Government Surveillance

CDT Argues Against Extraterritorial Warrants in Microsoft-Ireland Brief

Today, CDT argued in an amicus brief filed with the U.S. Supreme Court in the Microsoft-Ireland case that warrants issued by U.S. courts cannot compel the disclosure of communications content stored outside the United States. We explain in the brief that a contrary rule authorizing extraterritorial U.S. warrants would be an open invitation to foreign governments to insist that their own legal process compels the disclosure of data stored in the United States. This would create chaos at the expense of privacy. We also explain that authorizing the U.S. government to compel the disclosure of data stored abroad would damage the cloud computing industry by reducing trust.

Twelve civil society groups and trade associations joined CDT on the brief, including Americans for Tax Reform, New America’s Open Technology Institute, the U.S. Chamber of Commerce, the National Association of Manufacturers, and the Business Software Alliance.

We have followed the Microsoft-Ireland case closely because the Court’s decision will have worldwide implications for privacy and could spur Congressional movement on the Email Privacy Act, H.R. 699, which passed the House unanimously last year but is stalled in the Senate. The Email Privacy Act would require law enforcement officials in the U.S. to obtain a warrant in order to gain access to the contents of online, non-public communications.

The Court’s decision in this case is just one part of addressing the growing problem of cross-border data demands. Increasingly, data needed to investigate a crime in one country is stored in another country. The Microsoft-Ireland case is about whether law enforcement officials in the country conducting the investigation can, in essence, use the coercive power of a warrant served on a communications service provider to reach outside its borders to gain access to the data they need. The country where the data is stored may have data protection rules that bar or place conditions on the transfer of data, which may conflict with granting such access.

Other, more cooperative mechanisms are being explored to address this problem. These include improving the existing system of disclosures pursuant to Mutual Legal Assistance Treaties (MLATs, or bilateral agreements permitting access across borders with certain limitations); a multilateral agreement in the form of a protocol to the Budapest Cybercrime Convention that is currently being negotiated at the Council of Europe; and an initiative at the European Commission. CDT believes that robust human rights protections need to be built into any mechanism designed to facilitate cross-border demands for users’ internet communications.