Microsoft’s legal battle to block the US government from accessing emails held in the company’s Dublin data centre may not have had the profile of other recent key privacy cases.
However Microsoft's victory last Thursday in New York State's Second Circuit Appeals Court has ramifications at least as far-reaching as Max Schrems' challenge to the Safe Harbour EU/US data handling framework, the nullification of the EU Data Retention Directive by the European Court of Justice, or Apple's refusal last year to accommodate the FBI and weaken encryption on an iPhone.
This case mattered, enormously, because a functional basis of the internet was at stake and the operational structure of a vast range of industries that depend on data being moved and stored around the globe, located in ‘the cloud’, was under threat.
If any country could directly demand access to data held by a company and circumvent the treaty process, the privacy of individuals and companies using internet and cloud services could be arbitrarily compromised. The very efficiencies and global reach of cloud services would be sacrificed, as companies would be forced to set up stand-alone operations in every market and keep national data in each relevant territory.
Worse - as Microsoft vigorously argued - what was to keep any country in the world from demanding direct access to data held in the US? The ramifications of the case were unthinkable from both a privacy rights and a business operations perspective.
And cloud services are very big business. Analyst Gartner estimates the value of cloud services to the public market -ranging from business processes, software, computing infrastructure, security and advertising offered to companies and individuals - will reach $204 billion this year.
As often in such landmark decisions or incidents - consider the terrorist gunman's iPhone in Apple's standoff with the FBI -the original case that prompted Microsoft's appeal was not likely to draw much sympathy, and initially seemed nondescript. A drugs prosecution in which emails held in Ireland were desired as evidence, the case only expanded into one of international importance when the judge demanded by court order that Microsoft retrieve a number of Dublin-based emails.
Microsoft refused, putting it in contempt of court, and launched an appeal. In this case heard last year and finally decided this week by a three judge panel, Microsoft successfully argued that data held in another international jurisdiction - in this case, Ireland - was a matter for the Irish government and the Garda. If a US court wanted data held in Ireland, it should be obtained using the existing, albeit slow and clumsy, route of Mutual Legal Assistance Treaties (MLATs) by which countries already cooperate on investigations.
Notably, former Irish Justice Minister Michael McDowell provided a statement in support of Microsoft, noting that Ireland had never refused a request made by the US via MLAT.
The judges agreed with Microsoft, citing earlier US Supreme Court judgements on the controversial issue of "extraterritoriality", the notion that if a company was based in the US, its global operations could be treated as if they were on US soil, answerable to US domestic laws.
The judges found that Microsoft had complied fully with the domestic elements of the warrant "and resisted only its extraterritorial aspects". Supreme Court rulings, the panel said, had "restated and emphasised" that extraterritoriality goes beyond what was envisaged by Congress in its laws.
Supreme court ruling
The Supreme Court references are pointed. If the US government is to appeal the case, the next level of appeal would be to that very court, unless it takes a rarely-used option to ask that the case be heard by the full 20-judge roster of appeals court judges.
The Supreme Court only takes about 3 per cent of cases referred to it, but is more likely to take cases when the request comes from the government, say legal sources. As with the ECJ, a Supreme Court ruling is final, and the current court has generally been protective of privacy and mindful of business practicalities.
While Microsoft and others across the technology industry, as well as privacy advocates, might embrace the clarity and finality of a Supreme Court ruling in Microsoft’s favour, the judgement could of course go the other way - towards what would only be a pointless and damaging Pyrrhic victory for the US government that would threaten its own citizens’ privacy and its businesses.
Microsoft is understood to prefer that the current judgement stand and - by way of sensible compromise - that the US and other national governments move to overhaul the sclerotic MLAT system instead.
Such badly-needed streamlining would provide a rare win on all sides, for individuals and business, and for privacy eights, the global legal system and international law enforcement.