One of the great regulatory challenges of the Internet era — indeed, one of today’s most pressing privacy questions — is how to define the limits of government access to personal data stored in the cloud. This is particularly true today because the cloud has gone global, raising a number of questions about the proper reach of one state’s authority over cloud-based data. The prevailing response to these questions by scholars, practitioners, and major Internet companies like Google and Facebook has been to argue that data is different. Data is “un-territorial,” they argue, and therefore incompatible with existing territorial notions of jurisdiction.
This Article challenges this view. The Article argues that the jurisdictional challenges presented by the global cloud are not conceptually as novel as they seem. Despite the technological wizardry of modern life, the “cloud” is actually a network of storage drives bolted to a particular territory, and there is a substantial body of case law suggesting that courts think of data as a physical object. Moreover, even if the cloud were a free-floating ether, data can be thought of as an intangible asset, like money or debt, which flows easily across borders; courts have been adjudicating jurisdictional disputes over intangible assets for centuries. These precedents suggest a number of distinct legitimate grounds for states to assert jurisdiction over data — not a single test, as major Internet service providers have claimed.
After showing that these jurisdictional problems are not unprecedented, the Article turns more practical. Drawing from these precedents, the Article outlines steps that courts, Congress, and the President can take to alleviate jurisdictional conflicts over the cloud. As the recent Microsoft Ireland case works its way through the courts, the President negotiates a treaty with the United Kingdom regarding cross-border access to the cloud, and Congress rewrites the Electronic Communications Privacy Act, finding a grounded approach to addressing this problem — one rooted in longstanding jurisdictional and conflicts principles — has never been more critical.'Data Institutionalism: A Reply to Andrew Woods' by Zachary D. Clopton in (2016) 69 Stanford Law Review Online responds
In Against Data Exceptionalism, Andrew K. Woods explores “one of the greatest societal and technological shifts in recent years,” which manifests in the “same old” questions about government power. The global cloud is an important feature of modern technological life that has significant consequences for individual privacy, law enforcement, and governance. Yet, as Woods suggests, the legal challenges presented by the cloud have analogies in age-old puzzles of public and private international law.
Identifying these connections is a conceptual advance, and this contribution should not be understated. But, to my mind, the most telling statement in Woods’s excellent article comes early on: “Showing that the jurisdictional challenges presented by the global cloud are not conceptually novel does not resolve those problems.” Data may not be exceptional, and the legal puzzles posed by data sound in existing notions of jurisdiction and conflict of laws. The problem, however, is that existing answers to these puzzles are unsatisfying. They are unsatisfying in that they do not provide clear answers, but instead pose even more challenging normative questions. And they are unsatisfying because some consensus answers sit on shaky normative footing. More satisfying answers, I contend, require attention to institutions, not just laws.