In the latest chapter of the ongoing struggle between American courts and the EU’s privacy directives, Microsoft agreed to be held in contempt of court to stage an appeals court showdown over whether to extend the power of a US-issued warrant to produce data held “in the cloud,” which actually resides on servers located in the UK, over the objection of Microsoft, which claims the subpoena forces it to violate EU law.
In this case, Federal Magistrate Judge James Francis approved the Department of Justice (“DOJ”) warrant seeking disclosure of data within Microsoft’s control pertaining to a specific Hotmail.com email account. Microsoft moved to vacate the warrant on the basis that the data sought was held on a server in Dublin, Ireland. Magistrate Francis denied Microsoft’s motion to vacate on the basis that, despite the existence of the data on a geographically remote machine, Microsoft remained in “control” of the data. Federal Judge Preska, sitting in the United States District Court for the Southern District of New York, recently held Microsoft in contempt for its failure to comply with the court’s order, which sets the stage to have the parties’ dispute reviewed by the Second Circuit Court of Appeals.
To date, the DOJ has taken the position that companies operating in the US are required to comply with warrants and subpoenas for electronic records, even if the computers which physically hold the data sought by the warrant or subpoena are located outside of the United States’ jurisdiction. Microsoft, like many others in the past, has resisted this approach, citing to EU Data Protection Directive (“EU Directive”), which make such production a violation of EU law.
Microsoft has consistently taken the position that it should not be compelled to produce the information at issue in this matter because it is outside of the United States and within the jurisdiction of the UK, which is subject to the EU data protection and blocking statutes. Each European Economic Area member country has implemented the EU Directive in its own way, increasing the complexity of privacy litigation. Further, the EU foreign discovery “blocking statutes,” intentionally impede the transfer of data from Europe to the United States. The effect of the EU blocking statues is to box Microsoft into a situation where it cannot comply with one country’s law without violating the law of another. If Microsoft produced the data sought by the Department of Justice, it would violate the EU Privacy Directive, and if Microsoft complied with the EU Privacy Directive, it could not comply with the warrant.
Magistrate Francis’ ruling approving the warrant focused on Microsoft’s control of the data at issue, regardless of its physical location. The court stated succinctly: “It is a question of control, not a question of the location of that information.” Microsoft, of course, disagreed and claims that the rule suggested by the DOJ and the court would further damage consumer confidence and “will ultimately erode the leadership of US technologies in the global market.” Other tech dynamos such as Verizon, Apple and Cisco have weighed in, encouraging dialog, and even suggesting that a treaty between the US and foreign jurisdictions is needed to resolve the conflicts in laws.
The DOJ said that extending jurisdiction globally is necessary where “electronic communications are used extensively by criminals of all types in the United States and abroad, from fraudsters to hackers to drug dealers, in furtherance of violations of US law.”
Generally, American courts lack the power to reach outside of America’s jurisdictional boundaries and act on assets outside of the US. However, the Internet and cloud computing have challenged traditional conventions, and created a situation where data can be moved instantaneously across the world with the flick of a switch. Thus, an American citizen or business entity can have control (and some may argue possession) of data located around the world without leaving the territorial boundaries of the United States. Although the EU’s personal-rights centric privacy model may be admirable, and even preferred by some Americans, United States’ courts have uniformly rejected arguments against production based upon the conflict between warrants and subpoenas issued in the United States and the EU’s blocking statutes. The answer, as some have suggested, may come in the form of a treaty. Until then, the conflict between American courts’ jurisdiction to seize information that is physically held outside of the US but within the control of an American company and foreign blocking statues continues to be an undecided and contentious issue.