Microsoft Email Case Triggers Warnings
Europe Rebuffs U.S. Ruling, Demands Privacy Law Compliance
European officials plan to continue pushing for stronger EU data protection and privacy rules in the wake of a controversial U.S. court ruling that authorizes the U.S. Justice Department to seize data stored outside the country.
On July 31, U.S. District Court Judge Loretta A. Preska ruled that Microsoft must comply with a search warrant requiring that it share copies of emails stored in a Microsoft data center in Dublin. "It is a question of control, not a question of the location of that information," ruled Preska after a two-hour hearing in New York, reported the Guardian.
But officials at the European Council -- the executive branch of the EU -- have criticized Preska's decision, and warned in a public statement that there's strong backing from both the European Parliament and EU member states to rewrite current data protection rules to make explicit that anyone doing business in Europe must comply with local privacy rules. "The proposed reform of EU data protection rules will ensure that EU rules apply to all companies, even those not established in the EU, whenever they handle personal data of individuals in the EU," an EC spokesperson says in the statement.
Microsoft Appeal Rebuffed
The U.S. court-ordered search warrant for the emails being stored in Dublin -- which reportedly relate to a narcotics investigation -- was issued in December 2013 and immediately contested by Microsoft. But the warrant was upheld in April by a magistrate judge, who ruled that Microsoft's ability to access the information means it must comply.
Microsoft moved for the magistrate judge's ruling to be dismissed, backed by supporting court briefs filed by a number of other technology firms and telecommunications providers, including AT&T, Apple, Cisco and Verizon.
After Preska upheld the ruling in July, however, Microsoft said it will take the case to the Second U.S. Circuit Court of Appeals (see Microsoft to Appeal E-Mail Ruling). "We will appeal promptly and continue to advocate that people's email deserves strong privacy protection in the U.S. and around the world," Brad Smith, the company's general counsel, said in a statement. In the interim, Preska has temporarily suspended her ruling.
Stick to Procedures
The European Commission, meanwhile, has criticized the U.S. Department of Justice for violating diplomatic protocols by not seeking the information via EU-U.S. "mutual legal assistance agreements," which provide a formal mechanism through which a foreign prosecutor can file a request for information related to an investigation. But U.S. prosecutors can face challenges in seeing their related information requests get fulfilled, owing to suspicion that's resulted from the National Security Agency's data-interception practices, as well as concerns over whether shared information might be used to seek the death penalty, which the EU is working to abolish worldwide.
Outstanding Jurisdiction Questions
If Microsoft loses its further appeals and is forced to comply with the U.S. court's ruling, the company could find itself violating both Irish and EU data protection laws, which would place it at a disadvantage against local competitors.
Of course, the case is being closely watched on both sides of the Atlantic. "The Irish government is aware of the case in question and is monitoring developments," says Fiona O'Sullivan, a spokeswoman for the Irish government's Department of Justice and Equality. "The legal issues involved are complex and relate to U.S. and EU law as well as Irish law."
While complex, these cross-border legal issues aren't new, legal consultant Mark Rasch, a former Justice Department computer crime prosecutor, tells Information Security Media Group. "In many ways this has been percolating as part of the Internet since we've had the Internet," he says. "It's been one of those things we've chosen to ignore, and it's been recognized in every online contract, in every cloud contract, as something that's a problem. So in a sense what the court did was, it picked at the scab of transnational jurisdiction."
Cloud Search Warrants
The underlying issues are much broader than what's being debated in the Microsoft case, and center on "possession, custody and control" -- the U.S. court's test for whether it will grant a search warrant -- in the cloud era, Rasch says. The case is also a test of whether U.S. courts can apply the Stored Communications Act, which authorizes the federal government to obtain warrants for stored communications, to information stored outside U.S. borders.
Traditionally, a U.S. search warrant -- for example, for documents stored in a warehouse in Ireland -- would never have been applied internationally, and theoretically the same holds true for cloud data. "The law respects geography, the government respects geography. Borders mean something," says Rasch. "It makes a difference, in some respects, if my data center is in Dayton, Dublin, Dusseldorf or Dubai."
But if the U.S. appeals court rules in Microsoft's favor, and says the SCA can't be applied overseas, says Rasch, then would-be criminals could frequent data havens that U.S. justice can't reach. On the other hand, if the court rules that court-ordered search warrants -- be they granted in response to requests from U.S. federal prosecutors, state prosecutors, or divorce attorneys -- apply overseas, it sets a dangerous legal precedent, especially for foreign countries seeking data stored in the United States.
"What that means is a court in Pyongyang can authorize North Korean officials to legally and virtually kick in the door of a U.S. company -- and I don't mean hacking, I mean executing a search warrant -- on a company in Panama City, Florida," says Rasch, provided the Florida company had any connection to North Korea, such as a customer located there.
Microsoft attorney Joshua Rosenkranz posed a similar warning in the July 31 court hearing, saying the effect on U.S. sovereignty of upholding the search warrant would be "astounding." But Judge Preska replied that while the prospect was "pretty scary," she couldn't interpret the law based on how other countries might respond.
The U.S. Justice Department, however, didn't have to try to execute a search warrant internationally, Microsoft argued before Preska. In response, a U.S. prosecutor said requesting the information via treaty arrangements would have been too "cumbersome," reported the Irish Examiner.
But the government's approach may now create a precedent whereby foreign prosecutors can likewise compel firms based outside the United States to release information on U.S. citizens without going through U.S. courts, says Rasch.
"So what's the solution? Better cooperation," he says. "We should have relied on the laws of Ireland, and asked Ireland to compel the production of those records, rather than simply asserting that we can do anything we want.
"That represents an appropriate balance between respect for jurisdiction, but it's still retaining the ability to get written documents and records necessary for a criminal investigation," he says.