When technology worlds collide


When Microsoft loses on an international legal technology matter, you know there is still a large degree of unknown unknowns when it comes to data protection and the cloud, writes Ben Weinberger.


In a recent proceeding before the US Court, Microsoft was ordered to turn over email belonging to a user of its hosted mail service. That email belonged to a user outside the US. The email itself was located on a server in a data centre in Ireland – outside the US, which should be out of the reach of US authorities and subject to the requirements of the EU privacy laws. Microsoft challenged the order and lost.

They argued that the Court lacked jurisdiction over this particular data as it was stored outside the US, and therefore it was not subject to disclosure. 

They were wrong.

On 25 April, 2014, Magistrate Judge James C. Francis of the Southern District of New York issued a memorandum and order upholding a subpoena ordering Microsoft to turn over information held on a server in a data centre in Ireland.

Microsoft had contested the subpoena and argued that courts in the United States do not have jurisdiction and therefore are not authorised to issue a warrant for an “extraterritorial search and seizure.”

Relying upon the Stored Communications Act (the “SCA”), passed as part of the Electronic Communications Privacy Act of 1986 (the “ECPA”), the judge found that, even when applied to information that is stored in servers abroad, an SCA warrant does not violate the presumption against extraterritorial application of American law and therefore denied Microsoft's motion to quash the subpoena. 

Patriots as defined by law

Though the judge relied upon the SCA in making his determination, he also cited the Patriot Act as evidence of legislative intent to not limit jurisdiction, which is the crux of the issue. 

He recognised and relied upon the fact that Microsoft is a US business – and, more so, that it has a US presence from which it has access to the data on the servers in Ireland (regardless of where that data itself is stored, which is where he relies on a provision of the Patriot Act for clarification).  As a US business, Microsoft is subject to US jurisdiction and laws. 

Arguably, Microsoft might not have to have been a US business for the Court to have reached the same conclusion.

In theory, the Court’s finding suggests that any business operating in the US could be subject to the same demand regardless of where its data resides.  It could readily extend to any hosted/service provider with a US presence, regardless of where datacenters are sited or where customer data is stored.


A world without borders

In essence, a company providing a hosted service (be it email, finance, document management, whatever) anywhere could be subject to the same demand to turn over customer data of a foreign customer, regardless of where that data is held.

Therein lies the challenge such a ruling now presents to data protection laws.

This takes us back to the obvious question – that, in a modern world, where the internet connects everyone and everything, well beyond borders, is it really reasonable to expect that data in one jurisdiction will only remain in that jurisdiction and not be accessible or discoverable outside that jurisdiction? 

In reality and in light of what we know today of various governmental entities and their international surveillance programs – not to mention hacking (be it state-sponsored or otherwise), the answer is probably “no.” 

So, what are the implications of that?

The UK Law Society and the SRA have issued guidance on the use of “cloud” technologies. While they are not completely proscriptive, they do provide advice and guidelines that, presumably, create certain expectations.

In essence, the Law Society states that any cloud solution must comply with the Data Protection Act of 1998 (“DPA”). The considerations of this law on the adoption of cloud technologies are summarised by the Information Commissioner’s Office on its site and include a variety of recommendations.

Some of the key elements of this act addressed by the Information Commissioner’s Office (ICO) include:

● The use of encryption of data in transit and at rest;

● Prevention of unauthorised access to client data by the cloud providers’ personnel; and

● Access to data by intelligence agencies.  

The document on their site gives general guidance and recommends a variety of measures to be employed to safeguard data placed into the cloud. 

The ICO specifically notes that the DPA requires that personal data “shall not be transferred to any country or territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.” 

Arguably, as the US and EU created the “Safe Harbor” agreement, this statement could readily be interpreted to mean that it is assumed that the US meets those specific criteria such that a mandated disclosure of personal data to the US government is not in violation of those laws.

Further, all of the various provisions make reference to guidelines in contractual agreements.  There are few steadfast rules with regard to how data is treated and communicated that mandate specific contractual obligations. 

Companies can meet the requirements of the DPA and various other regulations as may be called for by the Law Society or SRA and still have contractual language that could very likely contradict or otherwise limit the protections intended. 

Though, in essence, vendors do have to provide some very precise protections, the regulations and guidance are not so strict as to prohibit or preclude the type of data transfer and disclosure that was ordered in the instant scenario.

So, what does all this mean? 

At the very least, I’d suggest it means that a firm that is truly ‘worried’ about its data not leaving the EU (and many seem to be) perhaps will think twice about where that data is and where it may end up. Taken to the extreme, I think firms outside the US (especially those within the EU) who are worried about their data being accessed by the US will probably want to avoid using ISPs or hosting providers (software as a service providers or otherwise) with ANY presence within the US.

While that may seem a bit excessive, given the instant facts and the relevant guidance, it’s completely plausible to expect that data held and hosted by a company with presence in both the US and EU will certainly be subject to the same disclosure: if the hosting company has access to it from the US, it could be subject to the same requirement to disclose for the same reason. 

That won’t stop these firms from building infrastructure to accomplish the same purpose (mobility, accessibility, etc.) or adopting technologies (such as a private cloud) that will prepare them for the eventual move to a hosted/cloud environment.

Regardless, as the decision isn’t about technology but, more so, the overall business need and value (what is gained and at what price, especially considering factors such as the total cost of ownership), firms will add this to their list of considerations when choosing whichever technology posture they feel is most appropriate.

Whether or not this potential for disclosure will have the effect of dissuading firms from adopting various technologies and platforms today or in the near or distant future remains to be seen.  For those firms who want to adhere to a more strict interpretation, they may choose to avoid various cloud providers with regard to placing client data into their data centres. 

Those firms will not necessarily be limited with regard to the functionality they provide their end-users as the concept of cloud computing, in and of itself, offers no functional advantage over on premises solutions (accessibility of data/programs, disaster recovery / business continuity, etc.) – it merely offers a different financial model and a shifting of the management from an internal to an external resource (which, again, in that regard, an owned yet externally managed service also accomplishes if that is a preferred option).

Policies change – and regulations evolve.  As such, this concern over where data resides and whether or how it is discoverable will change.

It remains to be seen how firms – and providers – will react to this most recent development.

Ben Weinberger is the Chief Strategy Officer for Phoenix, a global software and consultancy business. A lawyer and former CIO, Ben has more than 20 years of experience directing IT and operations in a variety of public and private organisations. Ben will be speaking on the topic of Productivity Equals Profit – Knowledge Management and technology’s role in productivity enhancement at the Janders Dean Legal Knowledge & Innovation Conference in Sydney.

The Conference will run from 18 to 19 September.

