The European Commission has announced that it intends to submit an amicus brief to the US Supreme Court in its hearing of the Microsoft Warrant Case and the Article 29 Working Party recently published its views on the conflict of laws issues that arise in these landmark proceedings. Given that they are of particular relevance to Ireland and multinational technology companies with data centres in Ireland, there will be considerable interest on both sides of the Atlantic as to what submissions the Irish Government will make to the US Supreme Court.
The case relates to a warrant originally issued in December 2013 pursuant to the US Stored Communications Act 1986 that required the search and seizure of information associated with an email account stored on servers in Ireland that are owned and operated by an Irish Microsoft entity. Microsoft sought to quash the warrant on the basis that courts in the US are not authorised to issue warrants for extraterritorial search and seizure. In July 2016 the US Court of Appeals for the 2nd Circuit upheld Microsoft’s challenge, ruling that the Stored Communications Act was not intended to authorise warrants having extra-territorial effect. In October 2017 the US Supreme Court confirmed that it will hear an appeal by the US Department of Justice against this decision (Case No. 17-2, United States v Microsoft Corporation).
The case raises fundamental issues regarding the jurisdiction of US law enforcement authorities to obtain access to electronic information held outside the United States, without availing the ‘Mutual Legal Assistance Treaty’ framework. Microsoft and other technology companies are concerned that if US authorities can compel them to provide information held on servers in Ireland, without going through local legal channels, then this will cause those companies to breach their obligations under EU and Irish laws. It may also undermine trust in cloud computing.
The European Commission announced on 7 December 2017 that it has decided to submit, on behalf of the European Union, an amicus brief to the US Supreme Court. It stated that since the transfer of personal data by Microsoft from the EU to the US would fall under EU data protection rules, it is in the interest of the EU to make sure that EU data protection rules on international transfers are correctly understood and taken into account by the US Supreme Court. The Commission indicated that its amicus brief will not be in support of either of the parties in this case.
In a more loaded statement regarding cross-border access to electronic evidence published on 29 November 2017, the Article 29 Working Party referred specifically to the Microsoft Warrant case and asserted that “EU data protection law provides that existing international agreements such as a mutual assistance treaty (MLAT), must – as a general rule - be obeyed when law enforcement authorities in third countries request access or disclosure from EU data controllers. The circumvention of existing MLATs or other applicable legal basis under EU law by a third country’s law enforcement authority is therefore an interference with the territorial sovereignty of an EU member state. Vice versa, EU law enforcement authorities should also - as a general rule - be required to respect existing international agreements such as MLATs or any other applicable legal basis under EU law when requesting access or disclosure from data controllers in third countries.”
The Irish Government was one of many parties that submitted an amicus brief to the US Court of Appeals for the 2nd Circuit in this case. Since the decision of the US Supreme Court could have very significant implications for Ireland and technology companies that operate in Ireland, the Irish Government is expected to submit a brief to the US Supreme Court. If it does many onlookers, particularly within Europe, will be curious to see what comments the Irish Government makes regarding the impact a US warrant purportedly having extra-territorial would have on Ireland’s sovereignty and obligations as a Member State to implement EU data protection law. At a time when businesses operating in Europe are preparing for the application of the General Data Protection Regulation, under which the Irish Data Protection Commissioner will be the lead supervisory authority for many leading multinational technology companies, the Irish Government will need to be conscious of the spotlight on Ireland’s approach to the application and enforcement of European data protection law.