The Long Arm of the Law | Fieldfisher

The Long Arm of the Law

09/05/2014
There's a fair amount of indignation swilling around EU privacy regulators, politicians and policy makers following last year's revelations about the NSA's access to data on EU citizens. Hence, the enthusiasm of some parties for the idea of building a European internet seemingly beyond the reach of any non-EU actors (a.k.a. the US Government). So when recently a US district judge quashed Microsoft's opposition to a US warrant requiring it to disclose data held on a server in Ireland, it appeared that this was an example of the overreaching influence of US law ignoring EU data privacy rules. However, a reading of the published court document setting out US Judge Francis' decision does not obviously lend itself to this dichotomy. In fact EU data protection and privacy law principles do not immediately appear to have been discussed and taken into account as part of the decision.

What did the decision deal with?

Instead the main focus of the decision was on the extraterritorial reach of the search warrant issued against Microsoft under the US Stored Communications Act (SCA). The SCA governs the obligations of internet service providers to disclose information to, amongst other things, the US Government. Microsoft argued that a US federal court can only issue warrants for the search and seizure of property within the territorial limits of the US. It followed, on Microsoft's argument, that information associated with a specific web-based email account and stored at Microsoft premises in Ireland was beyond the territorial reach of the US law enforcement authorities seeking access to it by warrant.

Well, Judge Francis was having none of it. He assessed the structure of the SCA, its legislative history and the practical consequences of Microsoft's view and dismissed Microsoft's argument. He argued that it 'has long been the law that a subpoena [which is what he argued the warrant was] requires the recipient to produce information in its possession, custody, or control regardless of the location of that information'. Furthermore, the legal authorities in Judge Francis' opinion supported the notion that 'an entity [that is] subject to jurisdiction in the United States, like Microsoft, may be required to obtain evidence from abroad in connection with a criminal investigation'.

Although this District Court decision has gone against Microsoft, it is clear that Microsoft is in it for the long haul. Public pronouncements by Microsoft have indicated that it sees this decision as just one step in the process of challenging (and seeking to correct) the US Government's view on their right to access data stored electronically outside the US.

What are the implications of the decision?

This decision seems to confirm the status quo for the moment as it relates to internet service providers. In other words, US ISPs with EU subsidiaries could reasonably take the view that they are required to comply with warrants and subpoenas from US law enforcement agencies relating to data held in the EU. A US ISP subsidiary with an EU parent should also think very carefully before challenging a requirement under US law to provide access to data held in the EU. Judge Francis did not clearly spell out that the reach of the law here only applies to US parent ISPs. Therefore it would seem that a US ISP subsidiary would need to be able to argue that the information held in the EU that was the subject of a warrant under the SCA was not in its possession, custody or control in order to deny access.

For cloud computing services more generally, the decision has not changed the general outlook. But given this reminder of the reach of US law, cloud providers with a US presence should be thinking about how to structure services for their EU customers. For instance, offering encryption solutions where the EU customer holds the encryption key should require US law enforcement authorities to approach the EU customer. Or using a corporate structure where a US cloud company can argue that it does not have possession, custody, or control over information held by its EU sister company would also make the strict enforcement of a warrant against a US company more difficult.

In any event, if Microsoft continues to pursue its challenge through the US courts as it indicates it will, then it is possible that a higher court will take a more nuanced view, balancing perhaps US security concerns with the constraints of extraterritoriality and privacy. At some point in all of this, the US courts may well consider Microsoft's obligations under EU data protection law in more detail. Whilst there is no definitive prohibition under current EU data protection law preventing Microsoft, as with any other cloud provider, from complying with a US law enforcement request for access to personal data held in the EU, this is one of the critical issues being discussed as part of the reforms to the EU data protection regulatory framework following the Snowden revelations.

Microsoft evidently sees this as a fundamental issue of customer trust in their services. Just as Microsoft, Google, Facebook and others have argued in recent months that they want to be able to tell users when the US Government seeks access to that user's information, so this move by Microsoft to challenge the US Government's right to access data held overseas is part of a similar stand against Government powers. Whether or not Microsoft will be successful in its campaign remains to be seen but a cloud provider will doubtless watch this debate with interest given the repercussions it could have for defending itself against similar requests from the US Government.

 

 
