In response (in part) to the Snowden Revelations having undone trust in U.S. companies’ ability to ensure data integrity, the European Court of Justice (ECJ) today invalidated a 15-year-old data privacy pact that allowed U.S. businesses to “legally” transfer EU citizen data across the Atlantic,
The EU's Charter of Fundamental Rights guarantees the protection of personal data. In that context, until today, under the so-called “Safe Harbor” agreement, more than 4,000 U.S. companies “self-certified” that they met EU privacy protection laws, thus qualifying them to handle EU data.
As of today, however, the ECJ rendered Safe Harbor invalid, due to, among other things, America’s global approach to digital surveillance and data collection, as well as the lack of adequate privacy protections in the U.S.
Meanwhile, related, the two-year-old Department of Justice (DOJ) case against Microsoft for refusing to surrender an individual’s data stored on a server at a Microsoft center in Ireland continues to wind its way through the U.S. legal system, with the Supreme Court the likely ultimate arbiter.
At issue: The personal emails of an individual suspected by U.S. authorities in a narcotics case.
DOJ contends that emails should be treated as the business records of the company hosting them and that a search warrant should compel access to them no matter where they are stored.
Microsoft argues that the emails are the customers’ personal documents and a U.S. warrant does not carry the authority needed in Ireland - or any foreign jurisdiction - to compel the company to surrender the data.
The Irish government, for its part, maintains that data should only be disclosed on request to the Irish government pursuant to the long standing mutual legal assistance treaty between the U.S. and Ireland.
The case would seem to be a pretty clear no-win all around:
If Microsoft prevails, the global trend towards data localization requirements will almost certainly be accelerated, at the very least undermining the efficiencies of the Cloud, at the very worst Balkanizing the Internet altogether – neither outcome being in anyone’s best interests.
If DOJ carries the day, what little trust may linger in U.S. information service providers will vanish, severely impacting their overseas business prospects and, at the same time, hindering U.S. authorities engaged in legitimate surveillance and data gathering, all the while further setting the precedent for governments worldwide to demand access to data stored in the U.S.
But it’s worse than that.
However the case may ultimately be resolved, uncertainty will reign, piled on top of the chaos echoing in the wake of today’s ECJ Safe Harbor decision, which has left thousands of companies scrambling to sustain businesses and striving for “compliance” with any number of regimes.
Worse yet, governments will not pause their surveillance and data collection. Indeed, two years of Snowden Revelations might suggest (to some) that the U.S. never really gave a fig about privacy anyway (other governments have yet to be as effectively outed, but are equally suspect).
In that context, whichever way the Microsoft case goes, the U.S. authorities who brought the case will be yet more hindered in the future in terms of “legal” access to the information they desire. So, they will do what they have already been doing: They will access the data they want in whatever manner they deem necessary.
Meanwhile, in the law enforcement realm, such illicit gathering of information may lead to the institutionalization of the process of “parallel construction,” a method by which the U.S. “exclusionary rule” which protects those accused can be circumvented to allow illegally gathered evidence to be admissible in court, severely undermining the rule of law.
(Parallel construction is already – reportedly - a popular DEA strategy: link)
At the same time, business and criminal enterprises alike may find themselves considering “Pirate Radio”-like data center services, with server banks housed “offshore” (literally or figuratively) in terms of being subject to no-one’s law enforcement or other jurisdiction, potentially threatening the rule of law (but also possibly fostering unique new business opportunities).
Clearly, while concerns related to the confluent conundrums of the Microsoft case and the Safe Harbor collapse are beyond multi-fold, the complexity of the matters involved dictate that there will also be no easy solutions.
So, what next?
Fitful and frustrating global conversations about very complex concepts - ranging from the definition of jurisdiction in a transnational world, to the harmonization of data protection and data compulsion policies, to balancing personal privacy and national security, and beyond.
De-conflicting inconsistent data-related (and other) laws and rules across the globe to allow for fair and open and trusted market access to facilitate continued global growth and prosperity in what is an increasingly-digital and borderless world.
How hard can that be?