On December 13, 2017, the European Commission filed an amicus brief in the United States v. Microsoft Corp case set to go before the U.S. Supreme Court in the 2018 term. The case concerns the U.S. Justice Department’s access to an individual’s private emails stored at Microsoft’s Dublin data center. In December 2013, the DOJ served Microsoft a warrant compelling it to disclose the private communications of an individual the government had reason to believe was engaged in criminal drug activity. When Microsoft turned over the account information stored on its U.S. servers, but refused to disclose the information stored at its Dublin center, the legal battle ensued.
At Issue: The Extraterritorial Application of the Stored Communications Act’s Warrant Provisions
The Stored Communications Act (SCA) – which is part of the broader Electronic Communications Privacy Act (ECPA) of 1986 – allows the government to require that an electronic communications provider disclose information about a particular communication upon being served a probable-cause-based warrant. At issue in this case is whether the warrant provisions of the Stored Communications Act (SCA) apply extraterritorially, such that they compel Microsoft, an electronic service provider, to produce private electronic communications stored on servers in Ireland for the United States government.
The European Commission’s Brief
While the Commission stresses that the EU takes “no position on the ultimate question of the Stored Communication Act’s proper construction under U.S. law,” it nevertheless implores that the Supreme Court consider EU data protection laws, particularly the General Data Protection Regulation (GDPR) set to go into effect in May 2018, when making its decision. The Commission argues that the GDPR applies in this case because the actions Microsoft must take to fully comply with the Justice Department’s warrant constitutes data “processing” to and from the European Union.
Chapter 5 of the GDPR explicitly addresses the transfer of data from the EU to a non-member state. The GDPR specifies two main circumstances under which personal data may be transferred from the European Union to a non-member state:
- Article 47 allows transfers in cases in which the Commission has ruled that the third party’s data protection laws provide an “adequate level of protection.” In determining the adequacy of a particular data protection regime, the Commission examines the third party’s rule of law and the presence and functioning of relevant regulatory authorities, among other elements.
- In the absence of the provisions in Article 47 being satisfied, Article 48 allows transfers to a third party if the data controller or processor has ensured “appropriate safeguards,” which many include standard data protection clauses, binding enforcement authority, and legal recourse for data subjects, among other guarantees.
In cases that do not resemble either of the above circumstances, Article 49 outlines “derogations for specific situations.” In its brief, the Commission identifies two provisions that are most relevant to the case at hand:
- When a transfer is “necessary for important reasons of public interest;” and
- When a transfer is “necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interest or rights and freedoms of the data subject.”
With regards to the first provision, the Commission concedes that the Justice Department’s request for data generally would be seen as meant to further an “objective general interest:” the “fight against serious crime, a well as “criminal law enforcement and international cooperation in that respect.”
With regards to the second provision, however, the Commission is vaguer. It remains an open question whether the interests, however legitimate, underlying the Justice Department’s request for data override “the interests or rights and freedoms of the data subject.” Thus, while the Commission abstains from siding with either party explicitly, its implication is clear: should the Court rule in favor of the U.S. Justice Department, the U.S. may run afoul of the EU data protection regime, and face EU states’ national regulatory authorities’ ire.
The Commission’s brief: European Commission Amicus Brief in Support of Neither Party