Ubiquitous computing and increasing engagement of private companies in governmental surveillance

Ubiquitous computing describes the phenomenon that automated data processing pervades all areas of private and professional life. Since information and communication technology infrastructure and services are mainly provided by private companies they hold extensive collections of personal data. As the flow of digital information is not restrained by state borders, data is stored and handled transnationally and thus independent from the territory in which the data was originally collected or in which the data subject is situated. Governments are significantly interested in extensive data for crime prevention and law enforcement purposes. As government agencies, however, have no direct access to privately controlled data, they increasingly request for the private companies’ assistance to provide them with the relevant data. Due to the volatility of data location and the continuous transnational flow of digital information especially in the globalized areas of communications and commerce, governmental requests often ignore territorial boundaries, which traditionally restrict governmental access rights. The article describes how law enforcement agencies involve private companies in surveillance and which legal approaches are used to gain access to the data stored by private companies. It pays special attention to transnational data exchange both within the European Union and on a transatlantic scale. The article looks at this practice of transnational direct requests from three different perspectives: first, it investigates whether governments requesting information stored abroad directly from the foreign company without including the respective domestic public authority violate the authority of the sovereign nation in whose territory the data is located (traditionally guarded by mutual legal assistance procedures) and thus breach public international law. Subsequently, the article discusses whether (transnational) direct requests to private companies leverage adequate fundamental rights protection of the data subjects. It seeks to evaluate the new role of private companies as they might be compelled to balance individual fundamental rights against general security interests—a duty traditionally performed by the state. Last, the article pays attention to the emerging difficulties for globally operating companies to detect the applicable jurisdiction when being exposed to contradicting legal regimes.