Privacy in the Digital Age: The Microsoft Case, CLOUD Act and Overseas Data

Privacy in the Digital Age: The Microsoft Case, CLOUD Act and Overseas Data

In today’s era of digital communications, where data can be stored and accessed from almost anywhere in the world, and where privacy is becoming an increasing concern, how exactly do regulations come into play? For instance, can an email provider in the United States be compelled to turn over email content stored in another country? Where does one draw the line between privacy and the government’s investigation powers?

These were some of the questions posed in the highly anticipated case of United States v. Microsoft^[1] which began in 2013 when a New York federal judge granted the government’s application for a warrant under § 2703 of the Stored Communications Act (SCA) to obtain email content and information from Microsoft associated with a suspected drug trafficker.^[2]

Microsoft refused to provide the email content stored in Ireland, saying that the term “warrant” carries territorial limitations, meaning that U.S. law enforcement officers may be directed by a court-issued warrant to seize items in the U.S. only.^[3] The government, on the other hand, argued that the warrant was similar to a subpoena, which requires the recipient to deliver the records to the government, regardless of location.^[4]

After the district court ruled against Microsoft and held the company in civil contempt for refusing to provide the content, Microsoft appealed to the Second Circuit, which reversed the district court’s ruling.^[5] The Second Circuit found that because the SCA is silent as to its territorial reach, it must be read consistently with the presumption against extraterritoriality and thus does not apply abroad.^[6]

The case was elevated to the Supreme Court for oral arguments,^[7] but came to an abrupt end upon the passage of the CLOUD (Clarifying Lawful Overseas Use of Data) Act on March 23, 2018.^[8]

Prior to the CLOUD Act, the U.S. could only access data stored overseas through mutual legal-assistance treaties (MLATs).^[9] With a MLAT, nations could put in writing the terms of willingness to help each other with legal investigations.^[10] The Senate votes on each MLAT, which must receive a two-thirds approval to pass.^[11] Through the CLOUD Act, U.S. law enforcement officials at any level, from local police to federal agents, can compel tech companies to turn over user data, regardless of where the company stores the data.^[12] The CLOUD Act also gives the executive branch the ability to enter into “executive agreements” with foreign nations, which could allow each nation to get its hands on data stored overseas, no matter the hosting nation’s privacy laws.^[13] These agreements do not require congressional approval.^[14]

As a result of the CLOUD Act, the Department of Justice (DOJ) moved on March 30, 2018 to drop the Microsoft lawsuit as moot.^[15] A few days after, Microsoft filed a response agreeing with the DOJ’s motion.^[16] In effect, both the government and Microsoft agreed that the newly passed CLOUD Act renders the lawsuit meaningless.^[17]

According to Microsoft President Brad Smith, “the passage of the CLOUD Act is an important milestone in the journey to modernize the law, enable enforcement officials to do their jobs and protect people’s privacy rights across borders.”^[18] He added that “[w]hile the CLOUD Act creates new rights under new international agreements, it also preserves the common law right of cloud service providers to go to court to challenge search warrants when there is a conflict of laws – even without these new treaties in place.”^[19]

The dispute, however, is not yet over. The DOJ obtained a new search warrant requiring Microsoft to turn over the emails pursuant to the CLOUD Act.^[20]

While the CLOUD Act appears to resolve the gap in the SCA, some activists think that the new law could open the door to increased surveillance and erode protections for human rights.^[21] Significantly, the CLOUD Act allows for the president to enter into executive agreements with foreign governments covering data collection on criminal suspects.^[22] Thus, while the CLOUD Act makes allowances for entering into agreements with countries that respect the rule of law, repressive governments could benefit from the legal agreements allowed under the act.^[23]

According to David Ruiz of the Electronic Frontier Foundation (EFF), with the CLOUD Act in place, “US and foreign police will have new mechanisms to seize data across the globe.”^[24] “Your private emails, your online chats, your Facebook, Google, Flickr photos, your Snapchat videos, your private lives online, your moments shared digitally between only those you trust, will be open to foreign law enforcement without a warrant and with few restrictions on using and sharing your information.”^[25]

Joshua Rich, partner at McDonnell Boehnen Hulbert & Berghoff LLP and chairman of the firm’s Trade Secrets Practice Group also pointed out that the CLOUD Act may result in “some backlash in the international arena.”^[26] Rich also noted that “communications that take place outside of the U.S., if relevant to an investigation, could be subject to disclosure, which may anger citizens in foreign countries with stricter privacy laws. This backlash could translate to users turning away from U.S. email providers.”^[27]

While the CLOUD Act is a step forward in terms of closing the Microsoft case, a lot of questions still remain. It will be interesting to see how the Microsoft warrant will be treated in light of the CLOUD Act, and more importantly, how the new law will impact the government’s power to obtain data from overseas considering the growing number of privacy regulations.