I have a short piece in today's Irish Independent on the remarkable legal battle between Microsoft and US prosecutors over access to data on non-US users which is stored in Ireland, which has now resulted in a finding that Microsoft is in contempt of court.
The Irish Independent doesn't allow inline links to resources in stories, so for background here are:
- The Magistrate Judge's original ruling that Microsoft must hand over the data;
- The opinion of Michael McDowell SC on Irish law as it applies to the Microsoft case;
- The Mutual Legal Assistance Treaty between Ireland and the US (which I argue US prosecutors should have used); and
- The Department of Justice Guide to Mutual Legal Assistance in Ireland.
This does, of course, assume that Microsoft would be a data processor rather than a data controller in respect of the contents of user emails. While there is some debate as to when a cloud service operator should be treated as a data controller rather than a data processor, guidance from the Article 29 Working Party (Opinion 1/2010 on the concepts of "controller" and "processor", p.11) strongly suggests that Microsoft should be treated as a data controller only in relation to content (such as traffic data) which it generates - in relation to the emails themselves Microsoft would be treated as a data processor and would therefore be exposed to criminal liability.
Hi TJ,
The first 90% of what you said is well established, and for an interesting example of an indifferent U.S. court see the 2010 case, AccessData Corporation v. Alste Technologies, GmbH.
The U.S. Patriot Act (which isn't being mentioned for a change) grants U.S. authorities access to data relating to matters of national security under Sections 215 and 505. If a company is based in the U.S. or conducts a certain level of business with the U.S. then that company (and its data) comes under the reach of the U.S.
The following did, however, surprise me: "The emails held in Dublin could have been legitimately accessed under that treaty - but US prosecutors argued that they should not have to follow that approach on the basis that it was too slow and cumbersome. If this is true then the MLAT system should be reformed - if not, then the US courts should know that they have been misinformed".
This is really strange as you and Mr. McDowell say MLATs are in fact efficient. What will be crucial to this case are the facts which haven't been outlined in your links: what was the nature of the unlawful conduct for which the U.S. authorities were seeking the data, and was it of such a level that necessitated immediate action and MLAT circumvention, e.g. a potential terrorist threat? Also, does the data belong to U.S. citizens? This would surely strengthen the U.S. argument.
Microsoft and the cloud industry need to show strength for customers after being bullied since at least 2008 (see recent Yahoo case disclosures), so this case will be fascinating to watch. If the data requests lack a very, very strong justification I expect Microsoft to prevail.
Lorcan