Has international data storage become a strategic choice following the Microsoft judgment?

Written on 22 Sep 2016

A US court has recently ruled that Microsoft does not have to allow the US
government access to personal data (in the form of a Microsoft Hotmail user’s
emails) stored on an overseas server. The case is significant because it has
provided US cloud service providers, which have invested heavily in setting up
data centers in the EU, with greater legal certainty regarding access to data
by US authorities. In refusing to hand over the data, Microsoft has publicly
drawn a line in the sand, demonstrating to its European customers that it is
prepared to challenge the US legislature in order to protect EU-based personal
data and prevent its transfer to, or access by, the US government (the only
exception to this perhaps being some cases related to criminal and terrorist
investigations). Since the ruling, Microsoft has also boosted its EU data center
capacity by announcing that its first UK cloud computing data centers are up
and running.

What happened?

In an attempt to access e-mails (in relation to a narcotics case) from a
personal email account held on a server in Ireland, the U.S. government
obtained a warrant under the Stored Communications Act of 1986 (SCA) to gain
access to the emails of a Microsoft customer held by Microsoft on a server in
Dublin.

Microsoft refused to hand over the data, arguing that such a warrant should not
apply to data held outside of the United States. The US government, however,
argued that the physical location of the files was irrelevant, as Microsoft (as
a U.S. company) had full control over them.

Central to the case was the interpretation of the SCA in the context of international
data storage. The SCA itself is part of the Electronic Communications Privacy
Act (ECPA). The ECPA, being 30 years old, was (unsurprisingly) not drafted in a
way which predicted the concept of data stored across multiple jurisdictions.
One of the key issues considered was whether US law should be applied
internationally. According to the US Supreme Court, this should not take place
unless Congress is clear during its development and enactment that any such law
should apply beyond America’s borders. Microsoft argued that applying US search
warrants outside the United States would set a dangerous precedent, and
generate a “global free-for-all” in the use of such warrants which
would directly conflict with general data privacy principles.

The Second Circuit court agreed with Microsoft, holding that the SCA was not
drafted in a way which envisaged searches taking place outside its borders, and
there was no evidence to demonstrate that international application had been
anticipated by Congress in the SCA. It is worth noting, however, that the judge
here also argued strongly that the SCA needs to be updated in order to take
into account developments in relation to the storage of electronic personal
data. It remains to be seen whether the decision will be appealed to the
Supreme Court.

Interestingly, the case turned on where the data was actually stored – a decision which was
not taken by the Microsoft Hotmail user but by Microsoft itself as part of its
international technology infrastructure (i.e. there was no active decision by
the Hotmail account owner to store data outside of the US). It is also
interesting that the judge noted that there was nothing in the record to
indicate whether the owner of the e-mails being sought by the U.S. government
was a U.S. citizen or resident. By its nature, cloud storage means that the
location of data storage is often largely irrelevant from a consumer
perspective, although in this case the physical location of Microsoft’s server
was pivotal in the decision to uphold its argument. Indeed, the nature of
contemporary data storage means that often different pieces of related data can
be held in multiple jurisdictions, rather than on one server rack in a single
country.

For now, the case seems to strengthen the position of those technology companies
wishing to store personal data across multiple jurisdictions and offer their
customers relative confidence about the privacy of their information. However,
it does not completely rule out access through other well-established, but more
stringent and specific routes, such as international mutual legal assistance
treaties, which are applicable in limited circumstances.

What about government access to data?

As well as providing US cloud service providers, which have their servers outside
of the US, with greater legal certainty regarding the data protection law
compliance of their services offered in the EU, this judgment could pose a
serious question as to the relevance of the levels of data protection in the US
in cases where data is stored on EU servers, as the US government may no longer
have access to data stored on servers outside of the US. Many cloud service
providers (such as Amazon Web Services) now offer users the option to choose
where their data is stored. If the rationale of the judgment is followed and a
user consciously opted to store their data on an EU server, the US government
would no longer have access to that data (as opposed to a situation where data
was held on a US server), potentially creating a way to circumvent US government
data access.

The bigger picture

This case also comes at a time when international data transfers and data privacy
rules are under even more scrutiny as a result of the introduction of the EU-US
Privacy Shield, challenges to EC approved Model Clauses for transferring
data to the U.S. and the introduction of the new EU General Data Protection
Regulation (GDPR) in May 2018.

These recent regulatory changes are generally perceived to be a step in the right
direction for data privacy law, and it may be that the US legislature will face
increasing pressure to update US law (in the form of the SCA) at a time when EU
regulation is undergoing significant overhaul. If this is the case, however, the
challenge will be to ensure that any new legislation is flexible enough to
remain relevant as technology continues to evolve at its seemingly exponential
rate. As far as international data storage is concerned, until such change
occurs the debate will continue and we will have to wait and see whether the
Supreme Court will get to have the final say in the matter.