A View from Christopher Kuner
U.S. Warrants for Overseas Data Trample Foreign Privacy Laws
Microsoft’s failed efforts to resist a U.S. warrant for data stored in Ireland show how American law enforcement policies conflict with foreign privacy laws.
U.S. Internet companies, and indeed all multinationals with a presence in the United States, appear to be trapped between the data access requirements of U.S. law enforcement agencies and foreign privacy laws.
Microsoft is involved in ongoing litigation against a search warrant issued in December 2013 by a U.S. magistrate, authorizing the search and seizure of e-mail accounts hosted by Microsoft. The company objected to the warrant with regard to data stored at its data center in Ireland, claiming that U.S. courts are not authorized to issue warrants for extraterritorial searches. Microsoft also argued that if it turned over data stored abroad to the U.S. government, it would be more difficult for the company to resist requests by foreign governments for data stored in the U.S. But on April 25, the magistrate judge who issued the warrant found in favor of the government. On July 28, Judge Loretta A. Preska of the U.S. District Court for the Southern District of New York affirmed that decision.
These two decisions turned on the question of whether the search warrant constitutes an extraterritorial search and seizure. Microsoft argues that it does, since it directs the company to produce information stored outside the United States. The government’s argument is that because Microsoft is subject to U.S. jurisdiction, it must turn over data it controls regardless of where the data is stored.
This may be the first case in which a company has formally opposed a U.S. search warrant concerning data stored abroad. But it is not surprising that other major companies (like Apple, AT&T, and Verizon) have publicly supported Microsoft’s position. The revelations of Edward Snowden have put them all under increasing pressure to resist U.S. requests for data access. The disclosures have also intensified their awareness of conflicts between foreign privacy legislation and the demands of U.S. law enforcement.
Dozens of countries around the world grant broad privacy protection to data processed for commercial purposes (the U.S. is one of the few that do not). They generally do not allow data to be transferred to foreign authorities without the approval of local regulators.
U.S. companies have already begun losing business with foreign customers because they are subject to U.S. data access requests. (For example, in June the German government cancelled a contract with Verizon for Internet services). Many more companies have a commercial incentive to contest these cross-border requests for data. The issues raised in the Microsoft case are relevant to all companies subject to U.S. jurisdiction, not just those in the Internet sector—including companies based abroad but active in the U.S. market.
Microsoft has stated that it will appeal Judge Preska’s decision, and sources in the U.S. legal community tell me that the case could eventually go all the way to the U.S. Supreme Court. But while Microsoft’s argument that the case has major policy implications is compelling, the U.S. government’s position may be difficult to overcome under the current state of the law.
What is disappointing about the discussion in this case so far is that it concentrates on the respective interests of companies and law enforcement. The privacy expectations of the Internet users whose data may be accessed have received little attention.
The best way to resolve this conflict would be to make changes to U.S. legislation that balance the interests of companies and law enforcement while taking the privacy expectations of individuals into account. However, the current gridlock in Washington seems to make that impossible. An international treaty being negotiated between the United States and the E.U., known as the “Umbrella Agreement,” might provide some relief by establishing formal rules about data sharing. But its final form and completion date remain unclear. I fear that the tension between the requirements of U.S. law enforcement and foreign privacy laws will get worse before it gets better. And the privacy of individuals whose data is held by companies with a U.S. presence will remain largely unconsidered.