Brad Smith, Microsoft's Chief Legal Officer, said in a blog post (opens in new tab) that it's time for both the U.S. and EU governments to guarantee their citizens' data is protected even when crossing borders. He laid out four necessary steps the governments must take to protect user privacy, while still allowing transfers of data across borders in a safe and legal way.
Preserving Privacy Rights Across Borders
Smith said that people's legal rights should move with their data. This would mean that if the data is stored on U.S. servers but belongs to an EU national, then the U.S. government should only be able to get access to that data in a manner that conforms to EU laws. The reverse should also be true: If the EU government wants access to an American citizen's data stored on EU servers, it should comply with U.S. laws when doing so.
New Trans-Atlantic Agreement
Smith suggested that the U.S. and EU should agree to create an expedited process where whenever they need to get access to each other's citizens' data, first they need to comply with their own laws, and then they need to ask the citizens' governments for permission to the data. The citizens' governments can then either accept or reject the request, depending on whether they believe it's in compliance with their laws or not.
Smith believes that if this agreement were put in place, data transfers would comply with the recent Court of Justice of the European Union (CJEU) ruling that said the U.S. government must guarantee "essentially equivalent" data protection as to the protections available in the EU, because the U.S. government could only get that data if the EU authorities think their request complies with EU laws.
Moving Physically Across The Atlantic
Smith thinks that there should be an exception to the above proposals when a citizen is traveling across the Atlantic. In this case, the law of that jurisdiction should apply, in order to be consistent with longstanding legal principles, as well as the practical reality that public safety is more pronounced when a suspect is physically present in the given jurisdiction. Therefore, if an EU citizen travels to the U.S., Microsoft's legal officer believes that the U.S. law should apply when dealing with his data.
Asking The Right Company For Data
Right now, the U.S. government, and perhaps other governments as well, likes to go to cloud services providers to ask for data of another company's employees who use Microsoft's services, because it's easier to go to Microsoft than to all of its corporate customers individually.
However, Smith pointed out that in the physical world, the authorities go to the company where the employee works with a warrant to ask for the data, rather than to a third-party provider that may be holding that data. Therefore, the U.S. and EU national governments should also go to the directly-involved company and not to a third-party cloud services provider such as Microsoft.
Microsoft is also promoting this idea because it has seen that some businesses in the EU (and elsewhere) have stopped trusting American service providers because the U.S. government can go directly to them to ask for those companies' data. What Microsoft is saying here is that the U.S. and EU governments should agree to go directly to the party responsible and leave Microsoft and other third-party service providers out of it.
As more and more user data moves to the cloud, average citizens become vulnerable to having their data easily accessed by governments, too, even with a warrant. In the physical world, law enforcement must come with a warrant before entering someone's house in the U.S., but that doesn't seem to apply when it comes to digital data that's stored on someone else's servers.
As Microsoft is proposing here -- that when governments want a corporation's data they should go directly to that corporation -- it stands to reason that the governments should also go with a warrant to the user whose data they require, rather than gagging the service provider and then accessing the data in secret. However, this is not something Microsoft is suggesting in this case; the company is only asking for this sort of protection for its corporate customers, but not individual users of its cloud services such as Skype, Outlook, and so on.
21st Century Privacy Laws
Privacy laws in the U.S. or in the EU were passed decades ago, and Microsoft believes that they haven't aged well. The old laws are obsolete when it comes to protecting digital data in the twenty-first century, but they are also obsolete when it comes to providing a clear path for transferring data across borders in a way that protects user data against abusive government requests.
A new Judicial Redress Act has just passed the U.S. House, which gives EU citizens and other foreigners the same privacy protections that Americans get from the Privacy Act of 1974, which deals with how federal agencies can handle citizens' data. The recent CJEU ruling does mention that the U.S. would have to offer some way of judicial redress for EU citizens, but it's not clear whether the Privacy Act of 1974 is also "essentially equivalent" to the data protection laws in the EU.
If it's not, then this new Judicial Redress Act won't make a new Safe Harbor agreement any more likely or legally sound, unless the U.S. reforms its privacy laws to be at least as strong as those in the EU, per CJEU's ruling.
For now, Microsoft seems to believe that even in the absence of a Safe Harbor agreement, it can continue to transfer data within EU, but also to the U.S., by transferring it first to other EU companies. According to Maximilian Schrems, who made the original Safe Harbor complaint that led to its recent invalidation, this sort of solution would at the very least be in a legal gray area, but likely still illegal under the recent CJEU ruling.
Ultimately, this is only a trick to make it look like the EU data transfers are legal because they first happen between EU companies if in the end the data still reaches the U.S. under the same weak privacy protections as before. Therefore, there's no reason to believe this is legal or that it would pass CJEU's muster. However, a new Safe Harbor agreement must be reached by the end of January 2016 (pdf), so the company must believe it won't have to use this solution for long anyway, until a real one appears.
Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.