When Microsoft loses on an international legal technology matter, you know there is still a degree of unknown unknowns when it comes to data protection and the cloud, writes Ben Weinberger.
In a recent proceeding before the US Court, Microsoft was ordered to turn over email belonging to a user of its hosted mail service. That email belonged to a user outside the US. The email itself was located on a server in a data centre in Ireland – outside the US, which should be out of the reach of US authorities and subject to the requirements of the EU privacy laws. Microsoft challenged the order and lost.
They argued that the Court lacked jurisdiction over this particular data as it was stored outside the US, and therefore it was not subject to disclosure.
They were wrong.
On 25 April, 2014, Magistrate Judge James C. Francis of the Southern District of New York issued a memorandum and order upholding a subpoena ordering Microsoft to turn over information held on a server in a data centre in Ireland.
Microsoft had contested the subpoena and argued that courts in the United States do not have jurisdiction and therefore are not authorised to issue a warrant for an “extraterritorial search and seizure.”
Relying upon the Stored Communications Act (the “SCA”), passed as part of the Electronic Communications Privacy Act of 1986 (the “ECPA”), the judge found that, even when applied to information that is stored in servers abroad, an SCA warrant does not violate the presumption against extraterritorial application of American law and therefore denied Microsoft's motion to quash the subpoena.
Patriots as defined by law
Though the judge relied upon the SCA in making his determination, he also cited the Patriot Act as evidence of legislative intent to not limit jurisdiction, which is the crux of the issue.
He recognised and relied upon the fact that Microsoft is a US business – and, more so, that it has a US presence from which it has access to the data on the servers in Ireland (regardless of where that data itself is stored, which is where he relies on a provision of the Patriot Act for clarification). As a US business, Microsoft is subject to US jurisdiction and laws.
Arguably, Microsoft might not have to have been a US business for the Court to have reached the same conclusion.
In theory, the Court’s finding suggests that any business operating in the US could be subject to the same demand regardless of where its data resides. It could readily extend to any hosted/service provider with a US presence, regardless of where data centres are sited or where customer data is stored.
A world without borders
In essence, a company providing a hosted service (be it email, finance, document management, whatever) anywhere could be subject to the same demand to turn over customer data of a foreign customer, regardless of where that data is held.
Therein lies the challenge such a ruling now presents to data protection laws.
This takes us back to the obvious question: in a modern world, where the internet connects everyone and everything, well beyond borders, is it really reasonable to expect that data in one jurisdiction will only remain in that jurisdiction and not be accessible or discoverable outside that jurisdiction?
In reality, and in light of what we know today of various governmental entities and their international surveillance programs – not to mention hacking (be it state-sponsored or otherwise) – the answer is probably “no.”
So, what are the implications of that?
The UK Law Society and the SRA have issued guidance on the use of “cloud” technologies. While they are not completely proscriptive, they do provide advice and guidelines that, presumably, create certain expectations.
In essence, the Law Society states that any cloud solution must comply with the Data Protection Act of 1998 (“DPA”). The considerations of this law on the adoption of cloud technologies are summarised by the Information Commissioner’s Office on their site and include a variety of recommendations.
Some of the key elements of this act addressed by the Information Commissioner’s Office (ICO) include:
● The use of encryption of data in transit and at rest;
● Prevention of unauthorised access to client data by the cloud providers’ personnel; and
● Access to data by intelligence agencies.
The document on their site gives general guidance and recommends a variety of measures to be employed to safeguard data placed into the cloud.
The ICO specifically notes that the DPA requires that personal data “shall not be transferred to any country or territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”
Arguably, as the US and EU created the “Safe Harbor” agreement, this statement could readily be interpreted to mean that it is assumed that the US meets those specific criteria such that a mandated disclosure of personal data to the US government is not in violation of those laws.
Further, all of the various provisions make reference to guidelines in contractual agreements. There are few steadfast rules with regard to how data is treated and communicated that mandate specific contractual obligations.
Companies can meet the requirements of the DPA and various other regulations as may be called for by the Law Society or SRA and still have contractual language that could very likely contradict or otherwise limit the protections intended.
Though, in essence, vendors do have to provide some very precise protections, the regulations and guidance are not so strict as to prohibit or preclude the type of data transfer and disclosure that was ordered in the instant scenario.
So, what does all this mean?
At the very least, I’d suggest it means that a firm that is truly ‘worried’ about their data not leaving the EU (and many seem to be) perhaps will think twice about where that data is and where it may end up. Taken to the extreme, I think firms outside the US (especially those within the EU) who are worried about their data being accessed by the US will probably want to avoid using ISPs or hosting providers (software as a service providers or otherwise) with ANY presence within the US.
While that may seem a bit excessive, given the instant facts and the relevant guidance, it’s completely plausible to expect that data held and hosted by a company with presence in both the US and EU will certainly be subject to the same disclosure: if the hosting company has access to it from the US, it could be subject to the same requirement to disclose for the same reason.
That won’t stop these firms from building infrastructure to accomplish the same purpose (mobility, accessibility, etc.) or adopting technologies (such as a private cloud) that will prepare them for the eventual move to a hosted/cloud environment.
Regardless, as the decision isn’t about technology but more about the overall business need and value (what is gained and at what price, especially considering factors such as the total cost of ownership), firms will add this to their list of considerations when choosing whichever technology posture they feel is most appropriate.
Whether or not this potential for disclosure will have the effect of dissuading firms from adopting various technologies and platforms today or in the near or distant future remains to be seen. Firms that want to adhere to a stricter interpretation may choose to avoid placing client data into the data centres of various cloud providers.
Those firms will not necessarily be limited with regard to the functionality they provide their end-users as the concept of cloud computing, in and of itself, offers no functional advantage over on premises solutions (accessibility of data/programs, disaster recovery / business continuity, etc.) – it merely offers a different financial model and a shifting of the management from an internal to an external resource (which, again, in that regard, an owned yet externally managed service also accomplishes if that is a preferred option).
Policies change – and regulations evolve. As such, this concern over where data resides and whether or how it is discoverable will change.
It remains to be seen how firms – and providers – will react to this most recent development.
Ben Weinberger is the Chief Strategy Officer for Phoenix, a global software and consultancy business. A lawyer and former CIO, Ben has more than 20 years of experience directing IT and operations in a variety of public and private organisations. Ben will be speaking on the topic of Productivity Equals Profit – Knowledge Management and technology’s role in productivity enhancement at the Janders Dean Legal Knowledge & Innovation Conference in Sydney.
The Conference will run from 18 to 19 September.