In response (in part) to the Snowden Revelations having undone trust in U.S. companies’ ability to ensure data integrity, the European Court of Justice (ECJ) today invalidated a
15-year-old data privacy pact that allowed U.S. businesses to “legally” transfer
EU citizen data across the Atlantic.
The EU's Charter of Fundamental Rights guarantees the protection of personal data.
In that context, until today, under the so-called “Safe Harbor”
agreement, more than 4,000 U.S. companies “self-certified” that they met EU
privacy protection laws, thus qualifying them to handle EU data.
As of today, however, the ECJ rendered Safe Harbor invalid,
due to, among other things, America’s global approach to digital surveillance and
data collection, as well as the lack of adequate privacy protections in the
U.S.
Meanwhile, in a related matter, the two-year-old Department of
Justice (DOJ) case against Microsoft for refusing to surrender an individual’s data
stored on a server at a Microsoft center in Ireland continues to wind its way
through the U.S. legal system, with the Supreme Court the likely ultimate arbiter.
At issue: The personal emails of an individual suspected by
U.S. authorities in a narcotics case.
DOJ contends that emails should be treated as the business
records of the company hosting them and that a search warrant should compel access
to them no matter where they are stored.
Microsoft argues that the emails are the customers’ personal
documents and a U.S. warrant does not carry the authority needed in Ireland
- or any foreign jurisdiction - to compel the company to surrender the data.
The Irish government, for its part, maintains that data
should only be disclosed on request to the Irish government pursuant to the
long-standing mutual legal assistance treaty between the U.S. and Ireland.
The case would seem to be a pretty clear no-win all around:
If Microsoft prevails, the global trend towards data
localization requirements will almost certainly be accelerated, at the very
least undermining the efficiencies of the Cloud, at the very worst Balkanizing
the Internet altogether – neither outcome being in anyone’s best interests.
If DOJ carries the day, what little trust
may linger in U.S. information service providers will vanish, severely impacting their overseas business prospects and, at the same time, hindering U.S.
authorities engaged in legitimate surveillance
and data gathering, all the while further setting the precedent for governments worldwide to
demand access to data stored in the U.S.
But it’s worse than that.
However the case may ultimately be resolved, uncertainty
will reign, piled on top of the chaos echoing in the wake of today’s ECJ Safe
Harbor decision, which has left thousands of companies scrambling to sustain
businesses and striving for “compliance” with any number of regimes.
Worse yet, governments will not pause their surveillance
and data collection. Indeed, two years
of Snowden Revelations might suggest (to some) that the U.S. never really gave a fig about
privacy anyway (other governments have yet to be as effectively outed, but are equally suspect).
In that context, whichever way the Microsoft case goes, the U.S. authorities
who brought the case will be yet more hindered in the future in terms of “legal”
access to the information they desire. So,
they will do what they have already been doing: They will access the data they want in whatever manner they deem necessary.
Meanwhile, in the law enforcement realm, such illicit gathering of information may lead to the institutionalization of the
process of “parallel construction,” a method by which the U.S. “exclusionary rule,” which protects those accused, can
be circumvented to allow illegally gathered evidence to be admissible in court, severely
undermining the rule of law.
(Parallel construction is already, reportedly, a popular DEA strategy.)
At the same time, business and criminal enterprises alike may
find themselves considering “Pirate Radio”-like data center services, with server banks housed “offshore”
(literally or figuratively) in terms of being subject to no one’s law enforcement
or other jurisdiction, potentially
threatening the rule of law (but also possibly fostering unique new business opportunities).
Clearly, while concerns related to the confluent conundrums of the Microsoft case and the Safe Harbor collapse are beyond multi-fold, the complexity of the matters involved dictates that there will also be no easy solutions.
So, what next?
Fitful and frustrating global conversations about very
complex concepts - ranging from the definition of jurisdiction in a
transnational world, to the harmonization of data protection and data
compulsion policies, to balancing personal privacy and national security, and beyond.
The goal?
De-conflicting inconsistent data-related (and other) laws and rules across the globe to
allow for fair and open and trusted market access to facilitate continued global
growth and prosperity in what is an increasingly digital and borderless world.
How hard can that be?