US wants to force Microsoft to break EU data protection laws in landmark case

A Supreme Court case could decide whether US law forces tech companies to give data stored overseas to prosecutors.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • The US Supreme Court will hear arguments in a major privacy rights case between Microsoft and the US Justice Department, to determine whether US law forces tech companies to give data stored overseas to prosecutors in criminal and counterterrorism cases.
  • IBM, Amazon, Apple, Verizon, and Google all filed court papers backing Microsoft in the Supreme Court case against the Justice Department.

On Tuesday, the US Supreme Court began hearing arguments in a major privacy rights case between Microsoft and the Justice Department that could determine whether US law forces tech companies to give data stored overseas to prosecutors in criminal and counterterrorism cases, Reuters reported.

The case could set the standard for whether US courts can make companies break international data privacy laws, including the EU's General Data Protection Regulation (GDPR), which goes into effect in May.

The case kicked off in 2013, when prosecutors obtained a warrant for the emails of a suspect in a drug trafficking investigation, which were stored on Microsoft servers in Dublin, our sister site ZDNet reported. Microsoft challenged whether a US warrant covered data stored abroad, but the Justice Department said that because the company is based in the US, prosecutors are entitled to the data.

The decision will have a large impact on major tech companies—the majority of which host servers around the world. IBM, Amazon, Apple, Verizon, and Google all filed court papers backing Microsoft, Reuters reported.

"This Supreme Court case is of critical importance to the tech and business community," said Geoffrey Sant, partner in the trial department of the law firm Dorsey & Whitney LLP. "The US government wants to order Microsoft and other companies to turn over electronic records that are held on servers in a foreign country—even when doing so would violate foreign laws."

The EU and other foreign countries and organizations have strict laws on privacy, cybersecurity, and bank secrecy, Sant said. "If Microsoft loses this case, it and other companies will be placed in the position of having to either violate US court orders and legal subpoenas, or violate the laws of the foreign country where they store information," he added. "In other words, they will be forced to violate the law in one location or the other."

In a brief to the Supreme Court, Microsoft noted that if it is forced to produce electronic records in violation of GDPR, it could be penalized in Europe with a fine of up to 4% of the company's worldwide revenues—an amount equal to $3.6 billion, Sant said.

"Even putting aside the potential for massive fines, US tech companies and other businesses will be placed in a tremendous strategic disadvantage because the US companies could not guarantee the privacy of the data of its users, while competing non-US businesses and tech companies may be able to provide those guarantees," Sant said.

In 2016, the 2nd US Court of Appeals sided with Microsoft on the case. President Donald Trump's administration appealed that ruling to the Supreme Court. The appeals court said that the emails were beyond the reach of domestic search warrants obtained under the 1986 Stored Communications Act, according to Reuters.

Microsoft and the Trump administration are now backing bipartisan legislation to update the statute. If Congress passes this bill before the Supreme Court rules, the case will likely no longer be relevant, Reuters noted.

"We need a legal framework to govern the stockpiles of digital information that moves around the globe," said Craig A. Newman, chair of the Data Privacy Practice at the law firm Patterson Belknap Webb & Tyler. "As important as this case is, that's not something the Supreme Court can solve. It's ultimately going to be up to Congress to craft a solution that respects both global privacy rights and the legitimate needs of law enforcement. Until that happens though, everyone loses—law enforcement, global privacy rights, and the US technology community."

The Supreme Court is set to rule on the case by the end of June.

About Alison DeNisco Rayome

Alison DeNisco Rayome is a Senior Editor for TechRepublic. She covers CXO, cybersecurity, and the convergence of tech and the workplace.
