by David Horrigan
on July 21, 2016
Cyber Security & Data Privacy
Legal & Industry Education
July has been a big month for the law of international data transfers, with two long-running legal sagas coming to a conclusion—at least for the moment.
On July 12, the EU and the US announced the adoption of the EU-US Privacy Shield Framework, and on July 14, the US Court of Appeals for the Second Circuit reversed a district court and held in favor of Microsoft in Microsoft v. United States, known commonly as the Microsoft Dublin warrant case.
In examining how these events evolved, the biggest takeaway is that, for now, the US technology industry and the economies of the US and the EU have avoided a potential crisis.
In today’s digital world, data must cross international borders for business transactions, e-discovery, and even email communications. The difficult reality is that the laws and regulations governing the handling of electronic data often change substantially across those borders. The data laws of the US and the member states of the European Union are a prime example.
Americans tend to place great value on access to information. US businesses, law enforcement, and litigants are able to collect vast amounts of data—especially compared to Europe, where the right to privacy is fundamental under the European Convention on Human Rights.
Despite these differences, data can’t just stop at the border. Because US laws did not meet the adequacy standard of the 1995 EU Data Protection Directive, the US and the EU negotiated the EU-US Safe Harbor Framework that enabled transfers of personal data to the US if organizations met certain requirements. With American companies allowed to self-certify their compliance, the Safe Harbor was never particularly popular with European privacy advocates. In addition, Europeans criticized US enforcement efforts.
In the aftermath of the September 11, 2001 terrorist attacks, the US passed the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act. There was immediate alarm in Europe that the Patriot Act would allow the US government to access European personal data in violation of EU law.
European data privacy advocates’ disapproval of the act came to a head when the 2013 Edward Snowden-National Security Agency controversy revealed broad US government data surveillance.
Although the US was not alone in this surveillance, the controversy was the final nail in the Safe Harbor’s coffin. In its October 2015 decision, Schrems v. Data Protection Commissioner, the EU Court of Justice invalidated the 2000 decision that legalized the Safe Harbor.
Negotiations ensued, and in February of this year, the US Department of Commerce and the European Commission announced the proposed EU-US Privacy Shield Framework.
After the European Parliament adopted a resolution in May citing problems with the agreement, a deal has now been reached. The July 12 announcement of the Commission’s adoption of the Privacy Shield addressed some European concerns. The provisions include:
As the Safe Harbor was going by the wayside and the negotiations on the Privacy Shield continued, a dispute over US criminal prosecutors’ attempts to obtain data in Ireland threatened to create even bigger problems for the international transfer of data.
As part of a criminal investigation, US prosecutors sought email data from a Microsoft web-based email account. In December 2013, US Magistrate Judge James Francis IV issued a search warrant for information for an email account “stored at premises owned, maintained, controlled, or operated by Microsoft Corporation.”
Microsoft produced non-content information housed in the US, but refused to turn over data from servers in a Dublin, Ireland, data center operated by a wholly owned Microsoft subsidiary.
In moving to quash the warrant, Microsoft argued that such an extraterritorial search was beyond the authority of US prosecutors.
In denying the motion to quash, Judge Francis applied the governing law, the Stored Communications Act (SCA), a law passed as part of the Electronic Communications Privacy Act (ECPA) in 1986—before web-based email, cloud computing, and remote servers were even an issue.
In its most simplified form, the rationale for siding with the government was that, under the SCA, what matters is not where the data are housed, but who controls the data—in this case, Microsoft, a US corporation subject to US laws.
After a US district judge affirmed Judge Francis’ ruling, Microsoft appealed to the US Second Circuit Court of Appeals in Microsoft v. United States. Ninety-three individuals and organizations filed or joined amicus briefs with the court, including major US technology companies, academics, and, not surprisingly, the Republic of Ireland.
In last week’s decision, the Second Circuit sided with Microsoft and reversed the district court, relying, in part, on Congress’ legislative intent of protecting privacy when it passed the SCA and on the lack of guidance in the SCA on whether Congress intended it to apply outside the US.
Noting that international travel is much more common today than it was three decades ago, the court rejected the government’s interpretation of “warrant” under the SCA, adding, “Neither explicitly nor implicitly does the statute envision the application of its warrant provisions overseas.” In addition, the court said it followed the presumption against extraterritoriality articulated recently by the US Supreme Court.
In his concurring opinion, Circuit Judge Gerald Lynch was careful to note that the government’s interest was significant, and—as many have before him—he called on Congress to revisit the SCA to address issues that simply didn’t exist in 1986.
Judge Lynch also made an observation about why the case is so significant: “It is important to recognize, however, that the dispute here is not about privacy, but rather about the international reach of American law.”
As Judge Lynch noted, the policy questions raised by the US government in Microsoft are significant; however, the US tech industry has faced fears that data shouldn’t be housed in the US because of inadequate privacy protections. The Microsoft Dublin warrant controversy compounded the challenge with a new argument: not only should you not let your data into the US—you shouldn’t even house it with an American vendor on servers outside the US. The Second Circuit’s decision will help calm these fears.
In 2016, you can’t conduct business without transferring data. Were there no agreement on data transfers, it would have affected US-EU trade substantially—after all, trade in goods and services between the US and the EU exceeded $1.1 trillion in 2015, with the US exporting $500.7 billion and importing $603.7 billion. (For comparison, US trade with China totaled about $662.3 billion.)
Just as there were European legal challenges to the Safe Harbor, there are legal challenges to the Privacy Shield, and the upcoming EU General Data Protection Regulation will change the landscape again. In addition, Judge Lynch and others have invited Congress to revisit the SCA. It certainly won’t happen in a US election year, and perhaps it won’t happen soon, but it’s bound to happen at some point. The law can’t live in 1986 forever. With concerns about international terrorism, the government’s arguments for extraterritorial law enforcement will be revisited.
David Horrigan is kCura’s e-discovery counsel and legal content director. An attorney, law school guest lecturer, e-discovery industry analyst, and award-winning journalist, David has served as counsel at the Entertainment Software Association, reporter and assistant editor at The National Law Journal, and analyst and counsel at 451 Research.