TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tracker | European Commission weighs in on Microsoft Ireland case Related reading: Supreme Court agrees to hear Microsoft v. US case

rss_feed
DPC18_Web_300x250-COPY
PrivacyTraining_ad300x250.Promo1-01
GDPR-Ready_300x250-Ad

The European Commission has filed an amicus curiae brief on behalf of the European Union in the ongoing legal dispute between Microsoft Inc. and the United States. The case, which has been widely covered following Microsoft’s victory in the Second Circuit, concerns whether the United States can compel Microsoft to turn over information stored on a server owned by one of Microsoft’s EU subsidiaries and physically located in Ireland, via a warrant procured under the Stored Communications Act.

The Commission’s brief on behalf of the EU, which it said in a December 7 statement “[would] not be in support of either one of the parties” was filed to “make sure that EU data protection rules on international transfers are correctly understood and taken into account by the US Supreme Court.” The Commission’s intervention follows a similar brief filed by the Irish government with the Second Circuit, the EU member state where the Microsoft server at issue is located. In contrast to the Irish brief, which focused on Ireland’s objection to the originally granted warrant, the Commission makes it repeatedly clear that it “takes no position on the ultimate question of the SCA’s proper construction under U.S. law.”

According to the Commission’s brief, the EU has two main interests in the litigation between Microsoft and the United States:

  • Ensuring the Supreme Court proceeds with the case based on a correct interpretation of EU law.
  • To “reaffirm” the EU’s commitment to international law enforcement cooperation between it and the United States.

On the second point, the Commission states that it “has an interest in ensuring that … law enforcement cooperation continues to take place within a legal framework that avoids conflicts of law, and is based on ongoing dialogue, voluntary cooperation, and respect for each others’ fundamental interests in both privacy and law enforcement.”

In the Commission’s view, a major legal question is whether a warrant issued by a U.S. court requiring a company to disclose data held on an EU server violates obligations imposed on the EU data controller by the General Data Protection Regulation. In particular, the Commission attempts to address the question of Article 48, as both Microsoft and the United States advanced arguments concerning the application of the GDPR at the certiorari stage. Article 48 of the GDPR limits the enforcement of third country court decisions within the EU when they attempt to compel a data transfer not otherwise authorized by EU law. Under Article 48 and the accompanying Recital 115, such decisions are only enforceable when “based on an international agreement, such as a mutual legal assistance treaty.”

The Commission explicitly avoids making any argument as to how the Stored Communications Act should ultimately be construed under U.S. law, but argues that the “interests and laws of [a] foreign jurisdiction must be taken into account” when a court orders a company within the court’s jurisdiction to produce data stored in the foreign jurisdiction. The Commission’s brief presents two major theories of U.S. law for the Court’s consideration: (1) the presumption against extraterritoriality and (2) the Charming Betsy canon. Collectively, these theories are designed to help the U.S. act to mitigate the risk of conflict with foreign law and act to “advance international comity.”

The first theory is straightforward: When interpreting a law that may have an extraterritorial application, courts should presume against such application absent explicit wording, to avoid “international discord” arising from applying U.S. law to foreign countries. The second—the Charming Betsy canon—is a related maxim that statutes “ought never to be construed to violate the law of nations if any possible construction remains.” Essentially, both theories emphasize an interest in avoiding entanglements between U.S. law and other countries’ legal systems.

Much of the Commission’s brief traces the obligations imposed on Microsoft by the GDPR. The Commission makes clear that a foreign court order by itself is insufficient to render a data transfer lawful under the GDPR and any transfer of data by Microsoft to the United States would qualify as “processing,” bringing it under the aegis of the GDPR. The core obligations that attach to the processing of data are set out in Article 5 of the Regulation, and must be pursuant to one of the lawful bases set forth under Article 6. Additional rules are supplied for the transfer of data to non-EU countries in Chapter 5 of the GDPR. Article 48, discussed above, specifically contemplates transfers that are not otherwise authorized by EU law. The Commission notes that the GDPR “thus makes mutual legal assistance treaties, or MLATs, the preferred option” (internal quotation marks omitted) for such transfers. 

Article 49 permits a number of transfers even without an adequacy decision per Article 45 or safeguards that comply with Article 46, two of which the Commission identifies as applicable to the Microsoft case: (1) transfers for “important reasons of public interest,” which the Commission allows includes international cooperation to thwart serious crime and (2) “necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights or freedoms of the data subject.”

Overall, the Commission’s tone echoes Ireland’s earlier brief to the Second Circuit arguing that the Irish government’s willingness to apply the Mutual Legal Assistance Treaty (MLAT) process to the warrant made the United States’ position an unreasonable overreach. The EU appears to be focused on urging the Supreme Court to force U.S. law enforcement to make use of the existing MLAT system, rather than attempt to circumvent it by applying U.S. domestic law.

Photo credit: Eoghan OLionnain Berlaymont via photopin (license)

1 Comment

If you want to comment on this post, you need to login.

  • comment John Kropf • Dec 20, 2017
    Great article that highlights whether data protection authorities in the EU fully recognize international law.  The adequacy concept has long created a tension with fundamental concepts of international law such as comity and what is called in the U.S. the Act of State Doctrine (one state will not sit in judgement of another government's acts done within it's own territory.
    
    An interesting contrast to the EU and Irish amicus briefs is the New Zealand brief.  While the Irish and EU briefs were submitted in the name of their governments, the New Zealand brief was submitted in the name of the NZ Privacy Commissioner (not part of the government but independent).  The NZ brief says little about data protection law and instead focuses on the importance of international law recognizing the significance of comity, the presumption against extraterritoriality, and the respect of countries to govern within their own territory.  The New Zealand Privacy Commissioner recognizes that data protection must operate within the larger law of nations.