Privacy and law enforcement – a matter of principle

Microsoft is currently fighting a court case in the United States, challenging a federal law enforcement warrant issued for customer emails stored in Microsoft’s Dublin data center.

The warrant was first served on Microsoft just over a year ago, and since then we’ve been resisting what we see as an attempt to stretch the bounds of law enforcement authority. Emails are the personal property of our customers and as caretakers we must be extremely respectful of their rights. Of course, law enforcement must be able to do its job, but when the seizure of personal correspondence is necessary, clear procedures must be followed.

In this case, the procedures that should be followed involve cooperation with the Irish authorities via well-established agreements – Mutual Legal Assistance Treaties (MLATs). These exist precisely to allow the U.S. government to seek information from other countries, without impinging on the privacy protections offered by national laws.

Instead, the U.S. court has ruled that no other jurisdiction matters, and treated the emails not as personal data, but as Microsoft’s own business records. As such, Microsoft is expected to seize and deliver the emails to the U.S. authorities.

However, by overreaching its jurisdiction to grab personal data held in another country, the U.S. risks undermining consumer trust and confidence in cloud services. The Irish government themselves have highlighted how, if Microsoft were to acquiesce to the warrant’s demands, it would “create significant legal uncertainty for Irish and EU consumers and companies regarding the protection of their data”.

Former European Commissioner for Justice Viviane Reding also highlighted how the U.S. government’s actions could “be in breach of international law and may impede the protection of individuals guaranteed in the [European] Union.” And just last week, data protection authorities from across the European Union adopted the following declaration; that “foreign requests must not be served directly to companies under EU jurisdiction”, without prior authorization having been agreed via an MLAT.

Microsoft complies with lawful orders from U.S. authorities; however in this instance we believe that the U.S. government should cooperate with local authorities to allow investigations to continue, while also ensuring Irish sovereignty is respected and EU privacy laws are taken into consideration – which consumers expect.

The vital issues at stake in this case have united many industry competitors, media companies, academic institutions and activist organizations. On Monday, ten “friends of the court” briefs were filed with the US Court of Appeals on behalf of over 80 organizations and individuals expressing their support for Microsoft’s position. Following the filing, Microsoft hosted a discussion in New York with representatives from some of the organizations, with panelists considering key questions of trust, privacy and legal clarity.

These are issues which also have a significant European dimension. That’s why, following the New York event, Microsoft convened a discussion amongst key stakeholders in Brussels. Jens-Henrik Jeppesen, Director for European Affairs at the Center for Democracy & Technology; Hosuk Lee-Makiyama, Director of the European Centre for International Political Economy; and Megan Richards, Principal Advisor at the European Commission’s Directorate-General for Communications Networks, Content and Technology, were our expert panelists on Monday evening – and their comments made clear that the implications of this case go far beyond a narrow legal ruling:

  • Megan Richards highlighted how the potential of the cloud to drive significant growth – 2.5 million new European jobs and a €160 billion boost to European GDP by 2020, according to the European Commission – will only be realized if consumers and businesses trust the technology they are using.
  • Jens-Henrik Jeppesen warned that the ability of one government to reach beyond national borders and seize data without proceeding through proper legal channels sets a dangerous precedent, saying “we will see more and more cases where more than one government will be able to claim legitimate access to the same piece of data”.
  • Hosuk Lee-Makiyama pointed out that tech companies should not be placed in a position to decide which jurisdiction applies in any given instance. In this case, he noted, it is “not really an issue between the U.S. and Microsoft, but between the U.S. government and the Irish government”.

To hear more thoughts from Monday’s discussion on the principles which underpin transnational data issues, have a look at the video below.

One common theme shines through the remarks of our panelists on both sides of the Atlantic and in the wide variety of “friends of the court” briefs: the urgent need for an international dialogue over how we apply privacy and rule of law principles in the online world.


YouTube Video

Mark Lange
Director EU Institutional Relations, Microsoft

Mark Lange is Director of EU Institutional Relations. He joined Microsoft in 1998 and currently works on policy issues relating to cloud computing, privacy, security and data governance in the European Union, as well as interoperability and intellectual property across Europe, Middle East and Africa. He previously worked for law firm Covington & Burling in Washington, D.C. and Brussels, from 1989 to 1998. His practice included general litigation, international trade, and intellectual property. Mark Lange graduated from the University of Virginia in 1981 and from Northwestern University Law School in 1989.