Over the past few years, the U.S. government has continued to request more and more data about tech companies’ users. Disregarding any surveillance that may or may not happen against foreign targets, the U.S. government has more recently also started asking for warrants to data that's stored overseas, too, even if the data belongs to foreign citizens and not Americans. The U.S. government’s argument is that because the data is held by American companies, that gives it the right to ask for all of these companies' data.
In a previous case involving Microsoft, the Court of Appeals for the Second Circuit overruled a lower court judge and agreed with Microsoft that the U.S. government can’t request foreigners’ data. However, the U.S. government continued to fight, so now the case has ended up at the Supreme Court.
In a way, this is not all good news, because Microsoft had effectively already won the case when the Appeals Court agreed with the company in its ruling. The Supreme Court could overturn that ruling now and set a new precedent in favor of the government. On the other hand, if the Supreme Court rules the other way, it could make it quite explicit that the government can’t request foreigners’ data from American companies.
Obsolete ECPA At Fault Again
The law that the U.S. government thought allows it to obtain foreigners’ data was the Electronic Communications Privacy Act, a three-decade piece of legislation that Microsoft, other companies, as well as many civil liberties groups and the U.S. House are fighting to update and modernize.
Microsoft believes that as far as the law is concerned, there shouldn’t be a difference between the papers on your disk and your digital files stored in the cloud. The government should still have to go straight to the user with a warrant to obtain someone’s digital files, just like it needs to come with a warrant to search that person’s house.
Similarly, the FBI can’t go into another country to search someone’s property and take their documents, even if their home was built by an American company, so it shouldn’t be able to do the same to foreigner’s data online. Just like in the offline world, the FBI would first need to obtain permission from that country’s government to obtain someone’s data, and that country’s government would also be bound by its own laws.
What about Privacy Shield?
The Microsoft case involved a person from Ireland, which is a European Union member. The EU now has a data transferring deal with the U.S. that gives American companies the permission to transfer EU citizens’ data to the U.S. as long as that data is (supposedly) protected by the same privacy rights from which EU citizens benefit when it's on EU soil.
The deal has been criticized as ineffective, largely due to the fact that the U.S. continues its mass surveillance operations unabated and because of overreaches such as the one in the Microsoft case.
The U.S. government also seems to want to put Americans under the same type of mass surveillance with the recently introduced “USA Liberty Act.” Given that the U.S. government intends to actually expand its surveillance operations even against its own citizens, there’s not much hope that EU citizens’ data will be treated any better--Privacy Shield or not.
Between A Rock And A Hard Place
American companies’ ability to send EU citizens’ data to the U.S. will also be put once again under scrutiny by the Court of Justice of the European Union (CJEU), which could soon decide potentially new limits of those data transfers in the context of U.S. mass surveillance.
If the CJEU does enact new limits, while the U.S. Supreme Court rules that the U.S. government is allowed to obtain foreigners’ data, including EU citizens’ data, that could further complicate the relationship between the U.S. and the EU. Technology companies will be caught between a rock and hard place, having to follow the law of the land in both places, even if those laws are in conflict with each other.
Another outcome of the Supreme Court ruling in favor of the government in this case, which would be even worse, is that other countries could make similar demands of U.S. companies:
“It puts everyone’s emails at risk,” said Microsoft in a recent blog post. “If the U.S. government can unilaterally use a warrant to seize emails outside the United States, what’s to stop other governments from acting unilaterally to seize emails stored inside the United States? At a time when countries are rightly worried about foreign government hacking, the DOJ’s interpretation would open the door to accomplishing the same thing,” added the company.
Time For Congress To Act
Microsoft believes that instead of fighting with U.S. federal agencies over interpretations of a three-decades-old law applied to today’s world of cloud services, it would be better if Congress worked to modernize the law.
The company said that Congress should support the International Communications Privacy Act (ICPA) of 2017, which was introduced in Congress this past July. This bill clarifies when governments can access data across borders in a reasonable way and with permission from the respective countries, when required by international law.