Against Data Exceptionalism
61 Pages. Posted: 10 Mar 2016. Last revised: 10 Jul 2018.
Date Written: March 8, 2016
One of the great regulatory challenges of the Internet era — indeed, one of today’s most pressing privacy questions — is how to define the limits of government access to personal data stored in the cloud. This is particularly true today because the cloud has gone global, raising a number of questions about the proper reach of one state’s authority over cloud-based data. The prevailing response to these questions by scholars, practitioners, and major Internet companies like Google and Facebook has been to argue that data is different. Data is “un-territorial,” they argue, and therefore incompatible with existing territorial notions of jurisdiction. This Article challenges this view.
The Article argues that the jurisdictional challenges presented by the global cloud are not conceptually as novel as they seem. Despite the technological wizardry of modern life, the “cloud” is actually a network of storage drives bolted to a particular territory, and there is a substantial body of case law suggesting that courts think of data as a physical object. Moreover, even if the cloud were a free-floating ether, data can be thought of as an intangible asset, like money or debt, which flows easily across borders; courts have been adjudicating jurisdictional disputes over intangible assets for centuries. These precedents suggest a number of distinct legitimate grounds for states to assert jurisdiction over data — not a single test, as major Internet service providers have claimed.
After showing that these jurisdictional problems are not unprecedented, the Article turns more practical. Drawing from these precedents, the Article outlines steps that courts, Congress, and the President can take to alleviate jurisdictional conflicts over the cloud. As the recent Microsoft Ireland case works its way through the courts, the President negotiates a treaty with the United Kingdom regarding cross-border access to the cloud, and Congress rewrites the Electronic Communications Privacy Act, finding a grounded approach to addressing this problem — one rooted in longstanding jurisdictional and conflicts principles — has never been more critical.