Can US Law Enforcement Access Information on Irish Servers? – The Microsoft Saga
11 September 2014
In the past few months, Ireland has found itself at the centre of an intense battle over whether US authorities can access data on Irish-based Microsoft servers. The debate has continued with a recent decision of the New York District Court to remove the suspension on the warrant ordering the handover. Following this decision, on 5 September 2014 the case shifted up a gear with Microsoft voluntarily entering contempt and proceeding to the Second Circuit Court of Appeals to continue the case. With the case soon entering Round 3, we take a look at the issues.
In late 2013, a federal Magistrate in New York granted a search warrant under the US Stored Communications Act (“SCA”) against data held by Microsoft Corporation. The warrant was issued for both user and content (email) data as part of an on-going investigation into narcotics trafficking. The relevant data is stored on Microsoft’s Irish servers. Microsoft unsuccessfully challenged the warrant in front of the issuing Magistrate. Microsoft then appealed this decision to a District Court Judge, but the Magistrate’s ruling, and consequently the warrant, was confirmed.
What is disputed?
Microsoft, supported by other large internet companies such as AT&T, Apple, Cisco and Verizon, contends that the data held on Irish servers is not subject to US jurisdiction. While Microsoft produced the non-content data held on its US servers, it filed a motion to overturn the warrant upon discovery that the emails were located in its Dublin data centre. Microsoft argues that the SCA warrant cannot reach data held in Ireland and official international channels must instead be pursued. In addition, Microsoft points out that even if such access were permitted under US law, the warrant itself would be unconstitutional for failing to be sufficiently specific.
In the Magistrate’s ruling, however, the judge reasoned that although the SCA uses the term warrant, it is “a hybrid”. While it is obtained like a search warrant, it is executed like a subpoena. In essence, this means that rather than the authorities breaking down the door and taking evidence (warrant), Microsoft is served with the request and required to produce the data (subpoena). Consequently, regardless of the location of the servers and data, Microsoft was required to produce the relevant information.
However, the case is less than clear-cut given a number of ambiguities identified in both the SCA’s interpretation and its historical drafting. Of particular note was the fact that the Magistrate examined Microsoft’s arguments in light of the “practical considerations” of overturning the warrant. From an Irish perspective, the Magistrate made some novel points in support of the warrant. He referred to the suggestion that a search only occurs when the data is “exposed to human observation”, such as appearing on a screen. In the current situation, this would mean the search would be deemed to be occurring within the US, since the servers would be accessed from there. In addition, he indicated that the Patriot Act - one of the more controversial pieces of US law - deems that the “property” (which is to be searched) is located where the ISP (and not the server) is located.
The conventional route for seeking evidence in another nation is by way of Mutual Legal Assistance Treaty (MLAT), such as that in place between Ireland and the US since 2001. These treaties formalise the process that law enforcement must follow in order to obtain evidence from another territory. In Ireland, the process is established under the Criminal Justice (Mutual Assistance) Act 2008. While the Magistrate in the original ruling acknowledged the existence of the MLAT procedure, he noted that the process can be cumbersome and requires the engagement and agreement of both governments. The court declined to consider the terms of the MLAT that is currently in place between Ireland and the United States.
From an Irish data protection standpoint, compliance with the warrant by handing over the data may breach Irish and EU law. Certain provisions of the Data Protection Acts 1988 and 2003 (“DPA”), such as processing the data fairly, keeping the data secure and restricting non-EEA transfers of the data, would likely be breached. While the DPA provides a number of exemptions usually availed of in these situations, they are unlikely to apply. Microsoft itself adduced expert evidence, from the former Attorney General of Ireland, that compliance would likely cause it to breach Irish law. Consequently, Microsoft finds itself in a catch-22 situation between the US authorities on the one hand, and the Irish and European data protection regime on the other.
Current status and next steps
In the most recent decision of 29 August 2014, the District Court Judge removed the suspension on the warrant. Additionally, the judge found that, on jurisdictional grounds, Microsoft has no right to directly appeal the decision of the Court. This meant that Microsoft was now legally required to immediately hand over the emails sought by prosecutors.
Consequently, at its own request, Microsoft was found in contempt of court on 5 September 2014 for failure to comply with the warrant. The judge imposed no further sanctions on the company, noting that the contempt order now permitted Microsoft to immediately appeal her earlier ruling.
Microsoft has since signalled an appeal, with its filings due to be entered on 8 December 2014. It remains to be seen whether Microsoft’s arguments will prove more successful before the US appeal courts than they have been to date.
Views of the Irish government
Reacting to the case on behalf of the Irish government, Dara Murphy TD, Minister for EU Affairs and Data Protection, has said that the manner in which the US authorities are attempting to force disclosure of foreign data held by Microsoft is “objectionable”. The Minister further warned that any such attempt by the US authorities to compel disclosure may result in Microsoft, and other US companies with operations in the EU that are served with such warrants in the future, being in breach of the Irish Data Protection Acts and the EU Data Protection Directive. Any such scenario would create significant legal uncertainty for Irish and EU consumers and companies regarding the protection of their data.
The Minister has stated that cooperation in the area of law enforcement is a “fundamental element” of Ireland’s international relations. The government is not objecting to the principle of data transfer but rather the process that the US authorities are attempting to use. Minister Murphy has said that the Irish government is committed to ensuring that data is only transferred to law enforcement in other jurisdictions in compliance with the MLAT process.
What does the case mean?
This case comes at a time when both the US government and US intelligence agencies are increasingly under pressure, both nationally and internationally, with respect to online data and evidence gathering. In line with this, perceived trust in the cloud has decreased significantly, not least due to hacks in recent days, and cloud providers are eager to build and restore that trust.
It also poses significant questions for US technology companies with data centres located in the European Union. The ruling handed down suggests that despite the storage of data beyond US borders, US courts can and will interpret US law as requiring the disclosure of such data, even if it would cause the recipient of the warrant to act inconsistently with the laws of another state.
For now, the warrant remains on hold pending further decisions of the superior US courts. Watch this space.
The content of this article is provided for information purposes only and does not constitute legal or other advice. Mason Hayes & Curran (www.mhc.ie) is a leading business law firm with offices in Dublin, London and New York.