When we reported back in January that Microsoft planned to offer non-US customers international data storage, on the basis that the data would be safer from US government snooping because it resided outside the United States, we were somewhat surprised.
As we discuss in some detail here, the US Patriot Act allows US agencies to access any data held by a US company on non-US European citizens, as long as that company has any servers inside the EU (as nearly all major US companies do). The Foreign Intelligence Surveillance Act (FISA) similarly allows US agencies to access information stored in cloud databases located in the EU, but owned by US companies. All that US authorities need do is get a secret court to issue a secret surveillance order; when this is presented to a US company, the company has no option but to comply.
It therefore comes as no surprise that a US judge has ordered Microsoft to hand over a customer’s emails, even though these are stored in Ireland. The ruling by New York Judge James Francis supported a search warrant issued by US law enforcement officials, demanding information associated with an individual’s email account, including their name, credit card details and the contents of all messages.
Microsoft had made its determination to oppose the warrant clear, and David Howard, Microsoft’s deputy general counsel, said in a blog post last Friday:
‘A US prosecutor cannot obtain a US warrant to search someone’s home located in another country, just as another country’s prosecutor cannot obtain a court order in her home country to conduct a search in the United States… We think the same rules should apply in the online world, but the government disagrees.’
Indeed it does, and Judge James Francis found that the warrant should be treated more like a subpoena for documents, in which case the information must be provided, irrespective of where it is held. Francis argued that law enforcement efforts would be seriously impeded and the burden on the government would be substantial if they had to co-ordinate with foreign governments to obtain this sort of information from internet service providers such as Microsoft and Google.
It is precisely because of this kind of situation that the EU is now drafting tough new data protection laws to ensure that data that belongs to EU citizens and is stored in Europe cannot be directly shared with US authorities without going through formal and agreed-upon channels:
‘The commission’s position is that this data should not be directly accessed by or transferred to US law enforcement authorities outside formal channels of co-operation, such as the mutual legal assistance agreements or sectoral EU-US agreements authorising such transfers,’ Mina Andreeva, European Commission spokeswoman for justice, fundamental rights and citizenship, told the BBC.
‘Access by other means should be excluded, unless it takes place in clearly defined, exceptional and judicially reviewable situations. The European Parliament reinforced the principle that companies operating on the European market need to respect the European data protection rules – even if they are located in the US.’