Microsoft Ireland faces a data privacy battle in US supreme court

Legal row centres on whether the US can force US firms to hand over data held abroad

 

The Microsoft Ireland email case, now headed for the United States Supreme Court, will yet again place Ireland at the heart of a case in which one of the world’s most important courts wrestles with defining boundaries between personal privacy, business practice and government interests.

The case – accepted by the court in mid-October – raises a critical, interlinked business and privacy question: can US companies can be compelled to hand over data stored outside of the US?

As to why Ireland keep featuring in such cases, many multinational technology companies handling data are based here, making Ireland a collision point for widely differing European Union and US approaches to data privacy and protection.

But this case is different from earlier cases in key ways.

First off, it will be considered by the US’s highest court, rather than the European Court of Justice (ECJ), which has made decisive, landmark pro-privacy judgments in Irish-originating cases on the limits of state-mandated data retention (the Digital Rights Ireland decision), and on protections that should be afforded to EU citizen data when it is transferred to the US (the Schrems Facebook decision).

Second, this is the first major post-Snowden case to come before the US Supreme Court in which a company has refused to comply with data disclosure demands made by the US government.

But, like previous decisions by the ECJ, the Supreme Court’s ruling will come at a time of much greater public awareness and concern about government access to online data.

Cloud computing

The ruling is likely to determine the future development of cloud computing and influence US national and international policy, particularly, EU policy as it implements the General Data Protection Regulation and ponders whether US data protections are adequate for the survival of the EU/US Privacy Shield data transfer agreement.

But it’s also a case full of many subtle twists and turns, most prominent being a valid question about whether hearing case No 17-2, The United States of America v Microsoft Corporation, is a misguided use of the Supreme Court’s valuable time.

Nonetheless, the court announced October 16th that it would accept the US government’s request that it consider a previous appeals court ruling in Microsoft’s favour. Written arguments will be submitted in coming weeks, with an oral hearing to be scheduled in the new year, and a decision due before the court takes its summer recess in July.

The case arose in 2013, after a New York state judge served Microsoft with a warrant during an investigation into drug trafficking, demanding the company hand over emails sent through its email service.

If the emails were in one of Microsoft’s US-based data centres, the company would be required to divulge them under the Electronic Communications Privacy Act of 1986, generally referred to as the Stored Communications Act (SCA). Section 2703 of the act stipulates that electronic communications may be obtained on the basis of a valid warrant.

But the emails were stored in Microsoft’s Dublin data centre, raising the issue of “extraterritoriality”.

Treaties

Microsoft handed over some related email metadata stored in the US, but refused to surrender the Dublin emails, arguing that section 2703 was never intended to apply to electronic data held abroad. Instead, it said, data could be lawfully requested in co-operation with the Irish Government, using the standard approach of international mutual legal assistance treaties (MLATs).

If the documents were on paper, rather than held in electronic from, the US government would have to use MLATs. Former minister for justice Michael McDowell submitted a brief in the appeals case, noting that Ireland has never refused to comply with an MLAT request from the US.

So, a central point in this convoluted case is the lack of clarity regarding electronic data and whether it forms a different category, entitled to less privacy protection, than a paper document.

On this point, the US government argued in its written court submission that emails are inherently mobile and the company could repatriate the desired emails with a mouse-click. Emails are stored abroad only because of arbitrary “business decisions of private providers” and are the property of the email service provider.

The US said the decision of the Second Circuit Court of Appeals – which sided with Microsoft, after a Federal Appeals Court had ruled in the original judge’s favour – was causing delays and frustrating many other serious state and federal cases.

Microsoft, and numerous technology companies and privacy advocates that submitted supporting briefs in the appeals case, have in turn argued that section 2703 was never meant to apply extraterritorially, and electronic data should not be given fewer protections than print documents.

Emails, Microsoft said, are the property of the individual and are entitled to the privacy protections of the country where the emails are stored. To view them otherwise “would cause people to lose their rights when they go online,” wrote Microsoft president and chief counsel Brad Smith, in a blog post.

Congress could never have had the intent of allowing warrants to be applied internationally, said Microsoft.

“The current laws were written for the era of the floppy disk, not the world of the cloud,” wrote Smith.

That point – determining Congressional intent in the 1986 law – will be central to this case, and the prime focus for the Supreme Court.

Narrow application

Yet, in another twist, if the court finds in favour of the US government, legal experts say the decision will apply only narrowly, to the 1986 SCA. Were Congress to introduce new legislation to amend the act and clarify access– and a bipartisan Bill already has been put forward – it would resolve the issue without the need for what’s likely to be a short-term Supreme Court decision.

Microsoft and many other tech companies have been pushing Congress to do exactly this.

But Bills move slowly. In the interim after a pro-US ruling, or if Congress amended the SCA to allow extraterritorial direct access to cloud-held data, tech companies would have a big problem.

Most immediate would be the obligations of access. Although the case title may suggest the US federal government is the only party wishing to access data via warrant, courts in all 50 states could directly demand data held in other countries. Some 33 states asked the Supreme Court to hear the case.

An even broader concern is that cloud computing everywhere would be under threat. Cloud computing – now a business norm – demands a high level of trust between clients and companies such as Microsoft, a belief that a cloud provider will not breach privacy and confidentiality and hand over personal or business data at the request of foreign governments.

Nationality

Another twist: the nationality of the person whose emails were requested in the case has never been revealed and do not form any part of the US government’s petition to the Supreme Court. So, in legal terms, the US is not just asking that US citizen data stored abroad by a US-based company should be accessible, but the data of any citizen, of any country, held anywhere in the world.

A ruling allowing the US government and each of its states such extraterritorial reach would set a precedent for foreign nations to seize the data of US and international citizens held in the US and abroad. This is why privacy advocates internationally are concerned by the case, and why some observers are baffled by the US justice department’s decision to pursue the case.

Businesses will surely seek ways to block access. Cloud infrastructure worth collective billions isn’t likely to be dismantled, but the structure of the international business operations that facilitate it would probably shift.

Companies such as Microsoft, Amazon, and Oracle would likely look at legal structures for creating corporate subsidiaries that would bar attempts at seizing data outside the laws of the country in which the subsidiary is located.

If that happens, data storage and management will become more onerous and costly for cloud providers. On the other hand, the privacy protections afforded in various locations, especially in the EU, could become an international marketing feature.

Finally, businesses, including Microsoft, have argued that the MLAT system should be overhauled by international governments, to make the process of requesting evidence less burdensome and slow, particularly in the case of investigations, which generally must move quickly than trials.

For all these reasons, the Supreme Court hearings will be closely watched by business and privacy advocates worldwide, and a ruling nervously awaited by all sides.

The Irish Times Logo
Commenting on The Irish Times has changed. To comment you must now be an Irish Times subscriber.
SUBSCRIBE
GO BACK
Error Image
The account details entered are not currently associated with an Irish Times subscription. Please subscribe to sign in to comment.
Comment Sign In

Forgot password?
The Irish Times Logo
Thank you
You should receive instructions for resetting your password. When you have reset your password, you can Sign In.
The Irish Times Logo
Please choose a screen name. This name will appear beside any comments you post. Your screen name should follow the standards set out in our community standards.
Screen Name Selection

Hello

Please choose a screen name. This name will appear beside any comments you post. Your screen name should follow the standards set out in our community standards.

The Irish Times Logo
Commenting on The Irish Times has changed. To comment you must now be an Irish Times subscriber.
SUBSCRIBE
Forgot Password
Please enter your email address so we can send you a link to reset your password.

Sign In

Your Comments
We reserve the right to remove any content at any time from this Community, including without limitation if it violates the Community Standards. We ask that you report content that you in good faith believe violates the above rules by clicking the Flag link next to the offending comment or by filling out this form. New comments are only accepted for 3 days from the date of publication.