Tuesday 22 October 2019

Court ruling shows our data is in danger and the US holds our laws in contempt

Microsoft Office still dominates
Microsoft Office still dominates

TJ McIntyre

The appointment of Helen Dixon as the new Data Protection Commissioner has attracted worldwide attention, due to the number of US multi-nationals which have set up headquarters in Ireland.

It was one of two recent developments which have major significance for privacy in Ireland and elsewhere in the years ahead.

Ms Dixon's appointment makes her responsible for the personal data of hundreds of millions of European users of companies such as Facebook, LinkedIn and Microsoft.

The presence of these firms in Ireland creates challenges for Ms Dixon. She will be overseeing some of the largest companies in the world - and doing so with only 31 staff and limited enforcement powers compared to other regulators.

These challenges were highlighted by the second development - the finding by a New York court that Microsoft was in contempt of court by refusing to hand over user emails and other information stored in its Dublin data centre. Microsoft had argued that the US court could not make an extraterritorial order - that it could no more order a search of emails in Dublin than it could order the search of a building in Dublin. The court disagreed, holding that because Microsoft is subject to US jurisdiction it can be required to disclose any information it controls, regardless of where the information is stored.

The decision creates a straight conflict between US law and the law in Ireland, where Microsoft could be in breach of the Data Protection Act and face criminal liability by following the US decision, rather than insisting on an Irish court order. Rather than comply, Microsoft took the unusual step of accepting a contempt of court finding so that it could file an appeal.

That Microsoft felt compelled to do so highlights the importance of the case and the way in which it leaves Microsoft and other firms trapped between US and European privacy laws. US firms have, for some time, been losing business in Europe due to distrust of US surveillance, especially following the Snowden revelations.

To counter this, Microsoft and others have offered guarantees that European data will only be stored in European data centres - on the assumption that this will keep it beyond the reach of the US authorities.

The ruling against Microsoft, however, means that the physical location of data is no safeguard against US government intrusion. Instead, personal information stored with any US firm is at risk.

The result is a fundamental threat to the ability of many of these firms to do business in Europe. For example, numerous public bodies - such as Irish universities and even the UK Houses of Parliament - have moved their email, cloud storage and other services to US firms. In light of this ruling they will have to reconsider those choices and ask whether US services can guarantee the confidentiality of the sensitive information they hold.

However, the issues involved go well beyond the commercial interests of US firms (or even the impact on their Irish operations and jobs). Perhaps most importantly, the case highlights how dependent internet users worldwide are on US providers - and therefore how exposed they are to US surveillance.

The services which we use, from email to instant messaging to social networks to photo hosting, are dominated by a small number of companies headquartered on the west coast of the US. There is no equivalent European industry yet. As a result we all have a legitimate interest in knowing whether US law provides adequate protection for our privacy.

The approach taken by the US court - which simply disregards the requirements of European privacy laws - is unsustainable. One might ask how the US would respond if foreign states ordered, in a way which violated US privacy laws, the handover of data stored in the US.

How should Ireland respond to the Microsoft decision? The government, through the recently-appointed Minister for EU Affairs and Data Protection Dara Murphy, has already expressed concern to the US and raised the matter with the Data Protection Commissioner, who will have to consider what steps to take against Microsoft to ensure compliance with Irish law.

However, it would be desirable to go further. Two concrete steps should be taken at this stage. First, the government should consider filing an argument in the Microsoft appeal. By lodging an amicus curiae ("friend of the court") brief it could set out the ways in which US prosecutors could get the information they want in a manner consistent with Irish law.

Second, the government should publicly review the operation of Ireland's Mutual Legal Assistance Treaty (MLAT) with the United States.

The emails held in Dublin could have been legitimately accessed under that treaty - but US prosecutors argued that they should not have to follow that approach on the basis that it was too slow and cumbersome.

If this is true then the MLAT system should be reformed - if not, then the US courts should know that they have been misinformed.

Dr TJ McIntyre is a lecturer in the UCD Sutherland School of Law and chair of Digital Rights Ireland

Irish Independent

Today's news headlines, directly to your inbox every morning.

Don't Miss

Editor's Choice