Out-Law News 2 min. read
08 Dec 2017, 3:07 pm
The Commission said the case, which is before the US Supreme Court, concerns the application of EU data protection laws. It has therefore decided to submit an 'amicus brief' to the court. It said the papers "will not be in support of either one of the parties".
"This case raises the question whether, under the US Stored Communications Act, US courts can require a US-based service provider to produce the contents of a customer's email account stored on a server located outside the United States, in this case Ireland," the Commission said in a statement.
"Given that the transfer of personal data by Microsoft from the EU to the US would fall under the EU data protection rules, the Commission considered it to be in the interest of the EU to make sure that EU data protection rules on international transfers are correctly understood and taken into account by the US Supreme Court," it said.
In October, Microsoft confirmed that the US Supreme Court had decided to hear an appeal from the US government in the case. The US Court of Appeals rejected an application by the US government to re-hear the case earlier this year, despite the US government arguing that the ruling would allow "electronic communication service providers" to "thwart legitimate and important criminal and national security investigations, while providing no offsetting, principled privacy protections".
The Court of Appeals ruled last year that Microsoft did not have to disclose data on a customer it held on the basis that the warrant issued under the 1986 US Stored Communications Act did not apply to data held outside the US. The data sought by the US authorities was stored on Microsoft's servers in Ireland. The authorities were looking for the information as part of a criminal investigation.
"This is an important case that people around the world will watch," said Microsoft president and chief legal officer Brad Smith in October.
"If US law enforcement can obtain the emails of foreigners stored outside the United States, what’s to stop the government of another country from getting your emails even though they are located in the United States?" Smith said in a blog. "We believe that people’s privacy rights should be protected by the laws of their own countries and we believe that information stored in the cloud should have the same protections as paper stored in your desk. Therefore, Congress needs to modernise the law and address these fundamental issues."
A proposed new International Communications Privacy Act (ICPA) was introduced before Congress earlier this summer. Smith said Microsoft backed the draft legislation.
"ICPA provides sensible ways for cross-border data access, including a robust legal process to access the email of Americans and notification of foreign countries, when required under international law," Smith said. "Without these important clarifications, technology companies, law enforcement and the courts will continue to interpret and apply a law to technologies and circumstances far beyond what Congressional leaders envisioned in 1986."
However, in written submissions to the Supreme Court, the US government said Microsoft could comply with the warrant it has been issued "by undertaking acts entirely within the United States".
The US Department of Justice (DoJ) said (76-page / 573KB PDF): "At most, Microsoft need only take the initial step of 'collect[ing]' data stored abroad by inputting commands at its facility in the United States… Because [the US Stored Communications Act] focuses on the domestic disclosure of information to the government, this case involves a permissible domestic application of the statute."