Data case has huge implications for personal privacy
The US’s attempt to access information in Dublin may change cloud computing
Locked out: can a nation state demand data held in another state’s territory, circumventing treaties and agreements?
Can a nation state demand data held in another state’s territory, circumventing treaties and agreements?
The fate of emails sitting in a Dublin-based computer server will soon be determined by a US court in a critical case that will shape – and perhaps entirely recast – the fast-growing global cloud computing business.
The case is a legal challenge mounted by Microsoft against a search warrant issued in December 2013 by a judge in the state of New York, in a drugs prosecution. It will decide how far the US government can reach in order to obtain data held by US companies in jurisdictions outside the US and whether US companies can guarantee the security and privacy of data held in those servers.
Under the cloud computing model, data associated with a service does not need to reside anywhere near the person or business using it. Data processing and transferrals can be done from anywhere, using the “cloud” of the internet.
Emails considered potentially relevant to the ongoing case just happen to sit in Microsoft Ireland’s data centre in Dublin. If the emails were print documents, US authorities would need to make a formal request to the Irish government, via treaties known as mutual legal assistance treaties (MLATs), to seize evidence held on Irish soil.
And that is the issue on which the case pivots: is digital data different from “real world” material and subject to fewer protections? Can a nation state demand data held in another state’s territory, circumventing treaties and agreements?
There’s no other Irish element to the case, which involves an individual using an email service provided by a US multinational company with operations and data centres in many countries.
However, in a rare move for a nation state, the Irish Government filed a supporting brief in the case. According to the brief, written by former Irish attorney general and minister for justice Michael McDowell, Ireland has never refused an MLAT request from the US in the past.
The case arises at a time of unprecedented public and business concern about US government access to personal data held by internet-based businesses, following the extensive leaks from whistleblower Edward Snowden.
Additionally, privacy is a major issue in the EU. A new general data protection regulation has just been negotiated. The European Court of Justice (ECJ) has also taken a tough pro-privacy stance in several prominent cases in the past two years (most, by chance and circumstance, involving Ireland). In these, it has firmly laid out protections that must be provided to the data of EU citizens and data held within the EU.
Max Schrems caseOne such case in 2015, that of Austrian law student Max Schrems v the Irish Data Protection Commissioner, resulted in the ECJ declaring invalid the Safe Harbour agreement many US and EU companies had used to facilitate the transfer of data.
All of this creates a context in which the Microsoft case will either clarify or further confuse the cloud computing and business landscape.
If the US government’s position in the current case were adopted, it would throttle any new Safe Harbour agreement, creating a loophole damaging to EU privacy protections, says John Frank, Microsoft’s vice-president, EU government affairs.
He says the Schrems decision is important to the email case, because it demonstrates that Europe’s legal and political system sees data protection and privacy not as legal and technical issues, but core human rights values.
“Our case points out a problem. It won’t solve it. Solving it requires discussion between the US and the EU as to how [data protection and transfers are] handled,” he says, adding that it is important for customers and civil society to have a say.
A judgment could come any time in the Microsoft case. A panel of judges in the second circuit court of appeals in New York heard oral arguments last September. A ruling usually comes about six months after oral arguments, Frank says, suggesting February in this case.
“But we just don’t know,” he says. It is probably a good sign the court did not issue a judgment quickly, but is taking its time considering the arguments, he says. The court also provided far more time for arguments than had originally been set aside.
Nonetheless, “reading tea leaves is dangerous, if not irresponsible”, Frank says.
ment Whichever way the court decides, the case will almost certainly be appealed
. The next stop would be the highest court in the US, the supreme court. It only accepts about four per cent of cases referred to it, but agrees to consider most cases appealed by the US government, Frank says. So if Microsoft wins in the appeals court, the government is nearly guaranteed to ask the supreme court to hear it, making it highly likely a final judgment will come there.
If the appeals case goes against Microsoft, securing a supreme court hearing will be a greater challenge, he says. But he is guardedly optimistic, as the court has shown deep interest in cases involving digital data, privacy and law enforcement access and, despite being seen as a conservative court, has tended to rule on the side of privacy.
Heightened concerns about terrorism are not likely to influence a ruling, he believes.
“Historically, in times of war, the pendulum would swing more [towards the government]. But the war on terror is a less defined conflict. The supreme court has recognised this is the new normal, and civil rights need to be protected.”
If Microsoft is the party asking the supreme court to hear the case, the “amicus” support by interested third parties will be critical, Frank says. In the appeals case, Microsoft has had the support of dozens of technology companies, trade and privacy organisations and computer experts, as well as the Irish state.
“The Irish government’s position will be very important” to a supreme court case, he says. The court will take notice if the Irish state again files a supporting brief – or if it does not.
If the supreme court agrees to take the case, it would be unlikely to be heard and decided within this year’s schedule, which concludes when last judgments are issued in July, he says. More likely, the court would hear oral arguments in the autumn and then make a ruling some time in 2017.
Frank acknowledges that the best outcome would be for the case to advance to the supreme court, as a decision there is final and – for better or worse – will provide clarity. However, he doesn’t know what the implications of a ruling against Microsoft would be, he says, without seeing the final judgment.
“It all depends on how the court rules. There’s yes or no and an explanation,” he says.
As with ECJ rulings, it is the explanation that sets the context for the ruling and provides the detail and parameters that go on to shape future policy.
But he hopes a final ruling will not go against Microsoft.
“If the court were to deliver that judgment, there are huge problems for everyone,” Frank says.