It has been one of the most crucial issues in international data privacy law: Is a country (like the US) allowed to compel a company (like Microsoft) to provide data stored on a server outside this country (e.g. in Europe)? Now, the EU Commission filed a brief in this case...
The story behind the dispute
In Microsoft Corp. v. United States, 829 F.3d 197 (2d Cir. 2016), the Second Circuit held that the government cannot compel Internet Service Providers (ISPs) to turn over data stored outside the US, even with a warrant.
In 2013, Microsoft received a search and seizure warrant for the email data of a particular user. Microsoft then provided responsive data stored in the United States, but not the data stored on a Microsoft server in Ireland (which was most of the data). Microsoft argued that the data stored in Ireland was not within the jurisdiction of the warrant and moved to quash the warrant, the Harvard Law Review reports.
Data on servers abroad
The magistrate judge denied Microsoft’s motion to quash, stating that the Stored Communications Act (SCA) authorized the district court to issue a warrant for “information that is stored on servers abroad.”
Microsoft appealed the magistrate judge’s decision, and the district court affirmed after reviewing de novo. However, the Second Circuit ultimately found that the SCA does not authorize courts to issue and enforce against US-based service providers warrants for the seizure of customer email content that is stored exclusively on foreign servers. It therefore reversed the district court’s denial of the motion to quash, vacated the finding of contempt, and remanded the case to the district court, Oyez reports.
The role of the EU
Anyone familiar with the basics of data protection law knows that there is a huge difference between the European and American concepts of data protection law. The case Microsoft v. United States is therefore crucial for the general question of whether data stored in the EU is really “safe”, i.e. when there are legal disputes in the US.
“[would] not be in support of either one of the parties” but was filed to “make sure that EU data protection rules on international transfers are correctly understood and taken into account by the US Supreme Court.”
The Commission makes it clear that it “takes no position on the ultimate question of the SCA’s proper construction under U.S. law”, IAPP reports.
Obligations of the GDPR
According to the Commission’s brief, the EU has two main interests in the litigation between Microsoft and the United States:
- Ensuring the Supreme Court proceeds with the case based on a correct interpretation of EU law.
- To “reaffirm” the EU’s commitment to international law enforcement cooperation between it and the United States.
On the second point, the Commission states that it
“has an interest in ensuring that … law enforcement cooperation continues to take place within a legal framework that avoids conflicts of law, and is based on ongoing dialogue, voluntary cooperation, and respect for each others’ fundamental interests in both privacy and law enforcement.”
Of course, with the amicus curiae brief, the EU Commission also wants to ensure that the General Data Protection Regulation (GDPR), which comes into force in May this year, will be followed. Being a data controller in the EU means that certain obligations have to be met. Thus, the question remains whether disclosing data stored within the EU/EEA to a party in the US based on a warrant means that the GDPR is violated…