cloud Act and the EU General Data Protection Regulation

Concerns have been raised that the Cloud Act will undermine the EU General Data Protection Regulation (GDPR) (Vogel, 2018), a comprehensive data protection regulation that went into effect on 25 May 2018 (the GDPR is explored in detail in Cybercrime Module 10 on Privacy and Data Protection). Companies face steep fines and penalties if they do not comply with the GDPR. Companies that need to comply with both the Cloud Act and the GDPR, need to balance the requirement of the Cloud Act to provide access to data, with the requirement of the GDPR to protect the rights of data subjects (also discussed in Cybercrime Module 10), and ensure that the necessary safeguards are in place and requirements of Article 44-49 of the GDPR are met when transferring data to third parties or international organizations.

Next: National capacity and international cooperation
Back to top