Should the FBI use US cloud companies to access data held in Europe?
And what does the European Commission have to say?
A critical case is now working its way through the US courts—one that raises important questions for users and providers of cloud services in both the US and Europe. As part of a US criminal investigation, a US federal court has ordered Microsoft to hand over a customer’s files that the company holds in its Ireland data centre. Microsoft has refused to comply with this order, arguing among other things that a warrant issued by a US court is not sufficient to reach content stored outside US territory, and that the US government must obtain the assistance of the Irish authorities.
The crucial question here is: what rules apply when one country demands that a service provider with a physical presence on its territory give its authorities access to communications stored in another country? Because larger policy questions are at stake, CDT and other public interest groups are filing briefs in the case on 15 December. And recently, Dara Murphy, the Irish Minister for European Affairs and Data Protection, asked the European Commission to file its observations. The Commission is now considering adding its voice to the conversation. CDT believes that the European Commission’s views would be helpful in shaping the outcome.
CDT believes that in the law enforcement context, the best way to accommodate the interests of both governments is through the process established under Mutual Legal Assistance Treaties (MLATs).
The European Commission has a responsibility to safeguard ‘fundamental rights’ in Europe, including the rights to privacy and data protection. The Commission takes this role very seriously. It has proposed a comprehensive and ambitious overhaul of EU data protection laws, and following the Snowden revelations, it urged the US to swiftly rebuild trust in EU-US relations.
The policy issues raised by the Microsoft case are important and complex, and deserve significant attention as well. Today, technology and communications companies offer their services to customers around the globe and store data on dispersed servers linked though global communications networks. This is the backbone of the booming cloud services. As this trend continues, we are likely to see more and more instances in which two or more governments claim legitimate interests in the same piece of data.
CDT believes that in the law enforcement context, the best way to accommodate the interests of both governments is through the process established under Mutual Legal Assistance Treaties (MLATs). Such agreements exist between the EU and the US, and between Ireland and the US. However, in the Microsoft case, the US government is seeking to avoid the MLAT process. Instead, the government is arguing that a US court can simply issue a warrant that would compel Microsoft to copy and disclose data stored in Ireland. While there are challenges with the MLAT process, MLAT reform – rather than trying to sidestep MLATs altogether – is the best path forward.
If the US government’s view prevails, other governments may feel justified in demanding access to communications content stored on servers in the US, pertaining both to US citizens and residents, and others. This is a very real concern, as demonstrated this past July when the UK Parliament passed legislation to extend the territorial reach of warrants issued by UK law enforcement authorities to the entire world. The European Commission was asked for its view on this legislation as well, although so far it has kept its own counsel about this.
An open debate, led by the European Union and the United States, should focus on improving the MLAT system.
On the other hand, if the court decides that warrants issued by US courts do not have extraterritorial effect and a similar rule is applied worldwide on a reciprocal basis, governments may increasingly require providers (including those based in the US) to store data locally to ensure access by local officials.
Both of these scenarios are unappealing and could have serious consequences for users’ interest in protection of their data, and for technology companies providing services worldwide. An open debate, led by the European Union and the United States, should focus on improving the MLAT system. In the meantime, many people and institutions – not least the US 2nd Circuit Court of Appeals, which is hearing Microsoft’s appeal of the decision in the lower court – might like to know what the European Commission has to say about the case and the questions it brings up.