The Microsoft Ireland case goes before the Second Circuit Court of Appeals on September 9. The case raised this fundamental question: when U.S. law enforcement wants a U.S. email provider to provide them with information about a foreign national, whose law applies? U.S. law or the law of the data subject’s country? Microsoft’s brief, the United States brief, and legal commentary all focus on the location of the data as the key element in reaching a decision. But this leads to insoluble difficulties, no matter who wins the case. A better alternative would focus on the citizenship or the location of the user as the key element. This appropriately takes into account the privacy interest of the user in that country as well as the sovereignty interests of the country itself.
In this case, U.S. law enforcement obtained a warrant asking Microsoft for the email communications of a subscriber that were stored in Ireland. The U.S. did not assert that the data subject was a U.S. citizen or resident in the U.S. So it is widely assumed that the data subject was an Irish citizen residing in Ireland. Microsoft did not retrieve the emails from its server in Ireland and said in court that the account was subject to Irish law, that compliance with the warrant would violate Irish law and that the US warrant did not apply overseas.
The district court disagreed, relying on the rule articulated in earlier court cases, that the “test for production of documents is control, not location.” Microsoft replied that this test works for business records, not for a subscriber’s personal property such as an email communication.
Microsoft and others say that the right way to get this information is through Mutual Legal Assistance Treaties (MLATs), which provide bilateral frameworks for law enforcement to work together. In this case, U.S. law enforcement should file an information request under Irish law for the emails, and Microsoft would produce the data subject’s records in response to a valid request from the Irish government.
The case will probably go to the Supreme Court and the Congress, since the consequences of a loss on either side are significant.
If the government wins, U.S. warrants apply overseas, regardless of where the data is stored. One consequence would be to create an explicit conflict of law for Microsoft and other similarly situated companies. US law would compel Microsoft to disclose information; Irish law would forbid it. In addition, other countries and global customers would reassess the extent to which they wanted to do business with U.S. companies, since by storing information with these companies they would automatically accept the application of US law regarding access to information, regardless of where it is stored. So the business effects would be substantial for U.S. technology companies operating in a globalized information economy.
The potential effects on U.S. citizens would be equally concerning. Other countries would take the view that they can compel companies operating in their jurisdiction to produce information about U.S. citizens even if the data is stored in the United States. U.S. companies operating in China, Russia or Saudi Arabia would have to make available information they have about U.S. citizens to local governments under provisions and processes of local, not U.S. law, even if the information is stored in the United States.
But there is a reason to be concerned if Microsoft wins the case and U.S. warrants do not apply overseas – it would stimulate the adoption of data localization laws. As the Center for Democracy and Technology put it in their commentary:
“We are not unmindful of the negative policy outcomes that a Microsoft victory could propel. If warrants issued by US courts do not have extraterritorial effect and a similar rule is applied world wide on a reciprocal basis, governments may increasingly require providers (including those based in the US) to store data locally to ensure access by local officials.”
We are already seeing a proliferation of data localization laws throughout the world, most recently in Russia. But companies want the flexibility to store information wherever the network efficiencies dictate, rather than being subject to the location demands of every jurisdiction within which they operate. A Microsoft victory would convince many countries, including perhaps the U.S., that the needs of law enforcement require local storage of data where it would be subject to local access laws.
This is a no-win situation. No matter what the outcome of the court case, the result is miserable for U.S. business, U.S. citizens and indeed for all who rely on a free and open global Internet. So it is important to re-think the issue. The good news is that Congress is considering legislation. Senators Hatch and Coons have introduced the LEADS Act, which is flawed but a good first step toward setting up a workable jurisdictional framework.
The bill says that U.S. law enforcement can access information about a U.S. citizen through a warrant served on a U.S. company, regardless of where the data is stored.
However, when information about a foreign national is stored overseas, the warrant to the U.S. company would not be valid.
The bill rightly disregards location when dealing with U.S. citizens, but oddly makes it determinative when dealing with foreign nationals. As a result, if a U.S. company stored information about a foreign national in the United States, it would be subject to U.S. warrants, even though the person involved lived abroad and was subject to foreign jurisdiction. To protect their citizens, then, other countries would require that information about their citizens not be stored in the United States.
So, the LEADS Act as drafted will foster mandated data localization rules. It creates incentives for other countries to require data to be hosted outside the U.S., so as to avoid U.S. jurisdiction.
Basing the validity of warrants on the location of data is inconsistent with cloud computing norms, one of the leading forms of computing for the Internet. Cloud computing often relies upon storing data in multiple locations for redundancy, security, and latency. The LEADS Act legislates against this 21st century business model attuned to the needs of a global economy.
An alternative approach would focus jurisdiction rules on a user’s citizenship or location – rather than where the data is stored. There is broad industry support for this approach, which addresses concerns about data localization while strengthening the privacy of foreign citizens in the U.S. legal process.
But doesn’t this leave U.S. law enforcement powerless to access information about foreign nationals if they cannot get it through warrants served on service providers? No. When the data concerns a foreign national, the US government can go through the MLAT process.
The U.S. has a substantial number of these agreements with countries throughout the world. Reform of the MLAT process to make it more efficient and streamlined, including through adequate funding, is therefore crucial for a comprehensive response to the issues raised in the Microsoft – Ireland case.