Public Services

Microsoft wary of US Supreme Court foreign data access review

Neil Merrett Published 27 June 2017

Corporation’s president backs regulatory changes as opposed to allowing authorities unilateral e-mail access that could significantly infringe European and UK laws


Microsoft has warned of a potential conflict with European law should the US Supreme Court rule in favour of warrants unilaterally applying to data it holds abroad, with uncertain implications for service providers and public bodies using its services.

The US tech giant said that the country's Justice Department has asked the Supreme Court to reconsider a legal decision in favour of Microsoft that rejected allowing unilateral access for e-mail it holds in other countries if warrants are exercised.

As the UK must begin to consider its own data sharing arrangements and compliance with EU law post-Brexit, the Supreme Court's decision could have significant impacts on data privacy and international obligations in an already shifting regulatory landscape.

Legal challenges are underway on both sides of the Atlantic around the legality and effectiveness of current data sharing arrangements in and out of the EU, including the recently approved EU-US Privacy Shield replacement agreement.

The Privacy Shield had been devised to set out clear safeguards and transparency obligations for US-based organisations processing data from EU citizens, ensuring their rights with regard to confidentiality in the United States, impacting technology functions across the public and private sector.

Although there are other mechanisms available to use, the arrangement is seen as streamlining many key considerations around data handling and resolving the complex and ongoing court battles about information rights for European citizens.

However, Microsoft has now expressed concerns about the fresh US Department of Justice appeal in the Supreme Court over how it can access data held by US organisations in other countries such as the company's data centres.

Brad Smith, the company's president and chief legal officer, argued that the reconsideration by the US' top court served as a "backward step" at a time where Congress is looking at how best to revise data sharing laws for modern needs.

"The DOJ's position would put businesses in impossible conflict-of-law situations and hurt the security, jobs, and personal rights of Americans," he said.

Smith added that the incoming EU General Data Protection Regulation (GDPR), which becomes law for all member states from next year as part of a wider shift linked to privacy and online information handling, would be problematic for any unilateral right to claim data abroad.

"[Under GDPR] it would be illegal for a company to bring customer data from Europe into the US in response to a unilateral US search warrant," he said. "This type of legal conflict isn't theoretical. We have declined to comply with similar legal orders in Brazil because they conflict with US law. As a result, we have been fined, and one of our local employees was criminally charged. Neither people nor companies should be put in a position where complying with the laws of one country puts them in conflict with another country under whose laws they must operate."

Alongside potential negative impacts for the company at a time where it and major competitors such as Amazon Web Services (AWS) are expanding foreign data centres in order to better tackle customer need for 'sovereign data', Smith also warned of detrimental impacts on national security.

"While the DOJ understandably is focused on effective law enforcement investigations across borders, we're hard pressed to believe that a reversal of our case would make that situation better. Under current law we're already able to act in emergency situations and when law enforcement works together across borders," he said.

"For example, when the French authorities and the FBI cooperated and pursued proper legal process following the terrible Charlie Hebdo attack in 2015, we provided responsive emails in less than 45 minutes. Our current policy, underpinned by the standing decision in our case, also enables us to reject requests from other governments that want the email of Americans without the consent or knowledge of the US government."

Smith argued therefore that the company favoured a new law to replace legislation introduced three decades earlier as part of a process involving the Justice Department and Senate to put in new requirements and rules for information sharing.

"The litigation path the Department of Justice (DOJ) is now trying to extend in parallel to legislative progress seeks to require the Supreme Court to decide how a law written three decades ago applies to today's global internet," he said.

"The previous decision was soundly in our favour, and we're confident our arguments will be persuasive with the Supreme Court. However, we'd prefer to keep working alongside the DOJ and before Congress on enacting new law."

On the back of wider debate in the UK and other EU countries about balancing national security interests with the right to secure and private online correspondence via public and private sector service providers, human rights campaigners have argued that not enough is being done to guarantee online privacy.

The emergence of Internet of Things (IoT) technology and the implications for all personal data generated by their use is among a broader number of considerations that privacy campaigners argue will need to be addressed in future EU legislation that would have ramifications for UK law at least until 2019.

While the European Parliament's Committee on Civil Liberties, Justice and Home Affairs has recommended further safeguarding electric data and preventing any efforts to weaken encryption technology, these proposals would need support from across the EU.

At present, individual member states are looking at trying to ensure improved access to online information citing national security concerns, raising important questions about the effectiveness of encryption to safeguard communications.

In light of multiple recent terrorists attacks in the UK, Prime Minister Theresa May has accused "big companies" that provide internet-based services of giving extremist ideologies a safe space to be published and disseminated online, requiring tighter legislation.

During last week's Queen's Speech. May's government committed to protecting critical national infrastructure, as well as establishing a commission focused on countering extremism, with a particular focus on the internet and preventing safe spaces online to spread illegal material.

"A new law will ensure that the United Kingdom retains its world-class regime protecting personal data, and proposals for a new digital charter will be brought forward to ensure that the UK is the safest place to be online," said the speech.

Considering the political will to revise existing privacy legislation, the US Supreme Court decision on unilateral warrants could have significant impacts on future regulation for the UK and Europe.

Related articles:

European Parliament justice body warns against weakened encryption

Queen's Speech focuses on data, digital courts and Brexit laws

EU parliament committee raises Privacy Shield adequacy concerns


Post a comment

Comments may be moderated for spam, obscenities or defamation.

We have updated our privacy policy. In the latest update it explains what cookies are and how we use them on our site. To learn more about cookies and their benefits, please view our privacy policy. Please be aware that parts of this site will not function correctly if you disable cookies. By continuing to use this site, you consent to our use of cookies in accordance with our privacy policy unless you have disabled them.