Dublin industrial estate centre of global privacy debate

US judge rules that Microsoft hand over data stored in Ireland to authorities

Microsoft, Grange Castle, in Dublin. Last week a judge ordered that Microsoft must turn over a customer’s emails that are stored. Photograph: Aidan Crawley

Microsoft, Grange Castle, in Dublin. Last week a judge ordered that Microsoft must turn over a customer’s emails that are stored. Photograph: Aidan Crawley

Thu, Aug 7, 2014, 01:00

The anonymous building on the outskirts of a sprawling industrial estate near Clondalkin may seem ordinary enough.

But what lies inside is at the centre of an international debate about whether communications stored in giant data centres here should be accessible to foreign law enforcement agencies.

Last week, a judge in New York ordered that Microsoft must turn over a customer’s emails that are stored in a data centre in Dublin.

Microsoft is appealing the case and drawing support from technology companies which see the ruling as a threat to their cloud computing services overseas.

At the heart of the issue is whether data stored in Ireland or elsewhere is beyond the reach of foreign law enforcement agencies. It may also lead to a clash between European and US privacy laws.

If upheld, say legal experts, it could mean that users in Ireland and farther afield of Microsoft’s services – and others, including Apple, Google, Yahoo, Facebook, and Twitter, with a headquarters in the US – are not immune from having their data handed over to the US government for law enforcement or intelligence purposes.

Technology companies – whose business models often rely on using their own customers’ data for commercial gain – have presented themselves as fighting in favour of customers’ privacy.

Microsoft’s general counsel Brad Smith said the company will appeal the court’s decision which would “not represent the final step in this process”.

“We will continue to advocate that people’s email deserves strong privacy protection in the US and around the world,” he said.

It comes amid a debate over privacy and technology that erupted last year when former National Security Agency contractor Edward Snowden revealed US government efforts to collect huge amounts of consumer data around the world.

Dr TJ McIntyre, a lecturer at UCD school of law and chairman of Digital Rights Ireland, says the disclosures highlight the vulnerability of information we increasingly store in clouds, or huge data centres, owned by US firms.

“Under the US constitution, privacy depends on whether you are a US citizen or physically located in US territory,” he said. “If you’re neither, you’re fair game. That makes it very worrying: US authorities could have access to data stored here about Irish citizens or companies with little in the way of control.”

Irish citizens or companies may wonder what interest US intelligence or law enforcement agencies would have in combing through family snaps or inconsequential emails.

Dr McIntyre, however, said there are wider implications. “These issues may not be of interest to an individual – but only provided you don’t need confidentiality in your medical records, provided you don’t need a free press that isn’t spied on by government, and provided there’s no one out there to abuse your personal information.”

Observers have also pointed out potential economic ramifications for US firms which have data centres here.

The IDA estimates that about €1.6 billion has been spent by technology companies in cloud computing here.

Google is the latest to announce new plans for a €150 million data farm. But analysts say that a perception that firms with US headquarter are not be able to assure customers’ privacy could prove highly damaging.

Corporate users of technology increasingly rely on these services that store email, documents and other private data in the cloud.

European-based firms such as Orange and Deutsche Telekom have been quick in recent days to pitch their cloud-computing offerings as a safer alternative to potential clients.

With so much money at stake, many observers believe it could ultimately end up being appealed to the US supreme court. There is also the question of whether seizing data from an Irish-based data centre in this manner would breach Irish law.

In an affidavit filed as part of the case, former minister for justice Michael McDowell states that any disclosure would only be lawful here where it is mandated by reference to Irish law and subject to the “jurisdiction and control of the Irish courts”.