Under the terms of a new deal, a Deutsche Telekom subsidiary will hold Microsoft customer data in “trust” in Germany, thus putting it out of reach of US government subpoenas
As the world eagerly awaits the ruling of a court in New York over a dispute involving data hosted on servers in Ireland,Microsoft seems to have pulled out a wild card and shifted the focus of the debate to Germany. In a shrewd manoeuvre announced on November 11, the US-based-software giant unveiled a bold new plan that will enable foreign customers to store their data at data centre facilities located in Germany and operated by T-Systems, which is a subsidiary of Deutsche Telekom.
In essence, T-Systems will be acting as a ‘trustee’ of the facilities with Microsoft employees not having access to the data stored there without the consent of the German company. This arrangement aims to put the data of Microsoft’s European customers outside the reach of the US government and its intelligence agencies.
The announcement comes at a critical juncture in the international discourse on data protection. In the aftermath of the Snowden revelations in 2013, there has been pressure exerted on tech groups and cloud-computing firms such as Microsoft, Apple and Google to shield the data stored in their facilities from the National Security Agency (NSA’s) extensive surveillance measures. For the past year, Microsoft has been locked in a legal battle with the United States government over the validity of a warrant compelling the company to disclose data stored on a Microsoft server in Ireland. Earlier this month, the European Court of Justice (ECJ) invalidated the ‘Safe Harbour Agreement’ between the European Union and the US, which allowed US-based companies to transfer data held on their European servers to servers located in the United States.
Ring-fencing the data
The ‘data trustee’ model is, therefore, yet another landmark in the evolution of the legal framework on cross-border data protection and could play a crucial role in determining its trajectory in the months to come.
An international legal framework governing the use of cyberspace needs to grapple with a staggering dichotomy. The Westphalian world order was founded – and continues to thrive – on a conception of physical borders between nations while the phenomenon of cyberspace is essentially borderless. While the advent of the Internet has posed challenges to traditional conceptions of sovereignty, dismantling the construct entirely and moving towards a world without borders will lead to utter chaos. Consequently, the most significant rights conferred on states by international law are that of territorial integrity and political independence. The state has an absolute right to enforce its jurisdiction within the confines of its territory. Beyond its territory, the state may only exercise jurisdiction if the act in question could potentially have impacts within its territory (the Effects Doctrine) or to regulate the behaviour of its nationals. However, extra-territorial jurisdiction may not be exercised if it subverts the laws of the state whose territory it is operating in.
In order to undertake trans-border criminal investigations that are compatible with the doctrines of international law, states sign Mutual Legal Assistance Treaties (MLATs), whereby governments seeking data request the assistance of the government of the country in which the data is located. However, MLATs have been considered inadequate in situations where a criminal investigation needs expeditious gathering of data as the acquisition of data is conditional on the government of the host country galvanizing its administrative machinery for the purpose. For instance, in the present case, despite an MLAT between the US and Germany the acquisition of data stored on T-System’s data centre facilities can only be done through the production of a German warrant.
The US has been trying to avoid the tedious process of an MLAT by seeking a positive ruling in the ongoing Microsoft (Ireland) case. In April 2014, a New York district court judge held that Microsoft, by virtue of being an entity incorporated in the US, was obliged to turn over the contents of e-mails stored in Hotmail servers in Ireland as per a warrant issued under the Stored Communications Act (SCA.) Microsoft challenged this ruling in the Court of Appeals in the Second Circuit. The court heard oral arguments in September but the verdict is still pending. Both sides have thus far conceded that the statute is silent on the question of extra-territorial application and argue that this vacuum should tilt the outcome in their favour.
Microsoft’s attorney, Joshua Rosenkranz is more accurate than his counterpart. The United States Supreme Court clearly stated in Morrisson v Australian National Bank that ‘ When a statute has no indication of an extra-territorial application, it has none.” In United States v Verdugo-Urquidez, Justice Stevens clearly stated that American magistrates have no power to authorise such searches and seizures of property outside the US. The SCA does not detail the procedure for issuing a warrant under the act but states that the procedure laid down in the Federal Rules of Criminal Procedure must be followed. Rule 41 of the said rules do not confer a right to seize property that is located outside the United States. As Rule 41(b) (5) expressly allows warrants for seizure of property inside the US, we can presume that the absence of extra-territorial authority signifies its intended exclusion.
The district court judge who upheld the warrant recognised these principles but offered two bizarre reasons for ignoring them. First, he argued that a warrant issued under the SCA (based on a hitherto uncovered reading of the statute) was a hybrid warrant – which was obtained like a search warrant but issued as a subpoena on the company located within the United States. Such a reading is a convenient diversion as the judge seeks to use all the powers of a search warrant such as appropriation of data without notice to target but excludes the geographic limitations of serving a warrant contained within the statute. Second, he claimed that the question of extra-territoriality does not arise because the search or seizure would take place only in the United States where the data is examined. Apart from being logically unsound as the data would be seized in Ireland, this view directly contradicts the ruling of the Second Circuit Court in United States v Ganias, which stated explicitly that the act of copying electronic files constitutes a seizure even before the copied files are examined.
Microsoft’s ‘data trustee model’ is a safeguard in case the Court of Appeals also chooses to endorse such views. As Microsoft itself does not have access to the data stored in these facilities, they cannot disclose it to the US government even if a subpoena is served on them. Obtaining this data without the consent of their German trustee would amount to a violation of German law.
Microsoft should also be commended for the astute timing of this move as it comes soon after the invalidation of the Safe-Harbour agreement by the European Court of Justice on grounds of it being incompatible with the EU’s existing Data Protection Directive. The Safe-Harbour agreement enabled the free flow of data between the EU and US as long as the organisation responsible for this transfer certified their compliance with the seven principles mentioned in it and essentially displayed an ability to provide the same data protection standards in the EU.
While rejecting this arrangement, the ECJ stressed on the fact that the US would necessarily disregard such principles in a situation where they came into conflict with national security. They also pointed out that this agreement provides for no judicial or administrative means of redress. The ongoing negotiations for a new Safe-Harbour agreement between the EU and the US will undergo a cataclysmic shift with Microsoft’s new move, particularly if other firms also start following this model.
Robust data framework
For this trustee model to work, the country in which the data is being hosted must have a robust data protection framework within its domestic law. Despite being in its nascent stages and hardly as elaborate as its EU counterpart, the Indian legal framework might be adequately able to facilitate such a model.
The constitutional roots of data protection lie in an individual’s right to privacy. In a catena of decisions, the Supreme Court has upheld an individual’s right to privacy as a fundamental right. While the concept of data protection was not recognised by the Information Technologies (IT) Act when it came into force in 2000, the 2008 Amendment penalised unauthorised access, downloading, copying and extracting of data stored on computer systems under Section 43. Section 69 lists broad grounds on which the government may intercept or monitor personal data. The IT Act applies to non-citizens who violate its provisions if the effects of their actions impact computer networks located in India.
Looking forward, India should evolve a more comprehensive data protection regime which classifies data into categories and lays down specific parameters for its collection and storage. With many foreign businesses looking to engage with India through outsourcing, the evolution of this regime along with the incorporation of a ‘data trustee’ model could be crucial for India’s economic and digital future.
History has been witness to many instances of nations seeking to impose their writ beyond the confines of their territory. Almost all these instances have led to disastrous consequences such as war or famine. The US is attempting to do much the same to retrieve data stored overseas, which makes it imperative for the international community to restrict such attempts. Microsoft’s data trustee model deals a crucial blow to the US government in the ongoing tussle. It almost renders the pending case in the Court of Appeals irrelevant. Undoubtedly, the US government will look to respond to this model by enacting legislation that mitigates its impact. The decision of the Second Circuit Court may also account for it in its ruling. Microsoft’s move may likely prompt the US government to negotiate the streamlining of the MLAT process with other countries.
Till such developments, however, Microsoft has scored a major victory for both international law and the right to privacy. If other tech firms follow suit, this manoeuvre could herald a new era for privacy rights and the Internet.
Arindrajit Basu is a researcher with ORF’s Cyber Initiative