In a recent proceeding before the US Court, Microsoft was ordered to turn-over email belonging to a user of its hosted mail service. That email belonged to a user outside the US. The email itself was located on a server in a data center in Ireland—outside the US, which should be out of the reach of US authorities and subject to the requirements of the EU privacy laws. Microsoft challenged the order and lost. They argued that the court lacked jurisdiction over this particular data as it was stored outside the US, and therefore it was not subject to disclosure. They were wrong.
On April 25, 2014, Magistrate Judge James C. Francis of the Southern District of New York issued a memorandum and order upholding a subpoena ordering Microsoft to turn-over information held on a server in a datacenter in Ireland. Microsoft had contested the subpoena and argued that courts in the United States do not have jurisdiction and therefore are not authorized to issue a warrant for an "extraterritorial search and seizure." Relying upon the Stored Communications Act (the "SCA"), passed as part of the Electronic Communications Privacy Act of 1986 (the "ECPA") and codified at 18 U.S.C. § 2701-2712, the judge found that, even when applied to information that is stored in servers abroad, an SCA warrant does not violate the presumption against extraterritorial application of American law and therefore denied Microsoft's motion to quash the subpoena.
Though the judge relied upon the SCA in making his determination, he also cited the Patriot Act as evidence of legislative intent to not limit jurisdiction, which is the crux of the issue. He recognizes and relied upon the fact that Microsoft is a US business—and, more so, that it has a US presence from which it has access to the data on the servers in Ireland (regardless of where that data itself is stored, which is where he relies on a provision of the Patriot Act for clarification). As a US business, Microsoft is subject to US jurisdiction and laws. Arguably, Microsoft might not have to have been a US business for the court to have reached the same conclusion.
Whereas the facts of this ruling do not lend themselves to suggesting that the US government would have unlimited jurisdiction over electronic information, in theory, the court's finding does suggest that any business operating in the US could be subject to the same warrant/subpoena power regardless of where its data resides. Thus, it could very readily extend to any hosted/service provider with a US presence, regardless of where their data centers are sited and regardless of where their customer data is stored. In essence, a company providing a hosted service (be it email, finance, document management, whatever) anywhere in the US could be subject to the same demand to turn-over customer data of an EU customer, regardless of whether that data is held solely on document servers located within the EU. Therein lies the challenge such a ruling now presents to EU and other jurisdictions' data protection laws.
In a blog post on his website, a colleague of mine commented on this case in regards to its Safe Harbor implications. Interestingly enough, I would suggest that it doesn't actually violate the Safe Harbor privacy
principles. While my colleague correctly states that the purpose of the Safe Harbor provisions is in fact to facilitate commerce between the US and EU, what is missed is the actual requirement (or lack thereof) of that agreement. First and foremost, participation is voluntary. Second, and perhaps more important, is that, its goal is protection of personal data from unreasonable disclosure. In regards to the Federal Court ordering Microsoft to turn-over data, it was to be turned-over to the US government. Regardless of whether that disclosure meets the various criteria (including notice, choice, security, etc.), it's arguable that, as the receiving party is the US government, the disclosure would not violate the agreement. Regardless, even if it did violate that agreement, there has been ongoing debate about the efficacy and legitimacy surrounding the Safe Harbor agreement that was raised shortly after it was first established; the conclusion that was reached in that other blog commentary—that the Safe Harbor provisions never really meant much—probably is correct and further validates that exact debate. This holds true at least with regard to the extent of protection afforded individuals relying upon their data remaining strictly within the EU and not being subject to disclosure beyond its borders. The Safe Harbor provisions exist explicitly to accommodate that transfer of data.
This takes us back to the obvious question—that, in a modern world, where the internet connects everyone and everything, well beyond borders, is it really reasonable to expect that data in one jurisdiction will only remain in that jurisdiction and not be accessible or discoverable outside that jurisdiction? In reality and in light of what we know today of various governmental entities and their international surveillance programs—not to mention hacking (be it state-sponsored or otherwise), the answer is probably "no." So, what are the implications of that?
The UK Law Society and the SRA [PDF] have issued guidance on the use of "cloud" technologies. While they are not completely proscriptive, they do provide advice and guidelines that, presumably, create certain expectations.
In essence, the Law Society states that any cloud solution must comply with the Data Protection Act of 1998 ("DPA"). The considerations of this law on the adoption of cloud technologies are summarized by the information commissioner's office on their site and include a variety of recommendations. Some of the key elements of this act addressed by the ICO include: the use of encryption of data in transit and at rest; prevention of unauthorized access to client data by the cloud providers' personnel; and, access to data by intelligence agencies. The document on their site gives general guidance and recommends a variety of measures to be employed to safeguard data placed into the cloud. The ICO specifically notes that the DPA requires that personal data "shall not be transferred to any country or territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data." Arguably, as the US and EU created the Safe Harbor agreement, this statement could readily be interpreted to mean that it is assumed that the US meets those specific criteria such that a mandated disclosure of personal data to the US government is not in violation of those laws.
Further, all of the various provisions make reference to guidelines in contractual agreements. There are few steadfast rules with regard to how data is treated and communicated that mandate specific contractual obligations. Companies can meet the requirements of the DPA and various other regulations as may be called for by the Law Society or SRA and still have contractual language that could very likely contradict or otherwise limit the protections intended. Though, in essence, vendors do have to provide some very precise protections, the regulations and guidance are not so strict as to prohibit or preclude the type of data transfer and disclosure that was ordered in the instant scenario.
So, what does all this mean? At the very least, I'd suggest it means that, a firm that is truly 'worried' about their data not leaving the EU (and many seem to be) perhaps will think twice about where that data is and where it may end-up. Taken to the extreme, I think firms outside the US (especially those within the EU) who are worried about their data being accessed by the US will probably want to avoid using ISP's or hosting providers (software as a service providers or otherwise) with ANY presence within the US. While that may seem a bit excessive, given the instant facts and the relevant guidance, it's completely plausible to expect that data held and hosted by a company with presence in both the US and EU will certainly be subject to the same disclosure: if the hosting company has access to it from the US, it could be subject to the same requirement to disclose for the same reason. That won't stop these firms from building infrastructure to accomplish the same purpose (mobility, accessibility, etc.) or adopting technologies (such as a private cloud) that will prepare them for the eventual move to a hosted/cloud environment. Regardless, as the decision isn't about technology, but, more so the overall business need and value (what is gained and at what price, especially considering factors such as the total cost of ownership), firms will add this to their list of considerations when choosing whichever technology posture they feel is most appropriate.
Whether or not this potential for disclosure will have the effect of dissuading firms from adopting various technologies and platforms today or in the near or distant future remains to be seen. For those firms who want to adhere to a more strict interpretation, they may choose to avoid various cloud providers with regard to placing client data into their data centers. Those firms will not necessarily be limited with regard to the functionality they provide their end-users as the concept of cloud computing, in and of itself, offers no functional advantage over on premises solutions (accessibility of data/programs, disaster recovery, business continuity, etc.)—it merely offers a different financial model and a shifting of the management from an internal to an external resource (which, again, in that regard, an owned yet externally managed service also accomplishes if that is a preferred option).
Policies change—and regulations evolve. As such, this concern over where data resides and whether or how it is discoverable will change. It remains to be seen how firms—and providers—will react to this most recent development.
Ben Weinberger is Chief Strategy Officer for Phoenix, a global software and consultancy business. A lawyer and former CIO, Ben has more than 20 years of experience directing IT and operations in a variety of public and private organizations. He is a regular speaker on such topics as Emerging Technologies, Transformational Trends in Legal Technology and Business Continuity Planning. He received his Bachelor's degree in Economics from the University of Michigan and his Juris Doctorate from the University of Wisconsin.
Suggested citation: Ben Weinberger, Conflict of Laws: Data Protection in the Cloud, JURIST-Hotline, August 15, 2014, http://jurist.org/hotline/2014/08/ben-weinberger-cloud-data-protection.php.
This article was prepared for publication by Jason Kellam, a Section Editor with JURIST's Commentary services. Please direct any questions or comments to him at email@example.com