Oral arguments were heard by the U.S. Court of Appeals for the Second Circuit on September 9, 2015, and the positions could not have been more starkly opposed. “This case is about sovereignty,” argued Microsoft in its appeal of the contempt finding against it for not producing data held in its data center in Ireland that was subpoenaed by the Department of Justice. “It’s about control,” countered the U.S. government, contending that Microsoft had control over the data it placed in its Irish data center and that prosecutors may subpoena data held by a U.S. party, regardless of where that data may be.
The stakes are very high. Microsoft, backed by companies such as Apple and Verizon, which filed amicus briefs, contends that a subpoena demanding data in another country is analogous to a warrant to search a home outside the U.S.: it would be a violation of that country’s sovereignty. In addition, there are formal channels for obtaining evidence in another country that are consistent with that country’s laws, protections, treaties, and other agreements that were negotiated and agreed upon by nations as equal sovereigns. One example of such an agreement is the Mutual Legal Assistance Treaty, which was raised in the briefs by Microsoft and then countered by the U.S. government on the ground that the process for obtaining evidence pursuant to this treaty was too time-consuming.
With those agreements in mind, the U.S. government further argued that in a globally connected e-commerce world, nothing is that simple. Microsoft chose where to place its data, and if placement of data outside the boundaries of the U.S. keeps electronic evidence out of the hands of prosecutors, why couldn’t anyone with nefarious intent evade the government merely by sending data to a server in another country?
European data protection authorities are already on high alert about the reach of U.S. authorities for data within Europe as a result of the disclosures by Edward Snowden, and are watching this case closely. A ruling in favor of the government may result in tighter scrutiny and regulation of the e-commerce practices of U.S. companies with regard to data generated and stored in Europe and, possibly, reluctance to provide data to those companies on the part of European citizens. The question we ask ourselves next is: how will this affect U.S.-based e-commerce?
For more information about international data protection laws and regulations, please call Kenneth N. Rashbaum.