We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

A View from Christopher Kuner

U.S. Warrants for Overseas Data Trample Foreign Privacy Laws

Microsoft’s failed efforts to resist a U.S. warrant for data stored in Ireland show how American law enforcement policies conflict with foreign privacy laws.

  • August 22, 2014

U.S. Internet companies, and indeed all multinationals with a presence in the United States, appear to be trapped between the data access requirements of U.S. law enforcement agencies and foreign privacy laws.

Microsoft is involved in ongoing litigation against a search warrant issued in December 2013 by a U.S. magistrate, authorizing the search and seizure of e-mail accounts hosted by Microsoft. The company objected to the warrant with regard to data stored at its data center in Ireland, claiming that U.S. courts are not authorized to issue warrants for extraterritorial searches. Microsoft also argued that if it turned over data stored abroad to the U.S. government, it would be more difficult for the company to resist requests by foreign governments for data stored in the U.S. But on April 25, the magistrate judge who issued the warrant found in favor of the government. On July 28, Judge Loretta A. Preska of the U.S. District Court for the Southern District of New York affirmed that decision.

These two decisions turned on the question of whether the search warrant constitutes an extraterritorial search and seizure. Microsoft argues that it does, since it directs the company to produce information stored outside the United States. The government’s argument is that because Microsoft is subject to U.S. jurisdiction, it must turn over data it controls regardless of where the data is stored.

This may be the first case in which a company has formally opposed a U.S. search warrant concerning data stored abroad. But it is not surprising that other major companies (like Apple, AT&T, and Verizon) have publicly supported Microsoft’s position. The revelations of Edward Snowden have put them all under increasing pressure to resist U.S. requests for data access. The disclosures have also intensified their awareness of conflicts between foreign privacy legislation and the demands of U.S. law enforcement.

Dozens of countries around the world grant broad privacy protection to data processed for commercial purposes (the U.S. is one of the few that do not). They generally do not allow data to be transferred to foreign authorities without the approval of local regulators.

U.S. companies have already begun losing business with foreign customers because they are subject to U.S. data access requests. (For example, in June the German government cancelled a contract with Verizon for Internet services). Many more companies have a commercial incentive to contest these cross-border requests for data. The issues raised in the Microsoft case are relevant to all companies subject to U.S. jurisdiction, not just those in the Internet sector—including companies based abroad but active in the U.S. market.

Microsoft has stated that it will appeal Judge Preska’s decision, and sources in the U.S. legal community tell me that the case could eventually go all the way to the U.S. Supreme Court. But while Microsoft’s argument that the case has major policy implications is compelling, the U.S. government’s position may be difficult to overcome under the current state of the law.

What is disappointing about the discussion in this case so far is that it concentrates on the respective interests of companies and law enforcement. The privacy expectations of the Internet users whose data may be accessed have received little attention.

The best way to resolve this conflict would be to make changes to U.S. legislation that balance the interests of companies and law enforcement while taking the privacy expectations of individuals into account. However, the current gridlock in Washington seems to make that impossible. An international treaty being negotiated between the United States and the E.U., known as the “Umbrella Agreement,” might provide some relief by establishing formal rules about data sharing. But its final form and completion date remain unclear. I fear that the tension between the requirements of U.S. law enforcement and foreign privacy laws will get worse before it gets better. And the privacy of individuals whose data is held by companies with a U.S. presence will remain largely unconsidered.

Christopher Kuner is senior privacy counsel with Wilson Sonsini Goodrich & Rosati in Brussels and associate professor of data protection law at the University of Copenhagen.

Tech Obsessive?
Become an Insider to get the story behind the story — and before anyone else.

Subscribe today
More from Intelligent Machines

Artificial intelligence and robots are transforming how we work and live.

Want more award-winning journalism? Subscribe to Insider Basic.
  • Insider Basic {! insider.prices.basic !}*

    {! insider.display.menuOptionsLabel !}

    Six issues of our award winning print magazine, unlimited online access plus The Download with the top tech stories delivered daily to your inbox.

    See details+

    Print Magazine (6 bi-monthly issues)

    Unlimited online access including all articles, multimedia, and more

    The Download newsletter with top tech stories delivered daily to your inbox

You've read of three free articles this month. for unlimited online access. You've read of three free articles this month. for unlimited online access. This is your last free article this month. for unlimited online access. You've read all your free articles this month. for unlimited online access. You've read of three free articles this month. for more, or for unlimited online access. for two more free articles, or for unlimited online access.