The U.S. Supreme Court on April 17 dismissed a Justice Department suit to compel Microsoft Corp. to turn over email information held at an Irish datacenter, effectively sidestepping the issue of how U.S. laws on electronic communications apply to offshore data. The decision was the result of a new law enacted last month.
But the larger issue of what happens when a company is ordered to violate the laws or regulations of another country remains to be answered. In an increasingly global, information-based economy, this is an issue that eventually must be addressed. Standards for data privacy and for the protection of personal data are much higher in Europe than in the United States, and court orders could put companies doing business in Europe at risk under the General Data Protection Regulation (GDPR) that goes into effect in the European Union next month.
At issue in United States v. Microsoft was an email account believed to have been used in drug trafficking. A warrant was issued under the U.S. Stored Communications Act, but a federal appeals court agreed with Microsoft that the law did not apply to overseas data. The Supreme Court agreed to decide whether “a U. S. provider of e-mail services must disclose to the Government electronic communications within its control even if the provider stores the communications abroad.”
Congress rendered the case moot by passing the Clarifying Lawful Overseas Use of Data Act as part of the appropriations bill passed in March. This law specifies that demands for information apply even when it is held outside the United States. A new warrant was issued under the new law and the old warrant—along with the legal dispute—was dismissed.
The Supreme Court avoids ruling on issues whenever it can and crafts its decisions as narrowly as possible, and rightly so. As the court of last resort, the less it does the less chance there is of far-reaching unintended consequences. But some questions return to be answered, and unless Congress deals with the issue of foreign data privacy laws and regulations, the question of how to deal with international data will have to be answered by the courts.
For many American organizations the GDPR is the most significant foreign privacy law they will have to deal with. The European Commission weighed in on the Microsoft case last year in a friend-of-the-court brief advising the U.S. Supreme Court that it should consider restrictions of international law when deciding the case.
“In the European Union, the protection of personal data is a fundamental right,” the commission wrote in its brief. It affirmed the EU’s “commitment to international law enforcement cooperation between it and the United States.” But the GDPR provides that orders to remove data to a third country such as the U.S. “may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State.”
A company such as Microsoft that turns over data under a court order still is responsible to the EU for how the data is handled. Without domestic laws or an agreement that adequately addresses GDPR requirements, companies doing business in both the United States and the EU could find themselves subject to conflicting legal requirements. This is not an insignificant consideration, given that serious violations of the GDPR are subject to fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher.
This is just one more reason why Congress should get serious about the protection of privacy and personal data. It has been reluctant to do so in the belief that Internet companies cannot or should not be regulated. But they already are being regulated overseas, and this is a chance for the United States to protect both U.S. companies and citizens by getting in step with Europe and the rest of the world.