Think your online privacy is free from prying eyes outside of sovereign jurisdiction? Think again. In late July, Microsoft was ordered by a US judge to disclose email data of a customer, even with the actual data being stored on servers in Dublin, Ireland. The court ruled that control, not physical jurisdiction, determined whether data can be turned over for investigation. This has been challenged by Microsoft through an appeal, and other technology companies and privacy advocates have likewise expressed that this will set a bad precedent for international business relations.
Control, not physical location
In an August 2014 ruling, US District Judge Loretta Preska affirmed the earlier decision that required Microsoft to lawfully hand over email data pertaining to a certain account regardless of where it is actually stored. Data jurisdiction is dependent on the control of the company, regardless of the physical location of the servers, said the ruling by Judge Preska. Thus, service providers like Microsoft are legally bound to turn over data to government in the event of an inquiry, even if these are stored in a foreign country.
Said warrant was issued in light of the Stored Communications Act, requiring the service provider to disclose records under its control. It is necessary to note that the earlier court order stemmed from a criminal case involving narcotics, and government lawyers intend to use email records as evidence. Government has since sought for the judge to hold Microsoft in contempt in view of the company’s firm resolve against turning over the email data. In a statement, the Redmond firm says it “will not be turning over the e-mail.” General counsel Brad Smith stressed that in its appeal, Microsoft will “continue to advocate that people’s emails deserve strong privacy protection in the US and around the world.”
Data jurisdiction in question
This particular case will set a precedent among future court cases that involve data retrieval from cloud service companies. Cloud providers and telecom firms have actually weighed in on the issue, challenging the ruling. AT&T, Verizon and Apple, among others, have filed amicus briefs in court expressing their stance.
If anything, this legal battle puts into light the validity of data sovereignty, as well as conflicting legal frameworks in different countries. In its amicus brief in support of Microsoft, Verizon said such a ruling “would have an enormous detrimental impact on the international business of American companies, on international relations, and on privacy.” In fact, some governments, such as Germany, are already banning the use of cloud services run by American providers in order to mitigate the risk of data being accessed by authorities in the US.
And even if companies like Microsoft were to comply with the US court ruling, turning over data might, in turn, constitute an illegal breach of privacy in other jurisdictions. This has become the central argument in a so-called Umbrella Agreement for data sharing that the US and the EU are trying to work out.
Cloud computing has changed the dynamic of data storage and information storage, particularly with respect to jurisdiction, legal oversight and compliance. Data sovereignty is certainly among the key concerns for individuals or institutions who require a certain level of privacy and security. But if a country’s government can claim control over data that is supposedly physically stored in another country’s jurisdiction, then it’s a whole new ball game. With data being in the cloud, does control take precedence over physical jurisdiction? This argument will need threshing out amongst stakeholders, including governments, foreign policy-making bodies, technology providers and privacy advocates, among others.
