Safe Harbour ruling could have bearing on Microsoft e-mail dispute


8 October 2015

Microsoft has cited a ruling by a European court on transatlantic transfers of personal data as having a bearing on its litigation over turning over e-mail held in Ireland to US law enforcement.

The ruling by the Court of Justice of the European Union declared invalid a “safe harbour” agreement that governs data transfers between the US and the European Union, because US law and the actions of the country’s government “inadequately respect European ‘fundamental rights’ of personal data privacy,” Microsoft’s lawyer E. Joshua Rosenkranz brought to the notice of the US Court of Appeals for the Second Circuit.

“This opinion could subject US companies to charges of violating European law any time they transfer personal data to the US, especially when US law-enforcement agencies instigate the transfer,” the Microsoft counsel wrote in a letter to the court clerk.

A dispute between Microsoft and the US government over turning over emails stored in a data centre in Dublin came up for oral arguments last month in the appeals court in New York.

The government has a warrant for access to emails held by Microsoft of a person involved in an investigation, but the company holds that nowhere did the US Congress say that the Electronic Communications Privacy Act “should reach private emails stored on provider’s computers in foreign countries.” In response to the search warrant, Microsoft provided non-content information held on its US servers but tried to quash the warrant when it concluded that the account was hosted in Dublin and the content was also stored there.

Lower courts have disagreed with Microsoft’s point of view, hence the appeal to the Second Circuit. US Magistrate Judge James C Francis IV of the US District Court for the Southern District of New York held that a warrant under the Stored Communications Act, a part of the ECPA, was “a hybrid: part search warrant and part subpoena.” It is executed like a subpoena in that it is served on the Internet service provider, who is required to provide the information from its servers wherever located, but it does not involve government officials entering the premises.

Microsoft has favoured an inter-governmental resolution to the US demand for access to the e-mails in Dublin, through the use of “mutual legal assistance” treaties the US has with other countries including Ireland. The US has held that the procedure takes time, even though Ireland volunteered to consider a request under the treaty. The company has also asked for Congress to take a decision on whether warrants under the ECPA can be executed abroad.

The European Court’s decision “underscores that the subject of cross-border data transfers is fraught and easily gives rise to international discord,” according to the filing. “Accordingly, Congress must be permitted to decide whether the benefits to US federal, state, and local law enforcement of extending ECPA abroad outweighs the risks to US industry and US-EU relations,” it added.

The filing also brings to the notice of the court that Congress is considering those costs and benefits. At a Senate Judiciary Committee hearing on 16 September on “Reforming the Electronic Communications Privacy Act,” senators questioned government officials on the risks involved in seizing communications from servers overseas, according to the filing.




John Ribeiro, IDG News Service
