Expert Speak Digital Frontiers
Published on Jul 18, 2016
The Microsoft-Ireland Ruling is a game changer for data protection and #MLAT regimes

The US Second Circuit Court of Appeals ruled last week that internet giant Microsoft had no legal obligation to turn over its stored emails from servers in Ireland to the US government. While this may seem as a reprieve for the private sector that is locked in a struggle with the US government over the custody of consumer data, it is important to analyse the verdict and gauge its significance to the evolution of privacy rights.

< style="color: #163449;">What was the case about?

Friday’s verdict is a consequence of an appeal by Microsoft from the ruling of a New York Court District Judge in April 2014 in the context of an narcotics-related investigation. The judge held that Microsoft, was obliged to turn over the contents of e-mails stored in Hotmail servers in Ireland as per a warrant issued pursuant to Section 2703 (a) of the  Stored Communications Act (SCA), which was enacted as Title II of The Electronic Communication Privacy Act,1986.

Microsoft based its arguments on the territorial limitations inherent in the concept of a  “warrant.” Microsoft argued that the United States law enforcement authorities may be empowered by a court-issued warrant to seize material located in the United States or territories controlled by the US government. This power, however, does not extend to material or data stored overseas, it said.

Deriving its arguments from the ruling of the District Court Judge, the government offered two main planks of response. First, it characterised the court warrant under the SCA as a ‘hybrid’ between a traditional warrant and a subpoena because it is executed by a service provider and not a law enforcement official. Relying on the 1983 US Supreme Court decision in Marc Rich, the government argued that a subpoena could compel disclosure of documents stored not just in the United States, but also, overseas. Second, they argued that the presumption against extra-territoriality clearly stipulated in Morrisson v. Australian National Bank would not apply here as Microsoft is an entity incorporated in the United States and the seizure of data would take place only after the data is copied in the United States.

Basing their ruling on the legislative intent of Congress, the Court ruled clearly that the SCA was not meant to apply extra-territorially. Relying on Morrisson, it held that in the absence of a clear indication within the text stipulating extra-territorial application, a statute must be presumed not to have such application. Further, given the firm legal establishment of warrants and subpoenas as two separate legal instruments issued for different purposes and under different circumstances, it also remained unconvinced by the ‘hybrid warrant’ argument offered by the United States government. Finally, it ignored the US government’s attempt to import the ratio of Mark Rich-law that was developed in the context of subpoenas to apply in the present case concerning a warrant. It stated that a subpoena issued in a tax investigation case concerning a Swiss businessman was not applicable as Microsoft was merely a caretaker of the data in the present case rather than the object of investigation.

< style="color: #163449;">A victory for data protection?

A concurring opinion by Judge Gerard Lynch in this case notes that it is not about the right to privacy of US citizens as Microsoft also disputes its obligation to facilitate disclosure of data stored on its servers in the United States in the case of pressing national security concerns. At first glance, therefore it appears that the data of US citizens are at the mercy of the corporations that hold them.

However, the majority concurring opinion chalks out an eloquent exposition of individual privacy. The Court recognised that the ECPA was enacted to protect the privacy of users of electronic communication services or remote computing services and imposed obligations of non-disclosure on service providers. However, the statute contained exceptions such as the warrant provisions and was drafted well before the era of ‘cloud storage.’ There is therefore an urgent need for Congress to update the antiquated legislation for its original purpose to be served in the present day and age. The Court, however, does state that it is well within the Court’s powers to protect the privacy interests enshrined in the Fourth Amendment although this case did not include such questions. By doing so, the Court enables future judicial intervention in the continuing balancing act between privacy and national security concerns.

< style="color: #163449;">Implications for the MLAT process?

The Irish government had filed an amicus curiae brief in the present case before the Second Circuit Court stressing that the data could only be obtained by following the procedures outlined in the Mutual Legal Assistance Treaty (MLAT) between USA and Ireland. While the Court recognised that obtaining the data through a MLAT is an arduous process, in the absence of Congressional intent to apply the ECPA extra-territorially, the data could not be procured from the Irish servers. The ruling should therefore come as a major relief to the international community, which was wary of snooping by the United States government. Traditional principles of international law on jurisdiction apply to data stored on clouds as well and cannot be subverted by the United States. At the same time, the court has arguably left it open for Congressional amendments to further streamline MLAT processes.

This ruling will certainly have an impact on the ongoing negotiations between US and UK on cross-border data flows that gets around the excruciatingly slow information sharing process. The US government may consider negotiating a similar deal with Ireland. Coincidentally, two days after the ruling, the European Commission formally adopted the EU-US Privacy Shield that regulates transatlantic data flows. Formerly known as the Safe Harbour Agreement that was invalidated by the European Court of Justice (ECJ) in a judgment last year, the Privacy Shield imposes stronger obligations on US companies to protect the personal data of Europeans and is modelled on the guidelines provided by the ECJ. The US government’s manoeuvres in response to the enactment of the Privacy Shield will be one of the key drivers in the landscape.

2016 has already been a pivotal year in the discourse on privacy and data protection. Much like the recent ruling by a New York District Court judge on the unlocking of an iPhone, the judiciary in this case has reserved the right to shape the contours of data protection. With the stunning pace of developments in this field, it may only be a matter of time before we see more concrete intervention from the judiciary.

The author is at The West Bengal National University of Juridical Sciences.

The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.