Microsoft has been fighting with the U.S. Department of Justice since 2013 when the DoJ tried to get Microsoft to get them to hand over data belonging to a user, stored exclusively in Ireland. This case has gone back and forth in the courts since then.
The bottom line issue is whether a U.S. Court can force a U.S. based company to break foreign law because the U.S. Court says so.
In this case, the emails in question are stored in Ireland and Irish privacy law is pretty strict. Microsoft says that they are absolutely willing to hand over the emails if the DoJ convinces an Irish court to issue a subpoena to the Microsoft Ireland subsidiary. The DoJ, for whatever reason, doesn’t want to do that. I suspect that they would like to create a precedent that U.S. law trumps Irish law in U.S. Courts.
Microsoft, pretending to be a friend of privacy when it suits them, is saying that they want to protect their user. They may be more concerned about breaking Irish law and the penalties that come from that.
The EU General Data Protection Regulation, which goes into full effect in 2018, allows a country to fine a business up to 4% of their gross annual revenue for privacy violations. That doesn’t mean that they have to or will, but they can. For Microsoft, based on 2015 revenue of $93 billion, that means a POTENTIAL MAXIMUM fine of almost $4 billion.
A short summary of the 180+ page GDGR law is available at Deloitte’s web site, here. Note that this appears to be a Dutch version of the site, so the notices about privacy and cookies are in Dutch, but the summary text is all in English.
Since 2013, this case has bounced around the courts. Most recently, this month, the DoJ told the Second Circuit Court of Appeals that the Justice Department has the right to demand the emails of anyone, anywhere in the world from an email provider headquartered in the United States.
By logical extension, that means that China could demand emails of U.S. citizens from Google because their court said so. I don’t think that U.S. courts would be thrilled about that quid pro quo.
The DoJ says that YOUR email is a business record OWNED by Microsoft, not you, hence they should be able to demand that Microsoft give them copies of their business records. That is a pretty scary concept. Two lower courts have ruled in favor of the DoJ.
What if those emails were letters and those letters were stored in an office in Ireland. Would the U.S. DoJ be able to send a Marshal to Ireland, hand them the U.S. search warrant and expect to get those letters?
What if North Korea presented a search warrant to a U.S. company asking for some information on a customer.
As you can see, this gets messy quickly.
Microsoft wanted to make a ‘federal case’ over this and so they told the lower court to hold them in contempt for failing to turn over the emails.
It is important to understand here is that this is different than say the WhatsApp case in Brazil where a Brazilian court put a freeze on $6 million of Facebook’s money because WhatsApp doesn’t have the decryption keys and therefore can’t give them the messages unencrypted. Since WhatsApp doesn’t have any offices or presence in Brazil, they went after Facebook instead (Facebook owns WhatsApp). In this case, Microsoft could, technically, turn over those emails in readable format.
But, if Microsoft chose to comply with this warrant, their business model would shrivel up and die.
What foreign company would do business with an American company if they knew that the U.S. government could demand that that U.S. business turn over the foreign company’s records, stored in that foreign country, totally bypassing the legal system in that country.
Currently, companies like Google and Microsoft deal with that by setting up subsidiaries in different countries and have users be customers of that local country subsidiary.
While I don’t even pretend to be a lawyer, even on the Internet, the concept here is called extraterritoriality, meaning that a government declares that their law applies in another country. While a country can do that, absent the other country agreeing to that statement, the likelihood of the other country enforcing that law is very low.
Microsoft says that if the U.S. wants to go after data stored in foreign countries, that is fine. What they need to do is pass a law that says that they claim that right and then negotiate treaties with each other country that they want to enforce it. There are many examples of this today, but it is a complicated process.
For one thing, each other country will likely demand reciprocal rights and those countries will likely demand that those laws can only be enforced if they provide similar rights that the citizen in question has in their country.
In the Microsoft case, that means that, if there was a treaty in place, and if U.S. provided the same protections as Irish law, then Ireland would honor the U.S. law.
Great Britain is trying this same gig with the proposed Snooper’s Charter bill currently in their parliament and while Britain might pass such a law, the likelihood of it being enforced in at least some other countries is basically zero.
For those of you who read this tome hoping I would tell you how it turned out – the appeals court ruled in Microsoft’s favor.
Whether the DoJ chooses to appeal this to the Supreme Court or wait until after the November elections and hope that Trump gets elected and stacks the court the way they would like, is unclear. If Clinton gets elected it is unlikely that the DoJ would get the judge that they want. In fact, whoever gets elected will likely control the slant of the court for decades to come and that is probably the most important issue related to the U.S. Presidential elections, bar none.