At the Congress of the International Association of Privacy Professionals in Brussels last week, I had the opportunity to participate in a discussion on “Finding Solutions for Law Enforcement Access to Digital Evidence.” Our conclusion: We need to find solutions, and we have some important choices to make.
Microsoft has been engaging and recruiting people to join this dialogue for solutions as a top priority. Finding good solutions within a country requires balancing public security, personal privacy and technological progress. Reaching good solutions becomes doubly hard when national borders are involved because solutions need to work within the framework of international law and national sovereignty.
The internet spans national borders and connects us all seamlessly. But those national borders and national sovereignty remain the foundation of our international legal system. National sovereignty over national territory has been the organizing principle of nations since the Treaty of Westphalia in 1648.
In our modern world, we can deal with the sovereignty issues in one of two ways: work through the issues constructively, or simply ignore them. We believe that countries should work constructively to reach international agreements to build cross border issues solutions that protect fundamental rights and avoid conflicts of law.
Some countries are pursuing the “easy” solution of Digital Evidence by unilaterally asserting police powers outside their own territory. Many laws have extraterritorial effects, often for very valid purposes. And so for example competition laws typically prohibit anti-competitive conduct that takes place outside the regulator’s jurisdiction if the conduct has anti-competitive effects within the jurisdiction. In international law this is described as “prescriptive” jurisdiction. But criminal search warrants that reach across borders pose a different problem: they are involve execution of police powers within the territory of another sovereign. In international law this is described as “enforcement jurisdiction.” Such conduct violates international law and another country’s sovereignty.
European laws do not permit foreign authorities to perform such police functions within European territory. And neither does U.S. law. So when European law enforcement authorities want to access electronic data (or physical evidence) located in the US, they need to make a request to the US through a Mutual Legal Assistance Treaty.
But for the US to obtain electronic data located in Europe, the U.S. Government wants no such limitation. For a criminal investigation in New York, the US is seeking a Microsoft customer’s email account processed and stored in our Dublin data center. Microsoft challenged the search warrant, and with the support of more than 80 companies, associations and experts, as well as the government of Ireland, we won an important victory in the Court of Appeals. Recently the US Supreme Court agreed to review the case. In the Supreme Court, interested stakeholders are able to express their views on the case.
In the Supreme Court, Microsoft will argue that its obligations to European customers under European law do not permit us to disclose our customer’s personal data to foreign authorities except under conditions defined by European law. We encourage European authorities to help explain those obligations to the Supreme Court as well.
The litigation points to potential conflicts of laws between countries. Such conflicts are a cross-border problem that cannot be solved unilaterally by any country, either the US or an EU member state. The law, including treaties governing cross-border relations and assistance in criminal investigations, need to evolve to reflect the current technology environment.
If the U.S. Government position would prevail, it would in effect mean that a U.S. search warrant overrules the sovereignty of nations and the privacy and legal defense rights of its people. And it would mean that companies, which hold data located in Europe could be forced to choose which laws to break.
It would also mean that electronic communication would be significantly less protected than more traditional forms of communication.
Law enforcement authorities in all countries need to be able to collect evidence in investigations, but Microsoft believes laws and protections need to apply when electronic evidence is sought from abroad. If the evidence is in the form of physical documents in someone’s office or home outside the U.S., it is legally mandated for a US prosecutor to seek cooperation of local authorities to search premises and seize such evidence. We believe the same rules and the same legal protections apply to digital evidence in the context of cross-border law enforcement seizures.
Finding solutions to cross-border issues requires dialogue and agreement across borders. Microsoft strongly supports the legal reform efforts in both the US and the EU. But we also need the additional step of a transatlantic agreement to enable data to be accessed lawfully for law enforcement purposes, with appropriate safeguards of fundamental rights and with respect for the laws of each region.