The ruling by a US court on Thursday (July 14) that the American government could not gain access to data residing on a Microsoft server in Ireland is being hailed as a victory by privacy campaigners, big tech firms, and legal experts alike. It’s a rare moment of clarity in the increasingly murky space of what rules govern what data as it flows across national boundaries.
The case centered on a suspected administrator of the Silk Road narcotics marketplace whose Outlook.com emails were stored on a Microsoft server in Dublin. The US government had a search warrant to compel Microsoft to hand over that data, but the ruling means the warrant can’t be used for data stored abroad, even if the company itself is based in the US. “First, this decision provides a major victory for the protection of people’s privacy rights under their own laws rather than the reach of foreign governments,” Microsoft president and chief legal officer Brad Smith wrote in a statement.
It’s not just Microsoft who should be celebrating. The decision means that foreign governments who demand data stored within US borders haven’t been given legal ammunition. That’s a big part of the reason why more than 80 tech companies and privacy groups filed amicus briefs in support of Microsoft.
Although the ruling is unambiguous about how far the US government may reach in its search for evidence, it remains a stopgap in the face of an increasingly complex global data and privacy puzzle. The real battle lies in legislative chambers around the world, as lawmakers must grapple with reforming rules that are struggling to remain relevant.
Generally speaking, the rules that govern global data flows are a mess right now. Sure, the European Commission officially adopted the so-called Privacy Shield this week (July 12), ending months of uncertainty over the legality of trans-Atlantic data flows. But it looks like it’ll only be a matter of time before this new framework is hauled before Europe’s highest court again, with a high chance that it will be struck down, meeting the same fate as its predecessor, the Safe Harbor agreement.
Then there is the European General Data Protection Regulation, a wide-ranging set of rules that has now been thrown into confusion by the UK’s vote to exit the EU. For large multinationals with British headquarters or presences, it’s suddenly unclear whether the potentially expensive requirements of the EU rules are worth incurring if the UK is no longer part of the bloc, as the consultancy PwC noted in the vote’s aftermath.
And in Britain itself, the new prime minister, Theresa May, has a key piece of legislation wending its way through parliament. It’s called the investigatory powers bill, and it centers on a question of “extra-territorial jurisdiction,” which would allow the British government to intercept or demand access to data residing overseas, so long as the company that owns that data has a presence in the UK. Unsurprisingly, Silicon Valley’s biggest companies, many of whom generate significant revenues in the UK and Europe, have fought the bill from the start.
May’s surveillance bill is a glaring example of an attempt to enshrine extra-territorial reach in law. It has been vigorously debated in the UK, and remains under scrutiny. Microsoft, and its Silicon Valley compatriots, are hoping for a similar debate on Capitol Hill. “The protection of privacy and the needs of law enforcement require new legal solutions that reflect the world that exists today–rather than technologies that existed three decades ago when current law was enacted,” Microsoft’s Smith wrote.