Microsoft Wins Major Data Privacy Decision For Users

Microsoft won a major privacy legal victory for users today when the 2nd U.S. Circuit Court of Appeals ruled that the Department of Justice (DOJ) can't use a U.S. search warrant to access customer data stored overseas.  The unanimous 3-0 ruling is a victory for the rule of law, privacy, and the usage of new technologies such as the cloud.

The case started in 2013 when a New York federal judge issued a warrant for the emails of a drug trafficking suspect.  Some of the requested content was stored in Microsoft's computers in Ireland so the company refused to turn the data over unless the U.S. government followed well established international rules on obtaining evidence in a foreign country. 

In 2014, the U.S. Southern District of New York ruled that search warrants issued under the Stored Communications Act (SCA) enable the government to access data stored anywhere in the world. This ruling had affirmed a magistrate judge's decision that focused on who controls the data and not the location of the data.  The 2nd U.S. Circuit Court of Appeals unanimous ruling clearly demonstrates that the lower courts misinterpreted the SCA and Congress' intent on digital privacy.

During the past several years, I have attended numerous conferences and congressional hearings on the issues surrounding this case.  I have listened to many of the legal and public policy arguments as to why the lower courts' rulings must stand or be reversed. Today's ruling is a victory for privacy rights in the Digital Age, democracy, and technology public policy.  In short, the general legal protections that apply to the physical world have been extended to the digital world.

My hope is that other courts focused on similar privacy issues take notice of this decision and that Congress sooner rather than later enacts common sense data privacy laws for the Digital Age. The U.S. must be a leader in technology public policy and the 2nd U.S. Circuit Court of Appeals has taken our country a step in the right direction.  

Copyright 2016 by Bradley S. Shear, Esq. All rights reserved.     

U.S. Dept. Of Justice v. Microsoft: The Fight For Digital Privacy

Last week, the U.S.government issued new guidance regarding when and how federal law enforcement may deploy cell phone site simulators (i.e. stingray technology) that collect consumer mobile phone/digital device data.  In general, the U.S. Department of Justice (DOJ) will now require federal officials obtain a warrant to deploy these technologies and utilize the data collected.  This change in policy signals that the U.S. government is beginning to understand that it must create reasonable rules and procedures regarding the collection and usage of digital evidence that adheres to the principles of the Fourth Amendment. 

While the federal government has changed its policy regarding the use of cell site simulators, I am perplexed that it hasn’t changed its position about some other digital data privacy issues. For example, in a New York City federal appeals courtroom later this week the DOJ will be squaring off against Microsoft in a matter about digital privacy law that has tremendous international ramifications.  In short, the federal government wants to be able to require U.S. based companies to turn over digital data that is held in foreign based servers without being required to follow the evidence collection laws of the countries where the data is located.  This position is very troubling and goes against well-established national and international law regarding the collection and usage of evidence. 

In general, to obtain physical evidence law enforcement must follow the laws of the jurisdiction where it is located.  In some circumstances jurisdiction occurs by citizenship.  However, here the data is located outside the U.S. and the user (DOJ target) doesn't appear to be American.  Under these facts, I question the DOJ's theory as to why it has the legal authority to obtain the requested information without the cooperation of the government of Ireland.  

The DOJ is arguing that data stored in digital clouds should be treated differently than evidence stored in physical filing cabinets.  Interestingly, the DOJ has so far won its flawed argument in federal court so Microsoft has taken its fight to the federal second circuit  court of appeals.  

Multiple academics (i.e. here and here) have previously written about this case (and so have I) because it sounds like a law school final exam.  For non-lawyers this means that the law is not clear on how to handle this specific situation.  If general jurisprudence on how to handle physical evidence is followed, the DOJ would be required to contact law enforcement agencies in the country (in this case it is Ireland) where the digital data is located.  However, since this is technology, and the information requested is stored in the cloud the courts are grappling with how to handle these issues.

DOJ is claiming (among other things) that since Microsoft (i.e. or other technology providers) has legal control over its servers in Ireland it should be required to turn over the data requested without going through the legal process in Ireland.  With this same argument, a foreign government could in turn claim that it doesn’t have to follow U.S. law when demanding access to U.S. consumer digital data located in the U.S. if the server provider has operations in that foreign country.

If the DOJ wins its legal argument, in addition to foreign governments making the same access demands to digital accounts located in the U.S., a win may also encourage U.S. tech companies to change the legal structure of their foreign subsidiaries to be able to legitimately claim that they do not have the authority to access and/or turn over customer data located in a foreign country.  This may lead to many high paying jobs being transferred from the U.S. to other countries to oversee the operations of these new legal entities. 

Amicus briefs from not only other technology companies, but also from civil rights groups, academic scholars, and privacy advocates supporting Microsoft's position demonstrate that this case is more than just about protecting the bottom line of the U.S. cloud industry. This case goes to the heart of the proper way to handle unique digital law and public policy issues.  Whether its through the federal courts, or via congressional action such as the Law Enforcement Access To Data Stored Abroad (LEADS) Act, or other similar legislation, the U.S. must set an example and take a leadership role on how to properly balance lawful access with personal privacy.  

Regardless of the outcome of this case, it is imperative that a broad international discussion occur on how to handle this and similar burgeoning digital law and public policy issues.  

Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.