Tuesday, September 16, 2014

United States v. Microsoft (and Ireland)

I have a short piece in today's Irish Independent on the remarkable legal battle between Microsoft and US prosecutors over access to data on non-US users which is stored in Ireland, which has now resulted in a finding that Microsoft is in contempt of court.

The Irish Independent doesn't allow inline links to resources in stories, so for background here are:

In the piece I suggest that Microsoft might commit a criminal offence under Irish law if it discloses user emails without an Irish court order or other Irish law entitlement to do so. The relevant provision is section 21(2) of the Data Protection Acts, which makes it an offence for any data processor to knowingly disclose personal data without the prior authority of the data controller on whose behalf the data were processed.

This does, of course, assume that Microsoft would be a data processor rather than a data controller in respect of the contents of user emails. While there is some debate as to when a cloud service operator should be treated as a data controller rather than a data processor, guidance from the Article 29 Working Party (Opinion 1/2010 on the concepts of "controller" and "processor", p.11) strongly suggests that Microsoft should be treated as a data controller only in relation to content (such as traffic data) which it generates - in relation to the emails themselves Microsoft would be treated as a data processor and would therefore be exposed to criminal liability.

2 comments:

  1. Hi TJ,

    The first 90% of what you said is well established, and for an interesting example of an indifferent U.S. court see the 2010 case, AccessData Corporation v. Alste Technologies, GmbH.

    The U.S. Patriot Act (which isn't being mentioned for a change) grants U.S. authorities access to data relating to matters of national security under Sections 215 and 505. If a company is based in the U.S. or conducts a certain level of business with the U.S. then that company (and its data) comes under the reach of the U.S.

    The following did, however, surprise me: "The emails held in Dublin could have been legitimately accessed under that treaty - but US prosecutors argued that they should not have to follow that approach on the basis that it was too slow and cumbersome. If this is true then the MLAT system should be reformed - if not, then the US courts should know that they have been misinformed".

    This is really strange as you and Mr. McDowell say MLATs are in fact efficient. What will be crucial to this case are the facts which haven't been outlined in your links; what was the nature of the unlawful conduct for which the U.S. authorities were seeking the data, was it of such a level that necessitated immediate action and MLAT circumvention e.g. potential terrorist threat? Also, does the data belong to U.S. citizens? This would surely strengthen the U.S. argument.

    Microsoft and the cloud industry need to show strength for customers after being bullied since at least 2008 (see recent Yahoo case disclosures) so this case will be fascinating to watch. If the data requests lack a very, very strong justification I expect Microsoft to prevail.

    Lorcan
