Here we go again! In developments which will cause more scrutiny of US legal powers, a US judge has ordered Microsoft to hand over emails held in Dublin. This is not the first time I’ve blogged on data security issues. This time it’s the Stored Communications Act that is providing the power.
Brad Smith, general counsel of Microsoft, had previously told the FT it would store data outside the US to allow its customers to make an informed decision about where their data is held and which laws apply to it. This ruling seemingly leaves that policy in tatters and, not surprisingly, Microsoft resisted handing over the data in this case and is planning to appeal.
An EU spokeswoman was quoted by the BBC as saying the data should not be handed over. The EU Commission has long been trying to export data protection standards across the globe. The Safe Harbour agreement is part of that and so are the promises to bolster it after the Snowden revelations. So too its attempt to increase the standard of data protection through the new Data Protection Regulation (although Trend Micro’s research indicates it might need to do more to raise awareness since less than 50% of UK businesses are aware of the planned changes).
Let’s just go back to 2011 for a minute. At the launch of Office 365, Microsoft UK’s managing director Gordon Frazer controversially indicated Microsoft UK would hand over EU-based data to the US authorities under the USA Patriot Act since it was US-owned. This caused a stir in the cloud sector at the time with some saying they were shocked — and with others saying Microsoft UK had simply voiced what they already knew (or at least suspected).
Of course, Snowden revealed in 2013 that the NSA was snooping on data all along anyway. The crucial distinction, though, was that those powers were being exercised broadly with bulk collection of data under general warrants.
At this stage of the case, it is not clear which US government agency has applied for the data or whether the emails are stored by Microsoft Ireland as opposed to Microsoft US, but the judge was clear that, if US agencies had to coordinate efforts with foreign governments to secure such information under the international treaties, “the burden on the government would be substantial, and law enforcement efforts would be seriously impeded.”
We await further developments.
UPDATE 24/06/14: I’ve now read the judgment so go visit my update post:
Microsoft data ruling avoids dealing with foreign governments