Microsoft Case: How to Avoid Conflict While Working with Personal Data in Europe and the USA?
We already wrote earlier about the concept of “ data sovereignty ” or the question of the laws of which country should regulate data cases: the one where they are? Or the laws of the country to which the company belongs that owns the data? Maybe you need to be guided by the laws of the country of origin of the company that hosts them? These questions have gained new meaning in light of Edward Snowden's revelations and the fact that the NSA (US National Security Agency) has been observing, which has led companies in some countries to avoid storing data in the United States.
A recent court ruling made the matter even more complicated and put US companies in a position where they had to follow mutually exclusive laws of different countries.
Consider a specific case : Microsoft was presented with a search warrant issued by the US government (it is not known by which authority; all court records are sealed) regarding data on one of the users of Internet mail. Microsoft has determined that data about this user is stored on a server located in Dublin, Ireland. On this basis, the company stated that the US jurisdiction does not apply to this server. But Justice of the Southern District of New York, James Francis, ruled that Microsoft would have to provide data anyway.
“This would be true in relation to“ traditional ”orders, but not to those issued for inspection of the contents of Internet resources and regulated by the federal law“ On the storage of information ”, the BBC explains . “According to him, the warrant should be considered, rather, as a subpoena for submitting documents to the court. He stated that anyone who received a subpoena from the US court should provide the information sought, regardless of where it was stored. ” Francis also added that this part of his decision is justified by the fact that for the United States it would be too difficult to negotiate with all foreign states.
So what's wrong with that?
This means that any of the companies around the world that use the company that stores their data in the USA - Microsoft, Google, Amazon, etc., may find that operations with its data are governed by US laws. In some cases, these laws violate the laws of other countries on privacy and the protection of information.
At least the foreign companies that are concerned about this are much less likely to use the services of US companies to store their data. This will not affect the business of American companies very well. “If the cloud technology industry in the United States were concerned about the lack of trust of foreign customers in them earlier, this court decision would simply significantly increase rates,” he saidBritish newspaper The Guardian Caspar Bowden, an independent privacy researcher.
“This unexpected court decision could have had a significant impact not only on the use of free email services like Hotmail and Gmail. It could also affect all cloud services such as Office 365, Google Apps, and even cloud application providers such as Amazon, ”said three lawyers from Drinker Biddle & Reath in a response published by the National Law Review.
What can be interesting - if by “interesting” you really mean “scary and very bad” - the likelihood that other countries will take this case as a precedent and decide that their various laws on information, such as “the right to be forgotten ”must be valid in the United States. In the end, it can take the form of a messy Balkanization of data management, which can put an end to the existence of the Internet that we are used to.
For example, Microsoft got into it, as lawyers admitted. Well, they didn’t say "got in". Being professional lawyers, they put it more gracefully. “Apparently, Microsoft was faced with an unpleasant choice: either a violation of European data transfer laws or a failure to comply with a US court order,” writes Rob Corbet, partner at Arthur Cox, at Data Protection Ireland.
Microsoft said it was going to appeal the decision of the court and in fact made it clear that it was ready for anything to solve the issue. “When we filed the complaint, we knew that the process had to start with the justice of the peace, and in the end, we had the opportunity to refer the case to the judge of the US District Court and, possibly, to the federal court of appeal,” writes David Howard ), Vice President of Microsoft and Deputy General Counsel. "This is the first step to raising this issue in the courts, which have the power to influence the outdated views of the government regarding the application of search warrants to information stored in digital form outside the United States."