In 2014, Microsoft received a search warrant from the Department of Justice (DoJ) asking the company to hand over data from its data centre in Dublin as part of a DoJ investigation into drug trafficking. The DoJ wanted to access private emails and other data belonging to a suspected trafficker.
Reuters reports that the court case is currently being heard by the US Supreme Court, after the Department of Justice appealed the rulings of the lower courts. Microsoft successfully challenged the DoJ in the appeals process, after losing at first instance.
The wider issue at stake here is whether law enforcement should be able to demand access to data in third countries from US-based companies.
The European Commission has submitted its opinion to the Court on behalf of the European Union, acting as amicus curiae. The EU aims to remain neutral in this case, but the brief states that EU-US data transfers are bound by EU data protection rules as well. Such requests from the US government would likely contravene existing laws, let alone the GDPR, which further restricts the possibilities for data transfers to countries outside the EU.
Many took exception to the US Government’s attempt to apply its own search warrants to another country. The New Zealand Privacy Commissioner has also filed a submission to the Supreme Court decrying these attempts and stressing the importance of mutual cooperation between countries, which Microsoft also argues for. Official channels for this exist in the form of “mutual legal assistance requests”.
This attempt to exercise extraterritoriality is generally frowned upon, but the DoJ argued that this doesn’t apply since Microsoft can easily retrieve the data from within the US, thus falling within US jurisdiction. The US already has similar provisions for US banks, which in some cases must provide data such as financial records even outside the US, as they are considered to be ‘data controllers’. The DoJ extends a similar line of reasoning to Microsoft.
The UK also passed a similar law in 2014, requiring IT companies to provide e-mails from all over the world when asked by its agencies.
Microsoft, which owns over 100 data centres in over 40 countries, considers these warrants an attack on the integrity of cloud services. If these data requests prove to be legal, then consumer confidence in cloud-based storage services could plummet.
Most tech companies support Microsoft’s stance. They fear that they would find themselves in a very difficult situation. If they had to provide the data, they would essentially face the choice of violating either US or EU law. At the very worst, it could lead to US tech companies being shut out of the EU market altogether.