The Supreme Court is poised to weigh in on a global battle between governments and privacy advocates over access to people’s digital data as they increasingly conduct their lives online.
The justices will hear oral arguments Tuesday on whether U.S. officials can force Microsoft to hand over emails, which are stored in a data center in Ireland, that law enforcement is seeking as part of a drug investigation. A final ruling is expected by the summer.
The case — more than five years in the making — pits the U.S. government’s demands for the right to obtain digital data held anywhere in the world against privacy campaigners’ push for limits on that access. It also comes as the U.S. and European Union remain at loggerheads over how to handle people’s sensitive digital information, everything from search queries to corporate payroll data.
Lawmakers on both sides of the Atlantic are pushing for new laws to determine when governments can gain access to such data — often stored remotely in data centers worldwide by the likes of Google, Amazon and Microsoft — while protecting the privacy of sensitive information.
“In today’s world of email and cloud computing, where data is stored across the globe, law enforcement and tech companies find themselves encumbered by conflicting data disclosure and privacy laws,” Senator Orrin Hatch (R-Utah) said this month, calling for a “commonsense framework” to deal with the issue.
This is a problem that cries out for a legislative solution, not a judicial one” — Faiza Patel, New York University Law School
The justices are wading into these murky digital waters at a time when people’s attitudes are changing about how governments and companies collect, store and manage their online data. Former National Security Agency contractor Edward Snowden helped propel this shift — his revelations in 2013 about surveillance by U.S. and international national security agencies raised awareness in individuals from San Francisco to Stockholm about how their data is used.
Nearly 60 percent of Americans, for instance, now say that it’s unacceptable for the government to monitor their communications, according to the Pew Research Center. Those figures are even higher in Europe, where people’s right to privacy is roughly held on par with other fundamental rights like freedom of speech.
“There are massive international, privacy and commercial implications to this case,” said Faiza Patel, co-director of the liberty & national security program at the Brennan Center at New York University Law School, in reference to Tuesday’s hearing. “This is a problem that cries out for a legislative solution, not a judicial one.”
But the U.S. government calls the case a straightforward matter of law enforcement needing data, and tech companies easily being able to produce it.
In 2013, the FBI obtained a search warrant ordering Microsoft to hand over email information connected to alleged criminal drug activity. The tech giant provided some details on the account, but it balked at handing over the electronic communications because they were stored in Ireland. The company said the U.S. warrant did not apply to digital information held overseas.
The battle soon entered the courts, and the 2nd U.S. Circuit Court of Appeals in New York eventually ruled against the Justice Department in 2016. The judges said U.S. law did not permit courts to enforce search warrants against American companies for emails located outside the country.
In its filings with the Supreme Court, the U.S. government argued that the 1986 Stored Communications Act allows domestic law enforcement to obtain the data because Microsoft, which is headquartered in Redmond, Wash., can access the information from within the United States.
The Justice Department warned that if Microsoft prevailed, other criminals would quickly move their online information outside of the country, making it increasingly difficult for law enforcement agencies to carry out investigations and thwart illegal activity.
“In a world where data moves around so quickly, the location of the data shouldn’t matter,” said Jennifer Daskal, a former counsel to the assistant attorney general for national security and a law professor at American University in Washington. “It’s important the court rules in favor of the government.”
In response, Microsoft warned that a U.S. victory would clear the way for other countries, notably authoritarian regimes like China and Russia, to seek access to data worldwide, including in the United States.
We need a new generation of laws to govern a new generation of tech” — Brad Smith, Microsoft president and chief legal officer
The software giant also argued that current U.S. laws do not grant law enforcement agencies the right to obtain data held overseas, and that Microsoft would run afoul of Europe’s strict privacy rules if it handed over the data held in Ireland without going through the appropriate diplomatic channels.
“The DOJ’s position has some tension with common sense,” Brad Smith, Microsoft’s president and chief legal officer, told POLITICO. “The case raises issues between law enforcement and privacy. We need a new generation of laws to govern a new generation of tech.”
Microsoft’s demands are gaining some traction in Congress.
Earlier this month, Hatch and other lawmakers introduced a bipartisan bill called the Clarifying Lawful Overseas Use of Data, or CLOUD, Act — S. 2383 (115) — partly in response to the Supreme Court case.
The legislative proposal would allow the U.S. to sign bilateral data-transfer agreements with other countries to quickly share information between jurisdictions — under strict privacy and data security requirements. As part of the bill, U.S. warrants served on American companies also would apply to data stored overseas.
The bill, which lawmakers say was written with DOJ’s help, has received widespread support from tech companies.
“Congress has agreed on a plan, a good plan, and it’s got to be decided in the Congress and not in the courts,” Representative Doug Collins (R-Ga.), who co-sponsored the CLOUD Act in the House, told POLITICO. “The precedent has been that Congress decides when there is extraterritorial reach, not the court.”
The future of democratic decision-making in the digital era is at stake” — Jan Albrecht, MEP
Paul Rosen, former chief of staff of the Homeland Security Department and a partner at the law firm Crowell & Moring, said the Microsoft case showed the pitfalls of the Supreme Court applying old statutes to issues involving new technology.
“The court is interpreting a statute from 1986, a time when email was far from a household name,” he said. “Given that this case is arising in context of the Stored Communications Act, it would not surprise me if the court put the burden back on Congress.”
European policymakers also haven’t stood still in the years since American authorities first demanded Microsoft hand over the data stored in Ireland.
In 2015, the EU’s highest court invalidated a transatlantic data agreement after judges ruled that American authorities did not provide sufficient protection to European citizens when their data was shipped to the U.S.
A subsequent data-transfer deal, known as the EU-U.S. Privacy Shield, forced American officials to guarantee certain rights for Europeans, though EU privacy campaigners still filed lawsuits to overturn the agreement. Hearings in those cases are expected later this year.
And a major overhaul of Europe’s data protection standards that comes into force in late May includes fines of up to 4 percent of companies’ global revenues if they mishandle people’s data, including potentially sharing it with government agencies without permission.
“The key question at the moment is who has jurisdiction over the internet,” said Jan Albrecht, a German politician who filed a legal brief to the Supreme Court in support of Microsoft. “The future of democratic decision-making in the digital era is at stake.”