
Cloud data privacy for businesses unclear after Supreme Court drops Microsoft case

The case led to the CLOUD Act, which requires tech companies to comply with court orders for data stored in the US and overseas.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • The US Supreme Court has dropped the Microsoft vs. Department of Justice case over data privacy, now that new legislation requires cloud providers to comply with court orders for data, regardless of whether the information is located in the US or overseas.
  • It's likely that we will see more conflicts between US legal demands and foreign legal requirements in the near future.

On Tuesday, the US Supreme Court dropped the Microsoft vs. Department of Justice case over data privacy, which ushered in new legislation around cloud provider data privacy.

The case began in December 2013, when federal law enforcement agents filed a warrant requiring Microsoft to disclose emails and other information from one of its users based on probable cause that the account was being used for drug trafficking activity.

Microsoft determined that the emails were stored in a data center in Dublin, Ireland, and challenged the warrant, arguing that the company could not be required to turn over the emails because US law does not apply overseas.


The case led to the passage of the Clarifying Lawful Overseas Use of Data (CLOUD) Act in March 2018, which now renders the debate moot under law. The CLOUD Act requires cloud providers to comply with court orders for data, regardless of whether the information is located in the US or overseas.

After the passage of the CLOUD Act, the federal government obtained a new warrant, which replaced the original warrant served on Microsoft in 2013. The court concluded Tuesday that there is no longer a "live dispute" between the US and Microsoft based on the legal changes, and directed the district court to dismiss the case.

"Unfortunately, this ruling means that businesses continue to face uncertainty about how to deal with situations where US litigations require them to do things that would be illegal in foreign countries," said Geoffrey Sant, a partner at the international law firm Dorsey & Whitney LLP. "For example, many companies are ordered to hand over documents during US litigations even though doing so violates foreign laws regarding privacy, bank secrecy, and other issues. It looks like companies will need to continue to wait for guidance on this issue, considering that a number of federal courts have reached wildly different conclusions as to the appropriate 'test' to use when considering whether or not to order the production of documents in violation of foreign laws."

It's likely that we will see more conflicts between US legal demands and foreign legal requirements in the near future, especially with the EU's General Data Protection Regulation (GDPR) about to go into effect, Sant said.

It remains unclear how much personal privacy individuals can expect when US litigations require documents to be produced, Sant said. "In criminal cases, the ruling has made clear that there are very few protections for personal privacy even in electronic documents held overseas, so long as the US government follows proper procedures in obtaining a warrant," he added.

Microsoft officials stated that they were in favor of legislation rather than legal action when it comes to settling these types of matters, ZDNet reported. The company actually backed the CLOUD Act, as it creates a legal framework regulating how law enforcement can access data across borders.

"We welcome the Supreme Court's ruling ending our case in light of the CLOUD Act being signed into law," Microsoft president and chief legal officer Brad Smith said in a statement on Tuesday. "Our goal has always been a new law and international agreements with strong privacy protections that govern how law enforcement gathers digital evidence across borders. As the governments of the UK and Australia have recognized, the CLOUD Act encourages these types of agreements, and we urge the US government to move quickly to negotiate them."


About Alison DeNisco Rayome

Alison DeNisco Rayome is a Staff Writer for TechRepublic. She covers CXO, cybersecurity, and the convergence of tech and the workplace.
