A Belgian resident, identified as Théo, was questioned by police after his virtual exploration of Washington D.C. on January 5, 2021, coincided with the lead-up to the U.S. Capitol assault. According to the individual, authorities presented him with private Facebook Messenger messages during the interview. While the case was eventually closed, the incident highlights the reach of U.S. judicial procedures over international data under the CLOUD Act, according to technology law expert Jeoffrey Vigneron of Lawgitech.
In the investigation regarding the Capitol breach, Google initially provided identifiers for 5,723 devices to authorities. After a multi-stage filtering process, investigators narrowed the list to approximately 1,535 individual users.
How do U.S. authorities access data from abroad?
U.S. law enforcement agencies utilize “geofence warrants” to request data from companies like Google regarding devices present in a specific area at a set time. Jeoffrey Vigneron notes that these warrants do not target individuals directly but rather use data to “manufacture suspects,” which can result in false positives. While the CLOUD Act of 2018 does not grant the FBI direct access to private accounts, it mandates that service providers under U.S. jurisdiction comply with valid judicial requests, even when data is stored outside the United States.
The tension between the U.S. CLOUD Act and the European General Data Protection Regulation (GDPR) creates a persistent conflict of laws for international tech firms. Companies often favor compliance with U.S. court orders to avoid severe domestic sanctions, effectively testing the limits of European digital sovereignty in cross-border investigations.
Why does the GDPR not always protect European citizens?
The GDPR serves as a significant legal framework, but it is not an absolute barrier against extraterritorial data requests. According to Jeoffrey Vigneron, a U.S. court order is not, on its own, a sufficient legal basis under GDPR requirements. However, because international providers are often subject to multiple legal jurisdictions, they may be forced to choose between conflicting mandates. Furthermore, users are not always notified when their data is accessed, as notifications can be deferred to protect the integrity of ongoing investigations.
What happens next in legal challenges?
The legal status of geofence warrants is currently under review by the U.S. Supreme Court, with a decision expected in June. Jeoffrey Vigneron suggests that if the court finds these warrants unconstitutional, it could significantly restrict the ability of authorities to use broad location data to identify suspects. Additionally, ongoing negotiations between the European Union and the United States regarding cross-border access to electronic evidence, which were relaunched in March 2023, may eventually provide a more formal framework for these situations, though they are not expected to eliminate such requests entirely.
It is important to note that since late 2023, Google has ceased storing individual location history on its servers, which prevents the company from fulfilling future geofence requests for that specific data category. However, search histories and connection logs remain potentially subject to disclosure under existing legal processes.
Frequently Asked Questions
Can a simple internet search trigger a geofence warrant?
No. According to Jeoffrey Vigneron, searches or requests for directions performed from a location like Belgium cannot, by themselves, cause an individual to appear in the results of a geofence warrant.
Is the CLOUD Act the same as direct surveillance?
No. The CLOUD Act does not authorize the FBI to directly access private accounts. Instead, it compels technology providers subject to U.S. jurisdiction to respond to valid judicial requests for data.
Will the upcoming Supreme Court decision end all data transfers?
Not necessarily. While a ruling could limit the use of geofence warrants, it would not eliminate the broader legal mechanisms that allow U.S. authorities to request data from international providers.
Do you believe current international data privacy regulations are sufficient to protect individuals from extraterritorial legal requests?
