Privacy Watch: The U.S. and Europe Collide in the Microsoft Email Case

Abdeslam Afras

May 11 2016

U.S. courts spark European ire when they order U.S. companies to give U.S. law enforcement data stored on European soil. This collision is not one-sided, however. European governments also increasingly demand that U.S. tech companies divulge customer message content to combat terrorism, even after updating the EU General Data Protection Regulations to protect the digital privacy of Europeans.

This is the first in a series of blogs on the privacy quandary affecting digital investigations and e-discovery/e-disclosure in the U.S and Europe.

Microsoft v. United States
Nowhere is this collision more striking than in the Microsoft email case (14-2985-cv). Mired in a multi-year appeals process, the tech leader continues to refuse to deliver suspected drug trafficker emails stored in their Irish data center to New York prosecutors.

This case has huge ramifications for internet and cloud provider companies that store customer data all over the globe. Tech companies are frequently asked to give such data to U.S. law enforcement authorities. The rulings by the District Court for the Southern District of New York has also angered Europe, where this extraterritorial reach of a US law is viewed as an insulting disregard of sovereignty and data protection laws.

Microsoft holds that divulging the emails to U.S. prosecutors violates EU data protection laws, and that the extraterritorial application of the warrant based on the U.S. Stored Communications Act (SCA) is illegal. The Redmond, Washington-based company urges the U.S. to invoke the United States-Ireland Mutual Legal Assistance Treaty (“MLAT”) to get the emails. MLATs, mutual law enforcement treaties the U.S. has in place with many countries, establish intra-governmental channels to approve and coordinate just this type of data request.

“This is the first step towards getting this issue in front of courts that have the authority to correct the government’s longstanding views on the application of search warrants to content stored digitally outside the United States.”
Brad Smith, EVP & Chief Legal Officer, Microsoft

Two District Court judges have ruled that the warrant for digital content in this case is more like a subpoena that applies no matter where data is located, asserting that what is important is control over the data, not physical location. Moreover, the court maintains that the SCA is about disclosure of data, not storage. According to the District Court, the MLAT process is not a practical solution as it would take months, impeding the government’s case.

We will continue to follow this landmark case now under review by the U.S. Court of Appeals for the 2nd Circuit, with Microsoft vowing to go all the way to the Supreme Court if needed. Here is the U.S. Appellate brief and Microsoft’s Reply Brief and Appellant brief.

Ireland Very Concerned
Ireland is home to not only Microsoft data centers, but many others including Facebook, Google and Amazon Web Services. The Irish Data Protection Authority has expressed serious concerns, saying the U.S. court actions would create significant legal uncertainty for data protection in the EU. Ireland filed a brief supporting Microsoft’s position that the MLAT should be used, saying it would expedite the process.

U.S. Privacy Laws.
To protect citizen’s privacy, the U.S. Electronic Communications Privacy Act (ECPA) broadly prohibits electronic communication service providers from divulging customer communications. The Stored Communications Act, part of the ECPA, accords email the highest level of protection, requiring a warrant for any search and seizure by the government. Many are calling for long-needed updates to these U.S. privacy laws, enacted long before the rise of cloud providers and storage of digital content all over the globe.

In April 2016, the U.S. House of Representatives passed a
bill to amend the ECPA to require a warrant to obtain emails. Previously, the 30-year old law had only applied to communications service providers, creating a huge loophole that may be closed if the bill becomes law. Though today’s tech companies generally all require a warrant as good practice already, having the law in place is a good move. The issue of the extraterritorial reach of such warrants was not addressed.

To learn more about the collision of global data movement and privacy laws in the U.S and Europe, join us in June at one of the AccessData Cross Border Quandary Tour panels in London, Amsterdam and Frankfurt.

Contact us today to learn more about our products and our
approach to improving how you collect, analyze and use data.
Tell Me More