Cyber Security and Emerging Threats Eimi Harris

Microsoft v. USA Part II: The Security Value of Cross-Border Data Transfers

In Part I of this article, I discussed the most recent ruling in the Microsoft v. USA case.


The Microsoft v. US ruling, at first glance, is self-contained: the Court of Appeals said the US government cannot force tech companies to hand over data stored in foreign data centres (even when handed a warrant under the Stored Communications Act); this is good for privacy and tech enthusiasts, but not so great for US law enforcement. But there is an underlying international current that merits attention.

One of the more interesting aspects of the initial Microsoft v. US case, was that the US government so strongly pursued unilateral action to get Microsoft’s Dublin-stored data. That data was held in a data server in a country that would have likely approved the US government’s request for that data had it been asked.

In a document submitted in the Microsoft v. USA case, Michael McDowell, the former Attorney General of Ireland, cited the 2001 US-Ireland Mutual Legal Assistance Treaty (MLAT). As McDowell wrote to the court, under the existing treaties, “refusal by Ireland to execute a proper request duly made for assistance from U.S. authorities is very uncommon.” So when Microsoft challenged the US warrant, why didn’t US law enforcement agencies, who had sufficient probable cause to request the data in question, go to Ireland directly?

Mutual legal assistance (MLA) requests, usually based on bilateral agreements, can be used to “gain lawful access to data that is subject to another state’s jurisdiction.” States make agreements with each other directly and engage with each other directly to request data relevant to law enforcement agencies outside their jurisdiction. Right now, MLAs are the predominant system for cross-border data transfers for law enforcement purposes, and that is a good thing. These engagements demonstrate digital respect for jurisdiction and foreign privacy (which is particularly important after the Snowden revelations in 2013).

Despite their best legal intentions, MLAs are currently not working. Transfers are not being fulfilled quickly enough under an inefficient system burdened by a growing number of MLA requests. That is not to say that transfers are not happening when absolutely necessary for national security matters. Microsoft’s general counsel Brad Smith pointed out that after the Charlie Hebdo attack, the French government’s request to Microsoft for email data stored in the US was processed through the US government and fulfilled within 45 minutes, but the number of requests made by governments overall are growing almost uncontrollably in states’ efforts to secure national security.

On July 19, 2016, Google reported receiving 12,523 US requests, 7,491 German requests, and 4,174 French requests within a six month period alone. The number of requests by the US over the past six months has already exceeded global requests made in 2009 (while not all of those may have required MLAs, this does speak to an overall increase in data requests). Belgium, in particular, has felt the effects of this request overload, citing the current legal system for data sharing as making it “difficult to detect and prevent plots such as the bombing of the Brussels airport earlier this year.”

MLA reform should be a priority (a good overview of suggested reforms can be found here), but if reform does not come quickly enough, governments trying to access data housed abroad for law enforcement and national security purposes may resort to behaviours that fragment internet governance efforts.

One such behaviour is a tendency to seek unilateral action through domestic recourse – much like the US acted within the Microsoft case. When confronting Microsoft with the warrant, the US government argued that its access to data should be determined by the nationality of the person whose information has been requested rather than the location of where the data is stored. Had the US successfully forced Microsoft to hand the data over, the data transfer would not have been proper or diplomatic. As the Appeals Court determined, the government’s interpretation would have gone beyond the intent of the US Stored Communication Act. Diplomatically, the transfer of data from Dublin to US law enforcement would have been viewed as a violation of foreign jurisdiction and, as many EU officials voiced, possibly EU law.

While the US government was overruled this time, there is no doubt that other countries, frustrated with the MLA process right now, may pursue similar paths in trying to access data stored in foreign locations. Add this to inclinations to introduce more data localization requirements for tech firms operating abroad (as mentioned in Part I), and we could see a fragmentation in international cyber-relations. Under the perception that data access for national security and law enforcement purposes would be easier if data were stored locally or were grabbed from other states through extraterritorial means, states will view data as a ‘grab-all,’ and cyber-relations could deteriorate as a result.

It is clear that, while the international MLA system is in flux, other agreements for data transfers must be made in the interim. The US-EU Privacy Shield, which the EU approved on July 8, is one step towards protecting consumer privacy among consumers’ data movement, but, as demonstrated by the Microsoft v. USA case, similar steps must be made in data movement for national security and law enforcement purposes.

A new proposal that addresses these concerns has recently been released. The US and UK have been discussing a bilateral agreement that would “remove barriers” for foreign governments trying to access information from US technology firms about their own citizens for the purpose of criminal investigations. The agreement highlights a number of safeguarding criteria to limit abuse of this access, including US challenge and veto rights. The US-UK cross-border data request proposal is still in the works and will depend on the US passing its own domestic legislation, but it could serve as a new model for other countries to follow with the US in its own data requests.

The US-UK proposal is not perfect, but it does seek to mend some of the inefficiencies of the MLA system today. Where data and national security intersect, it is of the utmost interest of states to work together to find a system that allows states to transfer data quickly and legally. If the imperative for data transfer is ignored, both internet governance and overall international security will be damaged in the long run by data localization and unilateral data grabs.


Photo: By Clockready via Wikimedia Commons. Licensed under CC BY 3.0

Disclaimer: Any views or opinions expressed in articles are solely those of the authors and do not necessarily represent the views of the NATO Association of Canada.

Eimi Harris
Eimi Harris is a student working towards her undergraduate degree in International Relations and Economics at the University of Toronto. Her main focus in international affairs is cybersecurity, particularly diplomatic relations and normative development in the cybersphere. On the side, she enjoys watching films and is also working towards her Cinema Studies degree.