Data dominos: The complex jurisdictional argument over information
While technology is enhancing opportunities around the world, it is also introducing some very complex issues around data privacy and data jurisdiction. With the advent of cloud computing, global corporations have in effect erased jurisdictional boundaries to connect people, processes and information. But this leap in technology is causing countries to deliberate and define new information boundaries for companies as well as private citizens.
In June, the European Council and the Council of the European Union came to an agreement about a set of rules to adapt to the new digital paradigm. These new rules — the EU Data Protection Directive — were created to enhance the level of protection for personal data and to increase business opportunities. Other countries like Australia, Singapore, Germany and Malaysia are following suit with their own federal privacy legislation. As each country implements its own legislation on these issues, a new trend is emerging that enhances domestic data sovereignty requirements for all businesses. Eventually, these requirements will drive a new set of global best practices and/or require compliance with multiple sets of new national regulations.
As countries around the world race to put rules and best practices in place, all eyes are trained on one international legal case that could have ramifications for both businesses and consumers across the globe: Microsoft v. United States of America, In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation. At the core of this case is the ability of the U.S. to compel disclosure of Microsoft-controlled data stored in Ireland.
The case dates back to 2013 when the U.S. Department of Justice issued a warrant to Microsoft to turn over emails that may have relevance in a suspected drug trafficking case. Microsoft has refused to turn over the emails arguing that the U.S. did not have jurisdiction over data located in another country. Microsoft lost the case and is now on its second appeal in the Second Circuit Court of Appeals.
The government is arguing that the warrant pertains to Microsoft and not the end user, so the company should comply with the law in the country where the service is based. Government attorneys argue that the result of a ruling against the United States would mean that criminals could hide their incriminating data simply by choosing a provider that stores email somewhere else.
Microsoft argues that a ruling in favor of the U.S. government would be disastrous because it would open the way for any country with jurisdiction over any provider to reach into any other country and demand data. One immediate impact would be that non-U.S. countries could begin to require access to data on U.S. citizens stored in the United States. It would, Microsoft argues, threaten the sovereignty of the U.S. and other countries. The secondary effect would be that companies, and users, globally would actively avoid U.S. businesses because their data isn’t safe from government spying.
Therein lies the crux of the matter. Other countries are definitely watching how this case plays out.
There is merit to both sides of the argument, and the issues become even more complicated when you add in the challenges of encryption, key disclosure and mutual legal assistance treaties — international agreements that govern cooperation on legal maneuvers like subpoenas and arrests. However, one piece of legislation currently before Congress would be a good place to start. It is the Law Enforcement Access to Data Stored Abroad Act, known as LEADS, which basically says that the U.S. government can’t compel disclosure of data via a warrant if that data is stored outside the U.S., unless the account holder is a U.S. citizen. This legislation is currently “in committee” in both houses of Congress.
I hope this case will serve as the starting point for conversations as the presidential campaign heats up. Data jurisdiction is just one powerful aspect of this case, cybersecurity is another. Ultimately, this decision will impact every government agency, business and individual in the U.S.
