Microsoft won a significant legal victory when the U.S. Circuit Court for the Southern District of New York found on July 15 that the company was right to refuse to turn over the contents of an email account to investigators from the U.S. Department of Justice.
But it was also a win for every other company in the United States that has data stored outside the United States. It was also a victory for overseas companies and governments around the world that were concerned about the U.S. government’s efforts to access data stored around the world or even as it zipped along the Internet.
That concern was so great that the DOJ demands on Microsoft were one of the reasons the European Courts of Justice invalidated previous agreements between the United States and the EU on sharing data. Those demands were effectively driving a wedge between the United States and the EU because European legislators feared how far the U.S. intelligence and police agencies would go to gain access to data on European servers.
In this case, the data in question was the contents of email stored on a Microsoft server located in Ireland that belonged to a person who was a citizen of the EU. The court found that the warrant that the Justice Department was attempting to use to force Microsoft to turn over the email was invalid since it could only apply to data located within the United States.
For now, at least, Microsoft is off the hook in regards to the email in Ireland. In an effort to make sure it stays that way, the company has begun implementing a series of data centers that cannot be accessed from the United States as a way to prevent having to comply with such demands in the future. But Microsoft may not have heard the last of this case from the DOJ.
While at this point the DOJ has not announced any plans to appeal, a number of observers have said that an appeal to the U.S. Supreme Court is likely. The reason is that the DOJ wants to be able to continue demands for information located overseas and isn’t likely to give up without a fight. Meanwhile, there are growing cries for legislative clarification.
In his concurring opinion to the majority ruling, Circuit Judge Gerard Lynch wrote strongly of the need for Congressional action. “Although I believe that we have reached the correct result as a matter of interpreting the statute before us, I believe even more strongly that the statute should be revised with a view to maintaining and strengthening the Act’s privacy protections, rationalizing and modernizing the provisions permitting law enforcement access to stored electronic communications and other data where compelling interests warrant it.”
There is a need, Lynch wrote, to clarify “the international reach of those provisions after carefully balancing the needs of law enforcement (particularly in investigations addressing the most serious kinds of transnational crime) against the interests of other sovereign nations.”
Microsoft’s Win in Email Case Brings Calls for Legislative Reforms
Judge Lynch’s concerns were echoed by Microsoft President and Chief Legal Counsel Brad Smith, who said in his blog that Congress needed to act now. “Today’s decision means it is even more important for Congress and the executive branch to come together to modernize the law. This requires both new domestic legislation and new international treaties. We should not continue to wait.”
There is a real risk to prolonged delay on legislation. While Microsoft has won this round, and while there’s no indication as yet of whether the DOJ will appeal, the fact is that the DOJ is not going to give up unless it’s forced to do so. The only way for that to happen is for legislation specifically laying out what the department is allowed to do and what it’s not allowed to do.
By failing to act, one thing is certain—that the DOJ will keep trying to find ways to grab the information it wants, regardless of whether it’s protected by the U.S. laws, by international treaties or by the laws of other nations. If the DOJ doesn’t get legislative direction, those attempts will continue.
The outcome of such continued attempts to gain access to information held in other countries will be that those other countries will try to gain access to information in the United States. Such a race to extract information from other countries by other countries will turn into a free-for-all where international agreements cease to matter.
Fortunately, there are currently international agreements that do matter. But the DOJ has apparently decided they are too inconvenient to use. Those agreements, known as mutual legal assistance treaties or MLATs, provide the means for law enforcement agencies in one country to request data from another.
The circuit court pointed out the existence of these treaties between the United States and Ireland and the United States and the EU as a primary reason for overturning the previous decisions and the warrants that were involved.
Both Smith and Lynch have stressed that part of the solution has to be updating those existing agreements. Now that new treaties will have to be negotiated with the exit of the United Kingdom from the EU, perhaps this is the perfect time.
But no matter how the process works, the Department of Justice can’t simply be allowed to demand whatever data it wants, wherever in the world it might reside, regardless of the laws in those other countries.
Besides hurting the privacy interests of U.S. citizens and U.S. business interests, the lack of clear legislative guidance will lead to chaos when authorities in other nations either demand access to data residing in the United States or decide to restrict the international flow of data to defend their own sovereign privacy interests.