U.S. v. Microsoft: Not Doomsday
DMA Files Brief in Supreme Court Case vs. Colorado
As we noted yesterday, the U.S. Supreme Court is all set to hear argument in the United States versus Microsoft, a case which some commentators have suggested could do enormous harm to the cloud computing business, especially when it comes to U.S. providers.
This would be of great concern to brand marketers and those who service them — heavily reliant as all are on the cloud and the data which floats in it — were it not an exaggeration of the case's implications.
The case at hand
Here are the facts in brief: Law enforcement served on Microsoft a warrant under the Stored Communications Act, requiring the production of emails from a specific Microsoft email account. Where the owner of the account lives, and even whether he or she is a foreign national, is not what's at stake here. The issue is that the content of the emails within the scope of the warrant sits on a server in the Republic of Ireland.
Microsoft argued that the U.S. government would have to seek production of the emails via Irish authorities (procedures such as service under the Hague Convention are in place). In response, the U.S. government observes that Microsoft could comply with the request through a few simple clicks, right here in the land of the free and home of the brave.
The significance of the case lies not in the importance of the emails, or in the likelihood that the government could obtain them through existing legal channels. It lies in whether any foreign government can reach across borders and dip its hands into data pools in another country. Imagine, says Andrew Pincus, an attorney contributing to the SCOTUS blog, if it was Russia seeking emails housed on servers here in the States.
Setting aside the possibility that Russia could just hack the servers anyway, the problem with that argument is that the case currently at stake doesn't create any new opportunities for hostile governments to seek production of data.The power of sanctions
I am not a lawyer, but I did work some years in the broad sphere of litigation, and I well recall attempts by plaintiffs to compel production of documents (it was documents rather than those data) housed overseas. The governing mantra was "possession, custody, and control." A business headquartered in the U.S. couldn't resist production of files in its London office; the Court would easily be persuaded that it could pick up a phone and ask for those files in the normal course of business. Resisting such a production request could result in a finding of contempt, and heavy sanctions: Daily fines, for example, until the party in question complied.
Now look at Pincus' example:
That's an interesting theoretical question. In practice, albeit hypothetically, a finding contempt by the Russian Court could result in heavy sanctions, and ultimately seizure of Microsoft's Russia-based assets.
My simple point is that there's nothing new here. The only way, ultimately, for a brand to protect itself from Russian (or Chinese, or North Korean) sanctions is to have no assets — really, to do no business — in that territory. And to be fair, the same is true when it comes to the U.S., although brands might have more faith in judicial restraint here.
All that a Supreme Court ruling in favor of the government in the case at hand might achieve is making it less embarrassing for a foreign jurisdiction to impose sanctions in similar circumstances. What legal implications there are, in this respect, elude me. (Although again, I am not a lawyer.)
The clash of systems
Where trouble does seem to threaten is in the potential clash of regulatory systems. Say the Supreme Court does find in favor of the government, setting a precedent which compels U.S. brands to give up data housed in Europe in response to a U.S. law enforcement search warrant.
Under GDPR, which famously comes into effect on May 25 this year, the personal data of European data subjects can be collected and processed only under very strict constraints (learn more about that here). These include rules for the international transfer of data. Whether a warrant issued in criminal proceedings trumps (if I may) these rules is a question I certainly can't answer in any simple way. But it is a question on which the E.U. will want to weigh in.
That's the real thread to follow from the ruling which will, eventually, follow today's hearing; not scary monsters like hypothetical Russian sanctions or the end of cloud computing as we know it.