Data Privacy and Microsoft Score Victory

Data privacy and the governance of personal or business data are challenging to manage in today’s global landscape. Users generally entrust their data to third parties (i.e. Internet Service Providers), and the level of privacy they should expect has caused much debate. Further complicating data sovereignty concerns, world governments apply their own interpretations of privacy laws. As a result, there is often confusion and overreach during investigations where data is stored on other countries’ servers.

In what has been referred to as a landmark decision, an appellate court ruled this July that the US government could not obtain personal data held overseas by issuing a domestic warrant.

Case Overview

Back in 2014, a US judge ruled that Microsoft must hand over the messages of a suspected drug trafficker to the US government. This was a decision that upset many. The e-mails in question were stored on a Microsoft server in a data center in Ireland. Many were under the impression that the e-mails would have been protected by European privacy regulations.

Several technology companies, including AT&T, Apple, Cisco and Verizon, submitted court briefs in support of Microsoft as it appealed the 2014 ruling. This July, Microsoft won its appeal. The court decided that the US government could not obtain personal data held overseas by issuing a domestic warrant.

Microsoft’s Position

Microsoft has argued that giving the U.S. government access to data stored overseas could have alarming consequences for the rapidly growing cloud technology sector. The concern was raised that this may push international clients to avoid US cloud providers. Government and highly regulated industries have avoided the cloud and will likely continue to do so. US cloud providers could potentially lose billions of dollars in revenue to foreign competitors if customers fear their data is subject to seizure.

Microsoft was, of course, pleased with the overturning of the 2014 decision: “This decision provides a major victory for the protection of people’s privacy rights under their own laws rather than the reach of foreign governments.” It’s important to note they weren’t the only happy ones. Microsoft had the support of 28 technology and media companies, 23 trade associations and advocacy groups, and 35 of the nation’s leading computer scientists. Of course, they also have the support of the government of Ireland itself.

Microsoft, along with several others, supports a proposed bipartisan solution called the International Communications Privacy Act (ICPA), which would address the modern reality of cloud computing while safeguarding both privacy and public safety. It suggests that in this increasingly connected digital age, your information should be protected by the laws of the country you are exclusively operating in. The hope is that if the ICPA is enforced, data would be protected in the following ways:

  • Privacy rules would be followed according to the country where a user resides or has citizenship
  • Legal protections of the physical world would apply similarly in the digital domain
  • Better solutions would be available to address privacy and law enforcement needs

Things to Consider

This is very likely not the end, but just the beginning of data privacy negotiations. Since there is such a fine line between data privacy and national security, we are sure to see the government appeal this decision. It’s also likely that a call will be made to Congress to update and clearly define data privacy laws.

As it currently stands, data knows no borders and the lack of official regulation has caused this imbalance of national security vs. data privacy. Modernized laws will be required to navigate this complicated landscape.

In the meantime, the U.S. and Britain are already negotiating a communication agreement. The proposed agreement would allow both partners to directly serve companies with wiretap orders and warrants. Both parties are looking to intercept real-time communications and collect stored communications. But neither country has announced a formal agreement yet.

In response, IT companies have turned to data localization policies as a form of risk management. Data localization is the practice of storing user data in a data center that is physically situated in the same country where the data originated. Local or private cloud solutions may also help appease business concerns, but will come with an increased cost to businesses. If strict localization laws are implemented, they could potentially affect any business that uses the Internet (including social media and mobile communications).

Navigating the complex consequences of such regulations, strategies, and laws will likely make headlines for years to come. Business owners should always remain proactive in protecting their data. Internet consumption results in constant data transfers, cloud migrations, and connectivity through IoT (Internet-of-Things). The protection and integrity of privacy should be every user and business owner’s concern.