Microsoft case underscores legal complications of cloud computing
A CASE OF GLOBAL INTEREST
The Supreme Court heard arguments late last year in another case involving the Stored Communications Act, Carpenter v. United States. At issue is whether the government’s pursuit of cell-tower data from a criminal suspect requires a warrant or merely a court order authorized under the statute that does not require meeting the same probable cause standard of a warrant.
That case is mostly an issue of domestic concern. But the Microsoft case has attracted interest from as far away as New Zealand, Ireland, the United Kingdom and the European Union.
Allyson Ho, a partner at Morgan, Lewis & Bockius, filed an amicus brief on behalf of the New Zealand privacy commissioner. In support of neither party, she wrote in the brief: “Applying [the Stored Communications Act] to data held in New Zealand could entail civil and, for certain data protected under New Zealand law, criminal liability.”
U.S. technology industry groups and other business interests, as well as privacy advocates and others, back Microsoft. The federal government, meanwhile, is supported by a group of 35 states that worries a ruling for Microsoft could hamper state investigations of crimes such as drug trafficking and child sexual exploitation.
“The risks to public safety of the 2nd Circuit’s decision are real and immediate,” says Benjamin D. Battles, the solicitor general of Vermont and the main author of the states’ brief.
SETTING A BAD PRECEDENT
Ireland, the host country of the data center at issue, argued in an amicus brief (in support of neither side) that it has a treaty with the United States for mutual cooperation on law enforcement matters.
“Ireland therefore considers that the procedures provided for in that treaty represent the appropriate means to address requests such as those which are the object of the warrant in this case,” the country’s brief said, suggesting it does not support the U.S. government’s broader view of its investigative authority.
The Brussels-based European Commission, representing the EU’s 28 member states, stressed in an amicus brief (also for neither side) the EU’s strong data privacy regulations.
Storing data in an EU country and “transferring it from the European Union to the United States constitutes data ‘processing’ to which the EU data protection rules apply,” the brief said.
Microsoft has expressed concern that fulfilling the U.S. government’s warrant in this case would subject the company to harsh financial penalties when even stronger EU data protection rules go into effect in May.
But the United Kingdom takes a different tack. It said in a brief that when seeking electronic data from a U.S.-based provider, it often seeks to make the request through an existing mutual assistance treaty with the United States.
But the nation passed a law in 2016 that “enables the compulsion of an overseas provider offering services in the U.K. to provide certain electronic communications sought by a U.K. warrant despite those communications being stored outside of the U.K.”
The United Kingdom argued that a location-based approach to law enforcement access to data “no longer makes sense in the digital age.”
Andrew J. Pincus, a Mayer Brown partner who filed an amicus brief on behalf of business and privacy groups, says the desire of the United States and United Kingdom to reach into other countries to obtain data sets a bad precedent.
The brief was signed by, among other groups, the BSA (an association representing tech companies that include Apple and Microsoft); the U.S. Chamber of Commerce; and the Center for Democracy and Technology, a Washington, D.C.-based privacy advocate.
“If the Chinese government—or pick your country—could call in Microsoft and say, ‘Get me Andy Pincus’ emails, or get me this reporter’s emails,’ that would be quite concerning to most Americans,” Pincus says. “Both consumer advocates and companies are worried about the government’s accessibility to their information without going through the legal process that protects them in their own country.”
This article was published in the February 2018 issue of the ABA Journal with the title "Data Reach: How far can law enforcement authorities go when seeking electronically stored information outside the United States?"