Are You at Risk of Having Electronic Data Seized When Traveling Abroad?
Executives and in-house counsel should be aware that traveling with sensitive data can lead to its seizure—with potentially severe consequences worldwide. Recently, Parliament in the United Kingdom seized from a traveling executive a USB drive containing data that had been produced in a United States lawsuit between Six4Three, a software company, and Facebook. Put simply, that data was in the wrong place at the wrong time.
Several Members of Parliament, frustrated with the apparent refusal of Facebook’s CEO and co-founder Mark Zuckerberg to appear for testimony, summoned (via a sergeant at arms) Ted Kramer, the founder of Six4Three, at his hotel room in London. According to reports, the executive met with a parliamentarian, was threatened with contempt, “panicked,” and copied onto a USB drive a large amount of lawsuit-related data that previously had been synchronized to his laptop from a DropBox account.
The consequences were immediate in the U.K. and severe back in the U.S. The USB drive ended up in the hands of Damian Collins, Parliament’s chair of the culture, media and sport select committee. This exposed the contents of the drive—including potential trade secret information—to a foreign investigative body that was not subject to the jurisdiction of the California state court that had issued a confidentiality order prohibiting disclosure to third parties. Collins then announced an intent to publish the documents. But back in California state court, things got worse. Not only did Kramer’s turning over the data violate the confidentiality order; the executive possessed the information by erroneous DropBox permissions thatthemselvesviolated the confidentiality order by giving him access to “attorneys eyes only” material. The state court judge called the situation “unconscionable” and ordered forensic examinations of numerous devices of Kramer—and his attorneys, who had to withdraw from the case.
There are many lessons to be learned, but this event highlights three things about physically moving data across borders. First, once data is within the boundaries of another country, it is subject to seizure and search according to the laws of that country. U.S. components of multinationals are frequently confronted with the hazards of importing datafromthe EU or Asia, where such data might be sought for a U.S. civil or criminal action. But the recent seizure in London underscores that when sensitive U.S. data—even when subject to a confidentiality order from a U.S. court—moves out of the country, neither its U.S. origin nor protective orders of American courts are necessarily effective in preventing a foreign law enforcement agency (or legislative body) from taking it.
Second, once data is in the custody of a foreign government, the information is at risk of being disclosed to third parties or the public—in a context where expected principles of confidentiality (or the protection of U.S. law) is absent. A foreign authority may simply decide that the public interest of its country outweighs comity. Notions of privilege can also vary dramatically. Europe and parts of Asia accord far less protection for in-house counsel’s activities than do principles of law in the United States. And some foreign governments may be interested in (involuntary) technology transfers.
Finally, when U.S.-based data comes back into its home country, even when there is no incident abroad, it can still be seized at the border, without being subject to Fourth Amendment protections. Data seized by the Department of Homeland Security may be disclosed to other federal investigative agencies, and there have been multiple recently reported instances of Customs and Border Patrol personnel forcing entrants to allow searches of electronic devices, where a purely internal law enforcement agency would have to obtain a warrant.
There are several ways to mitigate risks that stem from crossing international borders while carrying electronically stored data:
- Apples and Pears, Beers and Confusion
- Cloud Outsource Directive and Guidance Note Issued by the South African Reserve Bank
- Cybercrime Legislation on South Africa’s Horizon: Is Your Organisation Ready?
- Eavesdropping: The Privacy Myth
WSG Member: Please login to add your comment.