Microsoft’s data sovereignty battle: a disaster or triumph in the making
Did you hear the one about a US judge claiming its jurisdiction extends to the Republic of Ireland? Possibly not – data sovereignty isn’t exactly sexy – but the outcome of a long-running legal battle between Microsoft and the Southern District of New York, which revolves around exactly this issue, could be one of the most important legal decisions in the history of the internet.
The dispute focuses on emails from a single Outlook.com account, which are stored in Microsoft’s Dublin data centre. In December 2013, a New York court issued a search warrant compelling Microsoft to hand over the emails, so they can potentially be used as evidence in a federal narcotics case. Microsoft searched for the relevant account and found all the data was stored in Ireland. Consequently, it refused to hand over the information, claiming the court has no jurisdiction overseas and therefore the warrant was void.
The court disagreed, with chief judge Loretta Preska of the US District Court in Manhattan saying: “It is a question of control, not a question of the location of that information.”
Nevertheless, Microsoft has stuck to its guns, and refused to hand over the information. Its most recent reply brief, in which it calls the warrant “impermissible”, is available to read in full here.
While Microsoft is putting up a valiant fight, eventually, the company and the unnamed US agency that applied for the warrant (thought to be the FBI but, as the warrant was sealed, there’s no way of confirming this) will run out of appeal options. Which side the chips fall on will determine the future of web-based email and cloud services in general.
Following the introduction of the Patriot Act in 2001, an exception known as “Safe Harbour” was introduced to allow tech companies handling customer data to continue to operate within the EU without breaking data protection regulation.
Safe Harbour has consistently been used by cloud service providers to reassure businesses in particular that using their products is both secure and legally compliant. Preska’s ruling effectively obliterates this agreement, and would mean US courts could issue warrants for execution in foreign countries without consulting the nation in question’s law enforcement agencies.
If the US agency wins
Of the two possible outcomes of this case, this would be the worst for all American multinationals that store customer data. They would lose massive amounts of business as EU companies withdraw from their cloud-based services in order to comply with our stringent data protection rules. It would likely lead to a tightening of our legislation as well.
From a consumer point of view, it could prevent these companies from processing customer transactions electronically, as doing so could also be in breach of data protection legislation. In short, it would open up a huge can of worms on the business side, although European cloud providers would probably get a boost, providing they have no US presence.
Given this potential outcome, it’s no wonder companies like Apple, Amazon, HP, eBay and Rackspace, as well as American business organisations, have come out in support of Microsoft.
Such a decision could also have a serious impact on diplomatic relations. To say the Irish Republic has a close relationship with the US would be putting it extremely mildly, and yet the nation’s government has already waded into the argument on the side of Microsoft. Declaring unilaterally that you have jurisdiction in another territory is a big deal, and one that’s unlikely to impress that nation.
It also sets a dangerous precedent in terms of privacy, sovereignty, and the role of America in the world – theoretically, we would be subject to US laws as well as our own. This is likely why the ACLU, Electronic Frontier Foundation and Center for Democracy and Technology have waded into the discussion on Microsoft’s side as well.
If Microsoft wins
I’ll make no bones about it, this is undoubtedly the best possible outcome of the case. For the cloud industry, it would solve once and for all the question of whether companies’ sensitive data is safe with American providers. For companies, it would potentially remove some of the compliance barriers currently faced when moving to the cloud. For everyone in general, it would mean we’re safe from the intrusion of a foreign legal system, and foreign agencies, into our digital lives (overtly at least…).
But, there’s still a potential fly in the ointment. As Microsoft has pointed out repeatedly in its court filings, only the US Congress can change legislation. The problem is that, while unlikely, the change could be made in favour of executing search and seizure warrants on data held abroad.
There is a third option, though. Microsoft has already shown it’s willing to be in contempt of court by refusing to obey previous orders to hand over the data. It would be a gamble on the company’s part, but it could defy a final ruling in the event it lost the case. As the data is physically stored overseas, US law enforcement would be unable to raid Microsoft and take the storage media in question – the only way to access it would be to seek a judgment through the Irish courts, which may or may not be granted.
It could be some time – maybe even another 12 months – until this case comes to a final conclusion, but whatever the outcome it will have a profound impact on our lives, and one that all of us will see and feel.