Microsoft data privacy fight: present and future implications
Overview of the legal dispute and the stances of the important parties explained
Why is data stored all over the world?
To serve an increasingly global audience more quickly. Storing a client’s data close to where that client is reduces lag time. The biggest data-center operators, like Microsoft and Amazon, are always on the lookout for cheap land, tax breaks and access to cut-rate electrical power as they add more storage facilities.
How did cloud computing change the cyber landscape and legal implications?
Before cloud computing, individuals stored their digital information on their computers at home and corporations stored their data on server computers in offices. If the government desired to search someone’s information stored on a computer, it would request and obtain a search warrant, enter that person’s or company’s premises and access the device physically. The practical implication of this is that the person or company to whom the computer belongs knows about the search and could launch a legal defence against it, i.e. their negative rights to their own data protection are at least secured.
However, as information moved to the cloud, the warrants could be served on a cloud service provider (Microsoft in this case) instead of the particular individual or company. Transparency is reduced, and the individual or company no longer necessarily knows whether and when their information is accessed. Without that knowledge, they lack the ability to protect their data privacy rights. In other words, this changed the privacy equation between citizens and the state: citizens’ right to data privacy shifted to tech companies, and tech companies bore more fundamental responsibilities in protecting data. This is especially true after the Edward Snowden controversy, after which tech consumers suspected US tech companies of being government spies and their trust in tech companies plummeted. Overseas customers (especially corporate clients) in particular wanted assurances that data would be kept private, that they would have a say in where their information is stored, and that their negative rights to object to a government’s search would be ensured by law.
Why is U.S. law not clear on this subject?
The law at issue in this case, the Stored Communications Act (SCA), which lets law enforcement gain access to electronic information once they obtain a warrant, dates back to 1986 and has not been reformed since then. That was 20 years before Amazon opened the cloud computing era.
Timeline of events and stances of the main parties
The main argument of the US government is that SCA warrants function as both a warrant and a subpoena, and thus are not restricted by territorial constraints.[2] Microsoft would be able to comply with the subpoena-like nature of the SCA warrant.
The Irish government also filed a brief in support of neither party.[6] The Irish government considered that the U.S. government’s action violated both the European Union’s Data Protection Directive and Ireland’s own data privacy laws, and maintained the emails should be disclosed only on request to the Irish government pursuant to the long-standing mutual legal assistance treaty (MLAT) between the U.S. and Ireland formed in 2001.[7][8][9]
The panel primarily focused on the extraterritoriality of the SCA. The court relied heavily on the United States Supreme Court’s 2010 ruling in Morrison v. National Australia Bank that the “longstanding principle of American law that legislation of Congress, unless a contrary intent appears, is meant to apply only within the territorial jurisdiction of the United States” applies in all cases. The Second Circuit found no mention of extraterritorial application in the SCA nor in its legislative history. The court said the SCA’s use of the term “warrant”, as a term-of-art, suggested a specific territory. It also concluded that the primary focus of the SCA was protecting the privacy of users of electronic services.[12]
In his concurrence, Judge Lynch noted that there was nothing in the record to indicate whether the owner of the e-mails being sought was a U.S. citizen or resident. He agreed with the government that the term “warrant” only implied the need for issuance under Fourth Amendment standards, rather than suggesting it was a search warrant with a specific place. He also noted that Microsoft chose to store the e-mails in Ireland based on the account holder’s unverified statement of residence and on Microsoft’s business interest in minimizing network latency. No one disputed that if Microsoft had chosen to store the emails in the U.S., the warrant would have been valid.
The dissent stated that the ruling “has substantially burdened the government’s legitimate law enforcement efforts; created a roadmap for the facilitation of criminal activity; and impeded programs to protect the national security of the United States and its allies”, and called on a higher court or the U.S. Congress to rectify the outdated language of the SCA.[15]
In February 2017, a federal magistrate judge, presiding over a District Court within the Third Circuit, ruled that Google must comply with a government warrant to turn over data from foreign servers. The magistrate judge rejected Google’s reliance on the current standing from the Microsoft case, and stated in his opinion that the scope of the invasion of privacy for the case was entirely within the United States, and not where the electronic transfer of the data occurs, making the SCA warrant enforceable.[7][16]
Rivals Apple and Amazon as well as privacy advocates and academics supported Microsoft. The government received backing from the majority of U.S. states (though not Microsoft’s home state of Washington or tech-heavy California). Already, Google and Verizon Communications Inc.’s Yahoo have stopped complying with at least some search warrants for emails and other user data stored outside the country, the Justice Department said.
Rights that the CLOUD Act ensured
The Act retained the common law right for cloud service providers to go to court to challenge search warrants when there is a conflict of laws, independent of any international treaties on extraterritorial reach for US warrants (provided under section 103(c) of the Act).
This comity right is especially important in light of Europe’s General Data Protection Regulation (GDPR), which was implemented on 25 May 2018. If there is a conflict of laws regarding the reach of US search warrants under the GDPR’s relevant provisions, cloud service providers such as Microsoft have the common law right to launch a comity analysis, which better protects European customers.
What the CLOUD Act creates
The CLOUD Act is an important milestone in the journey to modernise the law. It not only preserves rights but also creates a foundation for a new generation of international agreements to find the fundamental balance between data protection and the efficiency of state prosecution involving multiple jurisdictions.
The Act provides the framework and statutory authority for the US to cooperate with other countries for purposes of crime investigation and law enforcement. These agreements can provide similar but more concrete guidance with respect to cyberspace than existing Mutual Legal Assistance Treaties.
The litigation and the passage of the Act also incentivise other governments to review their digital privacy laws and surveillance requests. In Europe last week, the European Commission presented its proposed e-Evidence legislation to the European Parliament. Many other governments are similarly seeking to update their laws to protect privacy, promote digital security and address the challenge of an increasingly borderless world.
The CLOUD Act also gives cloud service providers added and direct legal rights to protect privacy under these international agreements. These rights come in two complementary forms. First, providers have the right to inform foreign governments that have these agreements when their citizens are impacted by U.S. warrants. Second, providers can go directly to court to raise comity concerns under a new statutory process when the U.S. seeks a warrant that goes beyond the scope of an agreement and that conflicts with a foreign law.