This week, the United States government will be faced with the choice of whether or not it will violate European data protection laws. In order to ensure the protection of personal data at home, European policymakers must shape rules and practices abroad, writes Christine Galvagna.
Christine Galvagna is the German Chancellor Fellow at the Global Public Policy Institute (GPPi) in Berlin. In this capacity, she researches international human rights issues in relation to technology policy.
The United States government will soon decide whether to permit itself to violate European data protection laws, potentially undermining both the fundamental rights of European Union citizens and international law. At issue is whether a US court can compel the production of electronic communications stored in the EU, when the disclosure of that information would violate the data protection laws of the EU or one of its member states.
To ensure the protection of personal data within the EU, policymakers must shape foreign and international rules governing cross-border access to data.
Portentous developments in the US
This week, the US Supreme Court will hear oral arguments in United States v. Microsoft Corporation. The case arose from Microsoft’s noncompliance with a US warrant for a US citizen’s emails that were stored on a server in Ireland. It turns on the interpretation of a US statute called the Electronic Communications Privacy Act (ECPA); namely, whether a warrant issued pursuant to ECPA entitles US law enforcement to access data physically stored in another state’s (Ireland’s) jurisdiction.
A secondary question is, assuming the warrant has such an extraterritorial reach, to what extent should the exercise of jurisdiction be curtailed to prevent conflicts of law with other countries and violations of international law concerning state sovereignty?
A decision in the Department of Justice’s favour could force Microsoft – and in the future other companies – to violate European data protection laws in order to comply with US law enforcement demands for digital evidence.
Signaling the case’s importance, the European Commission submitted an amicus brief (i.e., a third party intervention) in which it described potential conflicts with the EU’s General Data Protection Regulation (GDPR).
The GDPR will generally prohibit a company that processes EU citizen data from sharing personal data with third state (e.g., US) law enforcement agencies, except through a process created by a mutual legal assistance treaty (MLAT). Although the GDPR has not yet gone into effect, similar existing Irish data protection rules prohibit circumvention of the Irish MLAT process.
Another concern is that the extraterritorial execution of a US warrant for stored data could violate Ireland’s state sovereignty. Microsoft argues that it would be “the same as if U.S. agents bearing a warrant directed Hilton to send a housekeeper into a hotel room in Dublin, photograph a guest’s papers, and email the copies to Washington.”
A state’s jurisdiction normally ends at its territorial boundaries. Absent a legal basis, the exercise of jurisdiction beyond those boundaries undermines another state’s sovereignty. This is a cornerstone of international law.
Fearing a decision against the government, Congress – which in its own amicus brief stated that it “is not bound by international law” – recently proposed the Clarifying Overseas Use of Data Act, or CLOUD Act.
If passed, the legislation would amend ECPA such that a warrant would require a company to disclose electronic communications regardless of their physical location. In other words, it would codify the Department of Justice’s position.
While the CLOUD Act would also allow companies to file a motion to modify or quash a warrant if disclosure would create a conflict of law, this option would be unavailable in a case similar to Microsoft Ireland, because it is inapplicable where the suspect is a US citizen or resident.
So how will the court decide? How will Congress vote? At first glance, the answer seems simple: Microsoft’s position is supported by both law and policy considerations. Accordingly, most legal experts, privacy advocates, and tech companies favour Microsoft’s position to some degree.
However, a decision in Microsoft’s favour, or legislation that reflects the company’s rationales, could lead to undesirable consequences. Most notably, it could encourage data localisation.
Data localisation laws require tech companies to store the personal data of a state’s nationals on servers within that state. Some governments use these policies to ensure that data protection laws are enforced properly. Others merely use data protection as a pretext to facilitate domestic surveillance.
Regardless of the motivation, data localisation is problematic because it undermines the technical efficiency and security of the internet generally. Yet, if US law signals to other countries that data localisation is necessary to protect personal data and state sovereignty, then more governments may adopt data localisation policies.
How should European policymakers respond to this dilemma? A solution already exists: The modernization of MLATs. These treaties allow one country to lawfully obtain evidence for criminal investigations and other legal proceedings from another country.
Existing MLAT processes, which are years, if not decades, old, are too slow and inefficient to meet current demands for electronic evidence. Problems include lengthy and complex US judicial proceedings and a relatively high number of requests concentrated in the US court system.
The US government has made little effort to update or adequately resource these processes, with the exception of a problematic proposed treaty with the United Kingdom that has languished for more than a year.
European policymakers should encourage and influence the drafting of a new protocol to the Council of Europe’s Convention on Cybercrime. This treaty was designed to facilitate international cooperation in the prevention and investigation of cybercrime.
The protocol – an additional agreement linked to the treaty – would facilitate cross-border access to cloud-based evidence. Two elements under consideration, international production orders and data protection requirements, would help to prevent the type of dispute that gave rise to the Microsoft Ireland case.
The US and other non-European countries are parties to the Cybercrime Convention, which would give this protocol worldwide impact.
Additionally, the EU could use its economic and political clout to press the US government for MLAT reform. After the GDPR goes into effect, Microsoft could be fined up to €20,000,000 or 4% of worldwide annual turnover for circumventing the MLAT process to comply with this US warrant.
Aggressive enforcement of these rules will encourage US tech companies – among the biggest funders of lobbyists in Washington – to pressure the US government for reform. Something similar happened two years ago, when the annulment of a legal instrument that allowed billions of dollars’ worth of data transfers to companies in the US prompted the US government to agree to stronger data protection standards in new instrument called Privacy Shield.
The global nature of the internet complicates data protection regulations. In order to ensure the protection of personal data at home, European policymakers must shape rules and practices abroad.