WASHINGTON—A panel of legal experts says that a case in which federal prosecutors are demanding email data from Microsoft that resides on a server in Ireland could result in violations of the U.S. Constitution as well as international law and a variety of treaties.
In that case, Microsoft declined to provide the emails in question when served with a warrant under the terms of the Electronic Communications Privacy Act (ECPA). The company objected, saying that a warrant can’t compel the delivery of evidence outside the borders of the United States. The government is using a warrant because it doesn’t want Microsoft to tell the sender of the email about the demand for information.
Legal experts in the U.S. and in Europe say that the attempt to gain access to information held on European servers is a violation of international law in addition to an existing mutual assistance treaty already in place between the U.S. and the EU.
Panelist James Garland, a partner in the law firm of Covington & Burling, who represents Microsoft in this case, said that if the federal courts uphold the prosecutor’s demands, other nations will have a free hand to gather data from computers in the U.S. This could mean, for example, that China or Russia could sift through the data of U.S. companies within the U.S., using warrants as a pretext, and do it legally.
But the potential damage goes far beyond the threat to corporate data in the U.S. According to Michael Vatis, a partner at Steptoe & Johnson, who represents Verizon, a decision that would allow U.S. prosecutors to ignore foreign privacy rules also would erode trust in U.S. companies.
“This puts American companies at a disadvantage,” Vatis said. He noted that senior officials at the EU are expressing alarm at the potential conflict with laws in Europe.
One such official is EU Vice President Viviane Reding, who expressed her concerns in a letter to European Parliament Member Sophie in ‘t Veld, which was provided by Ms. Veld, who represents The Netherlands.
“The [European] Commission’s concern is that the extraterritorial application of foreign laws (and orders to companies based thereon) may be in breach of international law and may impede the attainment of the protection of individuals guaranteed in the Union,” she wrote. Reding noted that the effect of the U.S. District Court magistrate order is that it bypasses existing formal procedures between the U.S. and the EU.
Microsoft Lawyer Warns of Dire Consequences if U.S. Wins Warrant Case
“The Commission has raised this issue with the U.S. government on a number of occasions,” she wrote. So far there’s no indication that the U.S. government has responded to the concerns of the European Commission.
Meanwhile, the EU is taking action on its own. The British Parliament has recently passed a law that would allow law enforcement in the UK to serve warrants on companies with a presence in Europe for information, even if it’s regarding events outside the UK. The law is written so that British law enforcement and intelligence agencies could read foreign emails on the basis of such a warrant.
Until this case, warrants in the U.S. were held to apply to information and evidence that is within the borders of the United States. Now, the Department of Justice is presenting the theory that if the person reading the information is in the U.S., it still counts.
This problem has arisen because the ECPA allows warrants for data stored electronically and those warrants don’t have to be disclosed to the person who is the subject of the investigation. But to get to data held by a company outside the U.S., a subpoena is required and a subpoena can be disclosed to the target of the investigation so that they can object to it, go to court to have it overturned or take other action.
Because the Department of Justice wants the emails of the subject of the investigation, but doesn’t want them to find out about their inquest, they want to use a warrant. To accomplish this, the DoJ has invented the concept of a hybrid warrant that is also part subpoena. This is a novel concept that hinges on the agreement of the courts. So far a single magistrate has agreed with the government.
Complicating matters is the existence of mutual assistance treaties between the U.S. and the EU, and between the U.S. and Ireland, which is where the email data is actually located. So far there’s no indication that the prosecutors have made any attempt to utilize this existing pathway to get what they want. The reason, as explained in the government’s court documents, is that the process is difficult and it’s slow.
The bottom line is that the Department of Justice would rather violate the privacy of email users, create an unwinnable international legal conflict, strain relations between the U.S. and Europe and ruin the trust in U.S. companies instead of putting forth a little effort and following the law. The case goes to trial in the U.S. District Court for the Southern District of New York on July 31. You can assume that no matter who wins, it will be appealed.