From a data protection perspective, over the past twelve months some very important developments in data protection law have taken place. On July 14, 2016 another milestone emerged.
In 2013 a New York magistrate judge issued a warrant in a drug trafficking investigation, directing Microsoft to seize and produce certain e-mails by granting the F.B.I. access to a customer’s email-account under § 2703 of the Stored Communications Act (“SCA”), 18 U.S.C. §§ 2701 et seq.
The catch, however, is that the server containing the emails is located in Ireland.
Is it legal to access a server located in another country? The U.S. Government thinks it is.
The U.S. Government claimed that it had the right to order Microsoft to grant the FBI remote access to the relevant information, arguing that is was irrelevant, in which country a subject to U.S. law stored their records.
Microsoft challenged the warrant in court, arguing that the U.S. government would violate territorial limitations of jurisdiction and thus another nation’s sovereignty. When the motion to quash the warrant was denied by the district judge, Microsoft was held in contempt of court for refusing to execute the warrant.
Microsoft soon gained tremendous support: 28 technology and media companies, 23 trade associations and advocacy groups, and 35 leading U.S. computer scientists. Even the Government of Ireland itself filed amicus briefs with the court. Also, Ireland reminded the U.S. Government that there were bilateral agreements in force that would actually enable the United States to receive administrative assistance from Ireland. The U.S. Government did not cease to insist on enforcing their warrant.
U.S. based companies feared the action’s outcome and supported Microsoft in the warrant case
Despite the attention this case gained internationally, at least in the data protection community, the odds seemed to be in favor of the Governments’ position, when in April of 2016 the U.S. Supreme Court upheld amendments to Rule 41 of the Federal Rules of Criminal Procedure, allowing magistrates to issue warrants to use remote access in order to search storage media and to seize copy stored information located within or outside that district. Beforehand, a magistrate’s authority was limited to his jurisdiction’s boundaries.
In its ruling, the Second Circuit’s Court of Appeals found that rule 41 cannot be applied in the present case:
“In light of the plain meaning of the statutory language and the characteristics of other aspects of the statute, we conclude that its privacy focus is unmistakable.”
(…)
„ We conclude that Congress did not intend the SCA’s warrant provisions to apply extraterritorially. The focus of those provisions is protection of a user’s privacy interests. Accordingly, the SCA does not authorize a US court to issue and enforce an SCA warrant against a United States‐based service provider for the contents of a customer’s electronic communications stored on servers located outside the United States. The SCA warrant in this case may not lawfully be used to compel Microsoft to produce to the government the contents of a customer’s e‐mail account stored exclusively in Ireland”
The court upheld data protection principles and effectively limited the FBI’s attempt to expand their competencies beyond U.S. borders under the Stored Communications Act.
Now, why do we think this case must be viewed as a landmark for data privacy? Now, in our view this case truly is a landmark in data protection law for two reasons:
First of all, we believe that an adverse ruling would have been a major blow to using cloud services offered by U.S. companies: The possibility to “search and seizure” data stored in Europe would virtually have compromised the entire cloud business model, as data controllers wouldn’t be able to adequately secure their data subject’s data.
Secondly, it shows us that –be it out of business interests or morally driven reasons– IT companies all over the world start to accept data privacy as a major factor for gaining and maintaining their customers’ trust and confidence.
Along with the invalidation of Safe Harbor, Apple’s refusal to follow the FBI’s order to help circumventing their iPhone security measures, and the adoption of the European General Data Protection Regulation, we deem this ruling one of data protection’s landmarks of the past 12 months.
What does Brad Smith say about Microsoft winning the Warrant Case?
As a closing note, we would like to quote Brad Smith, Microsoft’s Chief Legal Officer, who wrote in the Microsoft blog:
“(…) since the day we filed this case, we’ve underscored our belief that technology needs to advance, but timeless values need to endure. Privacy and the proper rule of law stand among these timeless values. We hear from customers around the world that they want the traditional privacy protections they’ve enjoyed for information stored on paper to remain in place as data moves to the cloud. Today’s decision helps ensure this result.
Finally, as we’ve recognized since we filed this case, the protection of privacy and the needs of law enforcement require new legal solutions that reflect the world that exists today – rather than technologies that existed three decades ago when current law was enacted. We’re encouraged by the recent bipartisan support that has emerged in Congress to consider a new International Communications Privacy Act. We’re also encouraged by the work of the U.S. Justice Department in pursuing a new bilateral treaty approach with the government of the United Kingdom.
Today’s decision means it is even more important for Congress and the executive branch to come together to modernize the law. This requires both new domestic legislation and new international treaties. We should not continue to wait. We’re confident that the technology sector will continue to roll up its sleeves to work with people in government in a constructive way. We hope that today’s decision will bring an impetus for faster government action so that both privacy and law enforcement needs can advance in a manner that respects people’s rights and laws around the world.”