Widespread adoption of cloud computing has been a game changer for many businesses. However, the high-profile data privacy case that pits Microsoft Corp. against the U.S. Department of Justice may be a prelude to stormy weather. The case, which will be argued in the U.S. Court of Appeals for the Second Circuit on Sept. 9, could determine whether the U.S. government has the power to seize the personal data of a company’s clients, even when that data resides overseas.
The case has attracted a lot of attention because Microsoft and the many companies and organizations that have supported its position fear that an adverse ruling could shake customer trust in U.S. cloud providers. Andrew Pincus, a Mayer Brown partner who filed an amicus brief for the U.S. Chamber of Commerce and other organizations, said that a government win would set a “very dangerous precedent” that could lead other countries to seize data on U.S. servers. “If the U.S. government does the same thing, how is the U.S. government supposed to oppose that?” he said.
Microsoft v. United States (aka the “Microsoft Ireland” litigation) began as a narcotics case. In December 2013, the DOJ, which declined to comment for this report, issued a warrant to access email communications of an unnamed user of Microsoft’s MSN email service in order to investigate drug trafficking. The user’s email records were stored on a Microsoft server in Dublin. But instead of seeking access to the emails through the government’s mutual legal assistance treaty (MLAT) with Ireland, the DOJ ordered Microsoft to copy the records and turn them over. The company refused and lost in the ensuing litigation before a federal magistrate judge and a district judge in the U.S. District Court for the Southern District of New York.
For its Second Circuit appeal, Microsoft has broad support from 88 amici, including the government of Ireland, numerous technology and media companies, and trade associations and advocacy groups that run the political gamut. The arguments presented by these organizations center on the Electronic Communications Privacy Act (ECPA) of 1986 and a section of the law called the Stored Communications Act, which protects data stored by third-party service providers.
The ECPA rules relevant to the case haven’t been updated since they were enacted. David Howard, Microsoft’s deputy GC and litigation chief, says the law is badly outdated. “The notion that there would be such a thing as cloud computing, that U.S. companies would have data centers outside the United States and would be holding vast amounts of people’s personal information in those data centers could not have possibly been envisioned at the time that law was enacted,” he says.
Not anticipating the cloud or other innovations, the ECPA states nothing about whether the government can access private electronic data stored extraterritorially. Microsoft argues that this silence means that, unless the U.S. Congress acts specifically to change this, the company isn’t obliged to turn over the data.
This disagreement highlights a problem. The definition of search and seizure in the physical world is usually straightforward, but when data is stored in the digital world, it’s not necessarily so. The district court held that Microsoft should hand over the data because the “Fourth Amendment moment” doesn’t actually occur until it is seized and reviewed by the government, an event that happens within the U.S. However, Microsoft and supporters see the key moment happening when the data is copied, an event that would take place in Ireland.
Supporters of Microsoft’s stance, such as Alex Abdo, staff attorney at the ACLU Speech, Privacy and Technology Project, are concerned the court’s position could lead to mass data collection. “It would mean that the government could acquire all sorts of sensitive information about Americans without ever having to satisfy their commitment under the Fourth Amendment until it later wanted to review the information,” he says.
Microsoft has also objected to the notion that the government’s warrant, which lower courts reframed as a hybrid warrant with certain powers reserved for subpoenas, applies to customer emails. “Microsoft’s position is that these aren’t our records, they are the records of the people whose emails these are, and that creates a very, very significant distinction,” says Howard. He gives an analogy: If law enforcement subpoenas a phone company for its records, that’s one thing. But a full-fledged warrant is needed to tap a phone and listen to customers’ conversations. “We think this is a similar type of situation, and the government’s position that these are merely Microsoft’s business records is simply wrong,” he says.
So what’s the outcome if the government prevails? “This provides a reason for non-U.S. companies to say, ‘Don’t use U.S. company cloud services because that means the DOJ will have access to everything. Use ours instead,’” Mayer Brown’s Pincus suggests.
For the average in-house counsel, then, the case poses not just legal compliance questions, but business concerns. Perry Robinson, associate general counsel at managed cloud computing company Rackspace Inc. (which also supports Microsoft), says if legal protections no longer apply to data stored in the cloud or through other online services, companies may drift away and have to develop—at no small expense—tools that these services once provided. “It’s going to slow their ability to operate their business and increase the cost of doing so,” Robinson says.
Regardless of who prevails, there seems to be broad consensus that data searches shouldn’t happen under a legal framework built in the 1980s. One bill circulating in Congress, the Law Enforcement Access to Data Stored Abroad Act, promises to update the ECPA by requiring that law enforcement seeking U.S. citizens’ data on servers located abroad use a warrant. Another idea is reforming the MLAT system, which includes the treaty with Ireland and which some have argued is too cumbersome.
Whatever the specifics look like, Microsoft believes that to accommodate the exponentially growing amount of information stored in the cloud, new rules need to be well-balanced.
“We’re going to continue to have this vast explosion of data in the cloud,” says Howard, “and on the other hand we’re going to continue to have this conflict and tension about who can access it, how long it can be stored, where it can be stored, until we can arrive at some sort of process and formula and methodology for how to govern these things and do so not only on a national basis but on an international basis.”
Reprinted with permission from the August 21, 2015 edition of Corporate Counsel © 2015 ALM Properties, Inc. All rights reserved. Further duplication without permission is prohibited.