Forcing Microsoft Corp. to turn over to U.S. law enforcement customer emails stored in Ireland would violate European Union and other international privacy laws, according to friend of the court briefs filed in the U.S. Supreme Court.
The high court is reviewing whether a warrant issued by a U.S. court under the Store Communications Act can force Microsoft to hand over data that is stored outside the U.S. and is covered by EU privacy law.
A ruling for the U.S. may prompt countries to limit U.S. government access to data stored overseas.
In the case, U.S. law enforcement demanded Microsoft customer data stored abroad that allegedly was related to a drug case. The EU and other countries urged the high court to rule narrowly or in a way that pushes the U.S. government to take into account potential conflicts of law with foreign privacy laws.
The briefs, particularly those from the EU and Ireland, said that companies accessing email stored in the EU may run afoul of the EU’s new privacy regime, the General Data Protection Regulation (GDPR), if they are compelled to turn over data stored in the EU under an SCA warrant instead of through established international legal assistance treaties.
Companies are tracking the case to determine whether they’ll have to restructure the location of data centers, Matt Larson, a Bloomberg Intelligence technology litigation analyst, told Bloomberg Law. The case takes on more importance due to the increased spending and surging revenues in the tech and cloud computing sectors, he said.
It is notable that several foreign governments filed briefs in a Supreme Court case, Jennifer Daskal, associate professor of law at the American University Washington College of Law and former counsel to the assistant attorney general for national security at the Department of Justice, told Bloomberg Law.
The “biggest takeaway from the briefs is to remind the courts that if they rule in favor of the government the international implications are big,” Daskal said.
The European Commission, on behalf of the 28 EU member countries, said that rules under the GDPR limit law enforcement access to data stored in the bloc. GDPR Article 48 states that requests from foreign governments alone aren’t sufficient to justify transfers of personal data outside the EU, according to the EU brief. Other channels should be used to make law enforcement data transfer requests, such as mutual legal assistance treaties (MLATs) or under public interest exceptions to the GDPR, the EU said.
The commission filed its brief “to make sure that the EU data protection rules on international data transfers are correctly understood and taken into account,” Christian Wigand, a spokesman for the European Commission, told Bloomberg Law. The commission’s brief didn’t support Microsoft or the DOJ, he said.
A Microsoft spokesman told Bloomberg Law that Congress should update electronic communication access laws “to reflect advances in technology to protect people’s data online and ensure law enforcement has the modern tools needed to solve and prevent crimes.” The government’s position in the case, that the SCA allows it to force the release of the emails stored abroad, “would do neither of those things,” the spokesman said.
New Zealand in its brief voiced concerns similar to those of the EU.
International Data Pacts
In its brief, the U.K. said that a pro-Microsoft ruling could weaken existing law enforcement data sharing agreements with the U.S.
The U.K. argued that an invalidation of the reach of SCA warrants for data stored outside the U.S. can adversely affect MLATs, Edward J. McAndrew, litigation partner at Ballad Spahr LLP in Philadelphia and co-practice leader of the firm’s privacy and data security group, told Bloomberg Law.
A ruling for the U.S. government may lead EU countries to adopt more stringent requirements that data be stored within their borders in an effort to limit U.S. law enforcement access, McAndrew said. Such a move would build on EU concerns over U.S. law enforcement and intelligence surveillance activities that grew out of the Snowden disclosures, he said.
But data localization laws, which require data storage within a country’s borders, could backfire.
There would be “a lot of negative economic impact for countries that adopt data localization provisions” in response to a ruling for the U.S. government, Charlie Wood, privacy and cybersecurity attorney at Hogan Lovells LLP in Washington, told Bloomberg Law.
The case is United States v. Microsoft, U.S., No. 17-2, friend of the court briefs filed 12/13/17.
To contact the reporter on this story: Daniel R. Stoller in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Donald Aplin at email@example.com