“Top of the stairs, first cloud on your right”
18 April 2018 (Rome, Italy) – One of the nice things about spending a week doing a bit of R&R after a mega-event like the International Journalism Festival is that although you need to suffer through crap views ….
… you get a chance for leisure reading and catch-up with “other stuff”. And in my e-discovery folder, the big “catch up” news was that the U.S. Supreme Court has dodged a critical legal question about the reach of America’s courts in the internet era, deciding to drop what many thoughts would be the test case on data stored overseas between Microsoft and the U.S. Department of Justice (DOJ). In a decision released yesterday, the Court decided that the case, in which Microsoft refused to hand over to the Feds emails held on its servers in Ireland, was moot because of a new law — the Cloud Act — passed by Congress last month.
But we all knew it was coming. As I had reported in several posts, the U.S. Congress had mulled … and mulled, and mulled … new laws to strengthen Federal powers to access American citizens’ private messages and files stored on computers overseas. So rather than actually debate and refine such legislation, lawmakers decided to bury it onto the massive 2018 Omnibus Spending Bill (sneaky bastards!) which was passed to avoid a U.S. government shut-down, so the CLOUD Act passed by the backdoor.
That Omnibus bill … 2,232-pages, by the way; my Washington, DC intern got a copy and she actually read it … had buried it (on page 2,201; I told you she read it). It was/is the “Clarifying Lawful Overseas Use of Data Act” (CLOUD Act). Yes, catchy isn’t it? That act obliges companies in the U.S. to provide access to all content, whether held on a server in the U.S. or outside the country if they are hit with a warrant.
So the rest of this story became obvious. Following the Cloud Act being signed into law, the DOJ issued a new warrant to Microsoft and it duly complied … handing over all the content that it had been protecting since 2013. As a result, the Supreme Court decided, “no live dispute remains between the parties” and so “this case has become moot.”
There are still questions. The new law notes that a company is obligated to hand over content held on a server in a foreign country so long as doing so wouldn’t break that country’s laws – which can cover everything from banking to privacy to data protection laws. Which of course immediately opens up the question: what happens when a company refuses to hand over content citing local laws? The Supreme Court could have tackled that question but consciously decided not to, leaving data’s status uncertain in the eyes of the law; a situation made all the more confusing by the fact that federal appeals courts across the U.S. have come to different conclusions about the best way of dealing with the issue.
And I have some issues:
- I am dubious that releasing the data was legal under Irish law, but they just made it before the GDPR went into effect when it would definitely have been illegal.
- You have to believe the CLOUD act will be challenged sooner or later, but with the new DOJ seizure request under the act, they had a small window of opportunity to settle this without loss of face to either side. And let’s be frank: with U.S. politics being the minefield that it is at the moment, Microsoft would far prefer the politically expedient solution than getting ready for another round on the barricades against the DOJ and everything else trying to wade in.
- I also think this impacts the shell companies the U.S. tech firms set up around the world in order to avoid paying taxes. The only reason this works is because, as a legal fiction, each company is supposedly a separate entity. So, as an example, Apple USA can charge Apple UK for “using its services” which means Apple UK, come tax time, suddenly has little or no income to tax thanks to all those pesky fees. But if the DOJ is now trying to maintain that it can force Microsoft USA into handing over data held by Microsoft IE, then the whole legal fiction comes crumbling down, yes? The DOJ has, a priory, stated that Microsoft USA and Microsoft IE are the same entity as far as they are concerned.
-
And of course it’s more fodder for the Uncle Sam over-reach (and legal reach-around) arguments. As Ned Tussant of Politico told me this morning “it just continues to show what little respect the U.S. has for the rest of the world. Team America is basically claiming it’s their way or the highway and every other sovereign state isn’t worthy”. His feeling is this legislation and these rulings are not just going to hurt Microsoft, but any other U.S. based company doing business in overseas jurisdictions, making a mockery of data sovereignty laws. And GDPR?:“Ha. Don’t hold your breath. I have seen the arguments that the big law firms are devising to fight its application. And remember: it’s a whole new Commission next year. New players, new teams, new agendas. The law firms are in the sweet spot”.
“The EU likes what it sees in the CLOUD”
So yesterday the European Commission moved front-and-center with its proposed European Production Order which I wrote about last year. That Order is a desire for a new legal instrument that would require carriers, clouds, email service providers and operators of messaging apps to produce a user’s data in six hours to assist investigations of “criminals or terrorists”. The proposed Order will:
“allow a judicial authority in one Member State to request electronic evidence (such as emails, text or messages in apps) directly from a service provider offering services in the Union and established or represented in another Member State, regardless of the location of data”.
And yes, you’ve interpreted that correctly: it does mean that if an organization has an office in one European Union member state, or stores its data outside the EU, the EU wants the right to retrieve that data within six hours. That super-short deadline will only be imposed in the case of an “emergency”. Less urgent investigations have been offered a ten-day deadline.
The Commission’s justification for the new power is that access to electronic evidence is critical, but current instruments to obtain it move too slowly to help investigators and have therefore eroded public confidence. It therefore also wants a “European Preservation Order” to stop service providers deleting data. The package of measures also calls for any service providers that operate within the EU to have a designated legal representative within the Unions borders.
Safeguards? The Commission thinks it has them:
- The Production Orders will be applicable only to crimes punishable with “a maximum sentence of at least three years, or for specific cybercrimes and terrorism-related crimes”.
- Offshore providers will be able to open local proceedings to dispute an order.
- And there will also be an avenue of appeal if an Order “manifestly violates the Charter of Fundamental Rights of the European Union”.
A reminder of what Article Eight says:
- Everyone has the right to the protection of personal data concerning him or her.
- Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
- Compliance with these rules shall be subject to control by an independent authority.
This Order was a major legislative priority for the EU as laid out in the Commission’s 2018-2019 agenda last year which my Brussels’ intern tracks. But as she noted, whether the rest of the world knew it would soon be required to cough up data on such short notice is debatable, although the recent passage of the CLOUD Act heightened activity over the last month.