Is Information Held on an Irish Cloud in the U.S. Jurisdiction?

9/7 Microsoft Case Ireland Department of Justice
An advertisement for Windows 10 is seen in London's Canary Wharf financial district July 29. A U.S. court on September 9 will test whether Microsoft was right to resist handing over emails, the author writes. Russell Boyce/Reuters

Could one court case, one decision by a judge in a U.S. district court, open U.S. manufacturers and companies to global discrimination, lost sales and threaten Americans' rights? Yes, and that case is Microsoft v. United States.

In short, the U.S. government is attempting a substantial overreach by accessing private customer data, stored outside the United States, without following proper procedure.

This case, to be heard September 9 at the U.S. Court of Appeals for the Second Circuit, is not just about manufacturing and business, it's also about protecting Congressional limits on government authority and privacy rights.

Should the Department of Justice prevail, foreign countries would be empowered in their attempts to seize Americans' personal data held here in the United States. This exposes all Americans to a potential unwarranted invasion of their private information.

Newsweek subscription offers >

This overreach by the Department of Justice has led to a level of mistrust of U.S. companies by foreign customers and opened U.S. companies up to retaliation. In response, some foreign governments have initiated data localization requirements and other countries are moving toward limiting U.S. companies from providing services to their citizens.

The effect is to shut American businesses out from the marketplace. In addition, foreign customers are often simply choosing not to do business with U.S. companies due to the perception that any information shared with U.S. companies will be shared with the U.S. government. If this perception is not changed, it has the potential to impact U.S. companies' future overseas growth opportunities dramatically.

This all comes at a time when many foreign companies are already concerned that contracting with U.S. companies will leave them more vulnerable to National Security Agency information gathering. This is unacceptable. The Manufacturers' Center for Legal Action (MCLA) filed an amicus brief in the 2nd Circuit, urging that the lower court's ruling be overturned.

This case began when U.S. law enforcement, while conducting a narcotics investigation, sent a search warrant ordering Microsoft to turn over customer e-mails of a non-U.S. citizen stored in a data center located in Ireland.

Newsweek subscription offers >

Microsoft challenged the warrant at the trial level arguing that the Electronic Communications Privacy Act (ECPA) does not expressly authorize such an extraterritorial action. The district court ruled in favor of the government despite legal precedent which states that statutes do not apply abroad unless expressly stated otherwise.

The district court held that Microsoft should provide the government with the data because the "Fourth Amendment moment" doesn't actually occur until the record is "handed over" to the government, which they believe will happen within the United States. Said another way, the court's argument is that there is no search and seizure occurring when the information is retrieved, and thus no law enforcement activity abroad.

Since there is no law enforcement authority abroad, then no extraterritorial act occurred which would infringe on Irish sovereignty and violate the legal precedent that statutes do not apply abroad unless expressly stated otherwise.

Furthermore, warrants to search private records are a function of the U.S. legal system, but have no application in foreign countries. Instead, the government must go through the mutual legal assistance treaty and collaborate with foreign governments to access private information stored abroad. Here, the government has tried to bypass these procedural steps by claiming that e-mails stored in the cloud are no longer private, but become business records of the company that owns the cloud server.

The government has adopted this strategy because business records have less legal protection than private records. The records in question are private e-mails in a password-protected account.

Despite the change in technology, the same high level of legal protection should apply to private digital records as it does to paper records. The Supreme Court recently reiterated in Riley v. California that any data on a cell phone requires a warrant for police to access, regardless of whether that data is saved in the cloud, in online servers managed by a hosting company, or on the phone's internal hard drive.

We all understand the need for digital cooperation and data sharing with law enforcement to make Americans safer. However, the government has an obligation to respect borders and treaties, and follow established procedure without seeking to stretch its statutory authority in a way Congress never intended and certainly did not authorize by statute.

The MCLA will continue to fight to uphold the proper application of the law and to promote balanced and reasonable resolution through the courts.

Patrick Forrest is the vice president and deputy general counsel for the National Association of Manufacturers (NAM). As part of the Manufacturers' Center for Legal Action, Forrest works to strengthen the NAM's ability to promote manufacturing policy objectives through litigation.

Is Information Held on an Irish Cloud in the U.S. Jurisdiction? | Opinion