Until the likely Supreme Court challenge by the United States government, the 2nd U.S. Circuit Court of Appeals' decision in Microsoft v. USA is a striking, resounding victory for information privacy over the constant threat of government access and overreach. At the end of the day, however, the results could be mixed both for privacy and for the protracted battle between, on the one hand, national security and law enforcement agencies and, on the other hand, industry and civil society.
The court’s decision, denying U.S. law enforcement access to data controlled by a company based in Redmond, Washington, in an investigation of crimes committed on U.S. soil, because the data is stored on servers in Ireland, reasserts the significance of national borders in cyberspace, even in an age of seamless, instant and costless data transfers to the cloud. The court’s stance, respecting the sovereignty of foreign governments and the geographical limits of law in a globalized economy, stands in stark contrast to the European data protection framework, which attempts to export fundamental rights across borders and oceans to jurisdictions with entirely different legal traditions and cultural norms around privacy, among other things. When compared to the deferential approach of the 2nd Circuit Court, the European adequacy regime, which cost its proponents two years in negotiating a tenuous accord with the U.S. only to face the specter of having to reach another one with a post-Brexit U.K., not to mention “inadequate” but huge trading partners such as China, India, Brazil, and Japan, appears vain.
The court’s stance, respecting the sovereignty of foreign governments and the geographical limits of law in a globalized economy, stands in stark contrast to the European data protection framework, which attempts to export fundamental rights across borders and oceans to jurisdictions with entirely different legal traditions and cultural norms around privacy, among other things.
At the same time, the court’s strong presumption against extraterritorial application of law reinforces the European adage that by keeping data in Europe, companies and consumers are keeping it safe, at the very least from the reach of U.S. law enforcement officials. The court holds that “the invasion of the customer’s privacy takes place under the SCA where the customer’s protected content is accessed — here, where it is seized by Microsoft, acting as an agent of the government.” (Emphasis added). By focusing on the location of servers and data centers, as opposed to the location of service providers or suspects, the court fuels the drive towards data localization, which has seen Europe attaching strings to European sourced data while countries such as Russia, Turkey, Brazil, and China impose even tighter restrictions. Unfortunately, far from reinforcing privacy and fundamental rights, certain governments employ data localization cynically to subject their own citizenry to surveillance, censorship and mind control.
Importantly, the court recognizes the constant renegotiation of privacy in an age marked by dizzying technological change.
“Three decades ago,” Judge Susan Carney holds, “international boundaries were not so routinely crossed as they are today, when service providers rely on worldwide networks of hardware to satisfy users’ 21st–century demands for access and speed and their related, evolving expectations of privacy.” Clearly, these changes require businesses to routinely revise best practices and policymakers to proactively adapt and amend existing legislation, not least the Stored Communications Act and Electronic Communications Privacy Act, with their arcane, byzantine, obsolete legal categories and technological distinctions. This need is urgent, asserts the concurring opinion of Judge Gerard Lynch, who wrote separately “to explain why I believe that the government’s arguments are stronger than the Court’s opinion acknowledges; and to emphasize the need for congressional action to revise a badly outdated statute.”
The Microsoft case brought into focus the increasingly sharp fault line in the techno-social landscape between government interests - such as law enforcement and national security - and everyone else. The broad coalition of interests that joined Microsoft’s side as amici included strange bedfellows - civil liberties advocates, such as the ACLU and EFF, alongside industry behemoths, such as Apple and AT&T; a capitalist bastion, such as the Chamber of Commerce, alongside a green party activist, such as Jan Philipp Albrecht. Together, they tried to reinforce a bulwark against government surveillance, much like Apple did a few months ago in its spat with the FBI.
Regardless of whether or not the government appeals and the Supreme Court hears the case, this epic tug of war between government and civil society is far from over.
photo credit: Press vs audience tug-of-war via photopin (license)