A future United States Supreme Court decision could drastically change the future of cloud computing. Companies based in the US could be required to hand over to law enforcement certain data that is stored on foreign servers. Under these circumstances, U.S. based organizations might not be able to provide many cloud computing services to foreign countries.
The Congress of the United States has had hearings on changing the law that would be under review. Nonetheless, the law remains unchanged. If the Supreme Court rules that the data could be handed over, uncertainty would exist over if and when the law would change, and what the actual content of a new law might be. Of course, the new law would be still subject to more interpretation and litigation.
The Legal Situation
In 2013 Microsoft was issued a warrant, as part of a United States federal drug trafficking case, to turn over email stored in Ireland. Federal prosecutors said they had the right to the emails because Microsoft is based in the United States. Microsoft argued that it was not compelled to produce data stored in servers outside of the United States. They also argued that it would be a violation of the laws in the foreign country to hand over those emails.
The law underlying the dispute is the Stored Communications Act of 1986 which predates the modern Internet. The particular section under dispute is Section 2703 which defines "electronic communication service" and "remote computing service" for the purposes of compelling an ISP to disclose the information of a customer or subscriber.
Microsoft challenged the warrant and lost in the federal district court for the Southern District of New York. Microsoft appealed the decision to the Second Circuit Court of Appeals and the court invalidated the warrant. In a divided opinion the full Appeals Court refused to rehear the case. The opinion that wanted a re-hearing decried the restriction on an investigative tool without any "serious, legitimate, or substantial privacy interest." This opinion argued that it was a business decision of Microsoft to store data abroad, but that has no bearing on their obligations under U.S. law.
The Department of Justice appealed to the Supreme Court. They agreed to take the case in October 2017.
The dissenting opinion of the four appeals court justices is not the only opinion that sees nothing wrong with the current law. On Feb 3, 2017 a federal magistrate issued an opinion to require Google to hand over emails stored in a foreign country. The magistrate explicitly disagreed with the reasoning of the original Second Circuit decision.
The U.S. Congress
Since the Stored Communications Act of 1986 is legislation created by the United States Congress, it has the power to revise or replace the law. Last year, both branches of Congress, the House and Senate, held hearings on revising the Stored Communications Act of 1986, but no legislation has been passed.
Support for Microsoft
In May of this year, the European Union General Data Protection Regulation goes into effect. Both Microsoft and Google could be in the position of being caught between conflicting demands for privacy and criminal investigation subject to different rules in different legal domains. Large penalties could result for failure to comply.
Over twenty three amicus briefs have been filed in support of Microsoft, including ones submitted by European Union legislators and legal experts, as well as members of the US Congress. The signatories to the briefs include US and European lawmakers, technology companies (including Google, Apple, Facebook, and Amazon), trade groups, advocacy groups, media organizations, academics, scientists and, lawyers.
To give you an idea of how diverse this group is, both Fox News and the American Civil Liberties Union are on the list. The presence of many non-U.S. groups indicates the international ramifications.
The European Commission said that it would submit an amicus brief so that the EU data protection rules are understood by the U.S. Supreme Court. It indicated that the brief would not be in support of either party.
The Problem for the Supreme Court
The court here has to apply a law based on the state of technology over 30 years ago to modern technology. Either they can apply the law as it was originally written, or adapt the principles of the existing law to the new situation. The problem with the former approach is that the new issues that have arisen are ignored. Examples of such issues are the applicability of extraterritoriality to non-physical objects such as data, or does it even make sense to talk about cloud data being located anywhere. Under the current Second Court of Appeals ruling in the Microsoft case, it would require a Mutual Legal Assistance Treaty between a nation and the United States in order to obtain data stored by a U.S. corporation in that country, even if both the victim and the defendant are citizens of the United States, and the crime occurred in the United States. Some countries could set up data havens similar to currently existing financial and tax havens.
Legal scholars have debated these issues, but so far the courts have not addressed them. A historical parallel to the current situation is wiretaps. It took 40 years for the Supreme Court to apply the Fourth Amendment of the United States to non-physical trespass, and declare warrantless wiretaps an unreasonable search. The pace of technological change is far greater today than in 1928.
The Microsoft case is a reminder that the world of software does not exist in a social vacuum.