Microsoft v US Department of Justice: an important result for privacy

By Guy Cohen - July 21, 2016

Microsoft has won its appeal against the Department of justice in the 2nd US Circuit Court of Appeals in New York on July 14th, 2016. The following post explains what the case is about, discusses the implications and offers a view about achieving utility from data without sacrificing privacy.

What’s this about?

In this specific situation, the US Department of Justice (DOJ) wanted access to data for a drug trafficking investigation which was in Microsoft’s data warehouse in Ireland. The DOJ claimed that because Microsoft had control of the data they had to comply with a warrant for the data, and initially a New York court agreed, basing the decision on a US law which pre-dated the World Wide Web.

Microsoft argued that warrants are only valid in the country that issues them, and so didn’t apply to the data in Ireland, and a warrant from the Irish authorities would be needed. To be clear, that was, and remains, an option for the DOJ. If they were to make a request to the Irish authorities, through what is known as the Mutual Legal Assistance Treaty (MLAT), then the Irish authorities would issue a warrant (although they don’t always have to, for instance, if the offence being investigated isn’t a crime in both countries). However, the US finds this process too slow.

Microsoft argue that the principle is important; would the US want Microsoft to allow China to request any data they wanted and Microsoft held on US citizens without asking the US Government?

But the implications for their EU operations are likely to have also been on Microsoft’s mind. 

What are the implications?

This is one of many ongoing battles in the war between the EU and the US over data protection, with technology companies caught in the middle. In the most simplistic terms possible, US law enforcement wants more powers to look at EU citizen’s data than the EU is comfortable to grant.

What exactly it means for the Privacy Shield negotiations is hard to say. Had the DOJ won, it would have made the Privacy Shield programme pointless. If Safe Harbour was struck down because it didn’t prevent the NSA from snooping on EU citizen’s data indiscriminately when the data was transferred to the EU, then what would be the point of having the law at all if the US government (or indeed any government) could snoop on the data when it was ‘safe’ in the EU?

[Author's note: It should be noted that there's a bit of hand waving here, a warrant from the FBI or another investigatory agency is not the same as bulk electronic interference as carried out by intelligence agencies. One is directed based on reasonable suspicion, which the EU allows, while the other is not. However, it could have led to technology companies having to choose whose law they wanted to break.]

Another effect is that the ruling may encourage US companies to keep EU data in the EU and avoid transatlantic data transfers altogether, meaning the need for Privacy Shield decreases somewhat.

Amazon announced late last year it would be building a data centre in the UK, having opened one in Frankfurt in 2014. Microsoft similarly is currently building two data centres in the UK. Finally, Facebook also announced they would be building a second data centre in Ireland earlier this year. This is partially about marginally faster speeds, but data privacy and hedging bets around the DOJ v. Microsoft case and Privacy Shield will certainly be a factor.

These projects would have been harmed had the DOJ won their case, but Microsoft’s victory may now encourage other companies to follow the tech giants example. Although building data centres is an expensive past-time, and many smaller companies may not have the scale to make this an option, so this certainly doesn’t mean Privacy Shield is irrelevant. In addition to which, this isn’t the end of the process.

What happens next?

For the DOJ v. Microsoft case the next step is waiting to see if the DOJ want to appeal the decision, if so the case will likely be taken up by the Supreme Court. In the long run though both Microsoft and the DOJ agree there’s a need for legislative direction. The laws being discussed are outdated and unfit for the internet age where international data transfers are critical to the modern economy.

Taking data out of scope of regulation

Whether it be Privacy Shield, the GDPR or the DOJ v. Microsoft, the focus is on how personal data should be protected and what can be done with it. Data centres are built, regulations are drafted and lengthy court cases expensively pursued to flesh out how our personal data is controlled and processed. The debates are about law and principle and the process are important and absolutely necessary.

However, a different way of viewing the problem is not to say what laws do we need to move this data, but instead, what utility is there from the data we need to move? Often the value of data can be de-coupled from the elements which make it identifiable, so that the bits of data with utility can be safely moved and used without entering into the world of data protection.

This isn’t always possible; sometimes operational systems require identifiable data. However, we see plenty of examples where using our privacy enhancing technology we’re able to reveal the utility in the data in a way that shields the identifying attributes, effectively taking it out of scope of data protection regulation. 

Guy Cohen
In addition to his work at Privitar developing research, policy and strategy, he is also a fellow at the University of Cambridge Centre for Science and Policy. Before joining Privitar, Guy worked in various roles in the Civil Service, in Cabinet Office, the Department of Health and HMRC.