On the 25th of April, a US District Court Magistrate Judge ruled that Microsoft must hand over personal data to US authorities despite said data being stored in Ireland, another jurisdiction entirely:
“Even when applied to information that is stored in servers abroad, an SCA warrant does not violate the presumption against extraterritorial application of American law. Accordingly, Microsoft’s motion to quash in part the warrant at issue is denied.”
Microsoft defies Court ruling
However, Microsoft has defied the District Court’s ruling – a ruling it cannot appeal – which may lead to Microsoft being found to be in contempt of the Court which Microsoft will then be able to appeal.
Microsoft’s Executive Vice President and General Counsel, Brad Smith, said in July: “The only issue that was certain this morning was that the District Court’s decision would not represent the final step in this process. We will appeal promptly and continue to advocate that people’s email deserves strong privacy protection in the U.S. and around the world.” Microsoft had previously filed objections where Microsoft argues that:
“[T]he Government cannot conscript Microsoft to do what it has no authority itself to do — i.e., execute a warranted search abroad. To end-run these points. the Government argues, and the Magistrate Judge held, that the warrant required by ECPA is not a “warrant” at all. They assert that Congress did not mean “warrant” when using that term, but instead meant some previously unheard of “hybrid” between a warrant and subpoena duces tecum. The Government takes the extraordinary position that by merely serving such a warrant on any U.S.-based email provider, it has the right to obtain the private emails of any subscriber, no matter where in the world the data may be located. and without the knowledge or consent of the subscriber or the relevant foreign government where the data is stored.”
An International Case of Jurisdiction and Data Protection
Now, Ireland’s Minister for European Affairs and Data Protection, Dara Murphy T.D, has called on the European Commission to submit observations on the Microsoft case and consider the arguments Microsoft has made:
“This is clearly an area where technological advances have taken place in a very rapid fashion. The right to privacy should be afforded maximum protection whilst ensuring that law enforcement agencies have the necessary mechanisms at their disposal to effectively fight serious crime. This is made ever more complex when different jurisdictions are involved, especially given the ease with which data can be transferred. It is within this context, that I urge the Commission to consider the arguments that Microsoft are making with respect to this case.”
The outcome of this case may have major consequences to the online world, affecting hosting companies, data centers, user privacy and data protection. And indeed, companies such as Verizon, Cisco and Apple have all voiced their concerns. It could be argued that a company should not be allowed to hand over data to comply with a court order outside the host country, unless it also receives a court order to do so in the host country. That would require a country – within which jurisdiction the data is hosted – to determine through its own legal system whether said data be handed over to the authorities of a foreign country due to the foreign court order issued. The process of obtaining private data needs to be as transparent as possible and owners of personal data need to be fully informed about the privacy of their data or lack thereof.
By bypassing a judicial process in the host country, the legislative environment sought by the hosting company is rendered absolutely meaningless. This would impact one of IMMI’s core aims, which is to implement a legislative framework in Iceland by creating a safe haven for information. IMMI is among the plethora of institutes, NGOs, governments and individuals anticipating an emphatic stance by the European Commission to protect data and privacy.
Photo by Bob Mical (CC BY 2.0)