Over the past couple of years, the U.S. government and Microsoft have been fighting a legal battle over whether Microsoft has to provide customers’ email that is stored on company servers located in Ireland. On Thursday, a federal appeals court ruled against the government, saying Microsoft was under no legal obligation to provide the data.
This case has been very closely watched, as it has very important implications for how the U.S. legal system deals with a world where data moves easily across borders.
Jennifer Daskal is an assistant professor at American University’s Washington College of Law. I asked her to explain the issues at stake in the case, and what is likely to happen next.
HF: A U.S. appeals court has just ruled that the government cannot compel Microsoft to provide customer data that was held offshore. This is a big defeat for the U.S. government. Why did the court rule this way?
JD: The question before the court was whether the government could compel, via warrant, the production of emails that were held by Microsoft in a data center in Ireland. This required an evaluation of the 30-year old Electronics Communications Privacy Act, written when the Internet was still in its infancy, to determine whether Congress intended for the relevant warrant authority to reach data held outside the United States’ borders. It turns out that Congress didn’t even contemplate, let alone intend, that possibility. Relying in large part on the presumption against extraterritoriality, the Second Circuit ruled in favor of Microsoft and concluded that the warrant authority does not reach the communications content stored abroad. If U.S. law enforcement agents want to access such data, they now need to make a diplomatic request to the foreign government where the data is located to get it.
HF: In your academic work, you’ve suggested that major problems arise when states try unilaterally to get access to data that is held outside their territory. Did these problems surface in the Microsoft case?
JD: This wasn’t directly an issue in the Microsoft case, since the U.S. government was proceeding by a warrant based on probable cause (a privacy-protective standard) and its actions did not directly conflict with Irish law. But one could easily imagine a situation in which governments around the world asserted the right to unilaterally access data, without regard to other states’ equities in the data. This would yield an almost inevitable race to the bottom in terms of the privacy protections that would apply. It would, for example, be increasingly difficult for the United States to protect its citizens’ and residents’ data from the reach of foreign jurisdictions if at the same time it was unilaterally compelling production of data from foreign jurisdictions via the kind of broad-reaching warrant authority it claimed in this case.
HF: You’ve also pointed out the problems with territorial limits on data that goes across borders. What problems are likely to arise now that Microsoft has won at the appellate level?
JD: The result is concerning. (I also would have said the same if the government had won; as I’ve written before, both sides’ positions in this case were unsatisfactory.) It will provide a strong incentive for mandatory data localization initiatives as a means of both ensuring and controlling governmental access to sought-after data. This has negative consequences for the innovative potential of the Internet, for U.S.-based companies (who are likely to be increasingly subject to competing sets of legal obligations), and for privacy rights of both American and foreign-based users. After all, the U.S. requirement — that law enforcement officials obtained warrant issued by a neutral magistrate based on a standard of probable cause before accessing the content of stored communications — is as high a standard as one will find anywhere. Data localization mandates are likely to result in foreign governments being able to compel the production of data —including of Americans — based on a much lower standard than what would apply if the data were sought by the United States.
HF: You have noted that whichever way the court ruled on this case, the political system will have to get involved in crafting a real solution. What options do American (and non-American) policymakers have to deal with these problems?
JD: Congressional action is now key. And this isn’t just me saying so. Judge Lynch wrote a powerful concurrence urging congressional action in response to the ruling. Even Microsoft’s president and chief legal officer, Brad Smith, urged Congress to reform the law in the same breadth that he welcomed and praised the ruling. The bipartisan International Communications Privacy Act — which explicitly authorizes law enforcement to obtain, via warrant, the data of U.S. citizens and other persons located in the United States, regardless of the location of the data — offers one approach to be considered. A comprehensive piece of legislation that addresses the reciprocal problem — of foreign governments seeking access to data of their own citizens and residents that happens to be located in the United States — should be considered as well. Ultimately, neither United States nor foreign government ability to access sought-after communications should turn exclusively on where data happens to be located at any given moment. It’s now up to Congress to make this change.