Storm brewing over US request to Microsoft to access data held in Ireland

At first, the detail seems minor. At a drugs trial in the state of New York, the prosecution wants access to some emails as potential evidence.

The problem is, the emails aren’t in New York. Nor are they in the United States. They are in “the cloud”, held in Microsoft’s big European Data Centre in Ireland.

Still, that shouldn’t be a big deal. Established international legal channels exist, by which such data can be obtained if law enforcement wants them. According to a document on the matter written by former Irish attorney general and minister for justice Michael McDowell for the case in question, Ireland has never refused such a request from the US in the past, using what are called Mlats (mutual legal assistance treaties).

But the court instead opted to make a direct request – a court order – to Microsoft to produce the emails. And Microsoft refused, placing it in contempt of court. Microsoft has now challenged the US court's right to force it to hand over emails held here. The court is arguing that Microsoft is a US company, and such an order can be made directly to a US data controller, regardless of where the data actually resides. Microsoft's position is that data belongs not to them, but to the individual who places it in the cloud, and the laws determining data protection rights and governing legal access must be the local laws in the location of the data centre.

Therefore, in this case, Irish and broader European data protection law would shield the data. And, says Microsoft, Mlats exist already that would enable the US to request access to the emails through more appropriate channels.

What happens next in the court is a matter of worldwide interest and will have significant business, political and broader economic effect. At issue is a critical data privacy, protection and access issue that will influence the future of not just cloud computing, but the digital economy generally.

And it may well also determine whether limits can be placed on the ability of surveillance agencies of one country to access such data, a fear that arose, particularly in Europe, after whistleblower Edward Snowden revealed the extent of National Security Agency and Government Communications Headquarters snooping into data held by private technology companies.

"This is a principle that we need to stand up and defend," says Brad Smith, Microsoft's general counsel and executive vice-president of legal and corporate affairs. "People need to have confidence that they can trust the services the use. We need regulatory clarity."

Email ownership

The court needs to determine whether you own your email, or if it’s the property of your service provider, he says. Digital data should have the same protections afforded information written on paper.

“It is a pivotal case,” says Simon McGarr of McGarr Solicitors, the solicitors for privacy advocate Digital Rights Ireland. “There are enormous consequences if the [right to access] were to be upheld by the court, especially for all US-based technology companies. It would mean all data under their control, on all subjects, no matter where it is based, could be demanded directly by a US court.”

Both parties to Microsoft’s case have consented to having Digital Rights Ireland enter an “amicus brief” – to offer a legal position on the case.

Several other parties also have come in on an amicus brief, including major cloud and digital companies Apple and Cisco.

Last week, Ireland's Minister for Data Protection, Dara Murphy, wrote a letter to the European Commission requesting that it, too, come in as amicus, an indication of the Government's concern that the ruling could have a significant impact on the Irish economy.

Murphy requested the EU step in to offer a view on EU privacy and data protections in relation to the Microsoft case, as the case highlights discrepancies between “the respective legal regimes in the European Union and the United States, particularly in relation to the protection of data”.

Many feel that Ireland's role as a technology hub and home to many internet and technology companies, as well as its growing profile as a location for international data centres, is at stake, an issue highlighted in a strongly worded public letter to the Taoiseach from president of the American Chamber of Commerce Ireland and PayPal country manager Louise Phelan.

The chamber is concerned about “the extraterritorial reach of law enforcement authorities to access data in the context of routine criminal investigations” and, in the letter, posted to its website, it asks the Government to itself take an amicus stance in the case.

“Maintaining the trust of our citizens by protecting their privacy and guarding against unreasonable government intrusions is fundamental to the European data sector. We understand that governments have a need for legitimate access to user data in confronting crime and in strengthening national security, but a better balance must be struck that allows governments to address criminal threats while at the same time preserving the right to privacy,” Phelan writes.

Microsoft’s Smith says he would welcome both the Government and the EU taking amicus briefs in the case.

“I think it’s extremely important that the court and judge have a chance to hear about this issue” from concerned parties, as the case has implications for technology companies, civil society, national governments and others.

The chamber’s point about extraterritoriality – the ability of a government to say it has the right to access data held in other countries – has much broader implications that might have been considered by US authorities, argue McGarr and Smith.

“If the US asserts jurisdiction over data held in US sister companies abroad, other countries could assert the same territoriality over data held in the US, or on US citizens,” says McGarr. “So the case has huge political implications.”

Smith agrees. “It absolutely goes both ways. This is one of the issues we are trying to raise. It’s easy for the US to say it wants access to data held abroad, but it all changes when governments from another country try to reach into servers to get US data. It will set off a modern-day equivalent of a land rush.” In addition, he says, “if this becomes a free for all, governments are likely going to play both offence and defence” – on the one hand, defending their own citizens’ data while arguing to access data abroad when it suits them. “That’s going to put companies in the technology sector in the middle of a no-win argument.”

On the face of it, one might think each country would do best to have its own data centres, and that this would encourage the development of indigenous companies. But McGarr believes companies large and small would struggle in such a complicated operating environment, which would create a nightmare scenario for international trade.

Smith says the case “is part of a broader trend that’s very significant. People do care about privacy, and are more focused on these issues than many in government and business might have thought”.

Popular support

He points to research conducted by Amárach for Microsoft which showed that nine in 10 Irish people in a 1,000 person sample said they believed data should be subject to the laws of the locality in which it is held, and that the Government should defend against access to Irish-held data by outside authorities.

Argument will continue on the case into spring and perhaps into summer, with a decision in summer or autumn of next year. If Microsoft fails in the challenge, the company will take the issue all the way to the US Supreme Court, he says.

“Every day there’s an opportunity for the US government and the state department to step back and take a look at what they’re rally advocating,” Smith says.

“We want technology to advance, but it is equally important that timeless values endure,” he says. “This case is shining a light on some fundamental principles.”