Regulation of (Borderless) Data

The implications for the impending decision by the US Supreme Court in Microsoft v. US Justice Department

On 27 February 2018, the much-anticipated case between Microsoft and the US Justice Department about accessing customer data stored offshore reached the US Supreme Court. In what will test the applicability of privacy and data laws across borders, the Microsoft case is being closely watched because of its implications for privacy and surveillance in the digital age.

Much like commerce and trade, data – for the most part – exists and operates without reference to state borders.  This is not a controversial statement, but a reflection of the nature of digital economies in a highly globalised world.  But unlike commerce, trade or data – laws and regulations (for most part) exist with reference to clearly defined state borders. This sovereignty – or ability for states or countries to govern themselves – is a notion that is fiercely protected by all states.

How laws or regulations with their inherent rigidity and limitation to clearly defined borders effectively govern, what are essentially, borderless issues is becoming increasingly complex.  This complexity is exacerbated by the inability for laws to keep pace with rapid technological changes, such as the emergence of cloud computing (and storage), artificial intelligence, big data and tracking, and data analytics.  This fact was not lost on U.S. Supreme Court Justice Ruth Bader Ginsburg, who remarked during the hearing of the Microsoft case; “in, what was it, 1986, no one ever heard of clouds. This kind of storage didn’t exist.”

Companies that collect customer data rarely operate within one clearly defined border and must navigate an increasingly complex web of laws or regulations with which to comply with at any particular point in time. Case in point – the European Union’s General Data Protection Regulation (GDPR) – will apply to the processing of personal data of EU citizens regardless of whether the processing of the data takes place in the EU or not.  This raises some interesting challenges for the ‘self-determination’ of each state or country with respect to how companies within their borders are to manage customer data and privacy issues.

From a practical perspective, most companies that process the data of EU Citizens will likely aim to comply with the GDPR standards, irrespective of whether and to what extent they are enforceable on non-EU companies.  It would appear that compliance with foreign standards may be the more simple and pragmatic solution than trying to navigate the complex web of if’s, when’s and to what extent the GDPR will apply.

The Microsoft Case

The case dates back to 2013, when the U.S. Department of Justice issued a warrant to Microsoft to turn over data stored in its Irish data centre. Microsoft refused to turn over the data not located on the U.S. The company challenged whether a domestic warrant covered data stored abroad.  Microsoft succeeded before the United States Court of Appeal in January 2017, overturning lower courts, which had ruled in favour of the U.S. government.

Microsoft argues that the case has to do with digital privacy.  In an October 2017 blog post, Brad Smith, Microsoft’s Chief Legal Officer, wrote that Microsoft “believes[s] that peoples’ privacy rights should be protected by the laws of their own countries and we believe that information stored in the cloud should have the same protections as the paper stored in your desk.”

Microsoft and privacy advocates also argue that if the U.S. Supreme Court upholds the applicability of a domestic warrant in Ireland, countries around world could then insist that their legal process applies in other countries, and could ultimately compel companies to disclose the data in their data centres without regard for local privacy and data laws.  According to Gregory Nojeim, Senior Counsel and Director of the Freedom, Security and Technology Project at the Center for Democracy & Technology, it would “result in chaos”.

Other companies including IBM,, Apple, Verizon Communications and Google also filed court papers backing Microsoft.

Similarly, in the unusual step of filing an independent submission to the U.S. Supreme Court, the New Zealand’s Office of the Privacy Commissioner urged the U.S Supreme Court to uphold the principle against the applicability of domestic laws in another country.  The Privacy Commissioner stated that if the U.S. were to execute a search warrant in NZ, it would be in violation of the country’s privacy laws.

If the U.S. Supreme Court decides the case in favour of Microsoft, the U.S. government could still gain access data held overseas – albeit through a more cumbersome and longer process. The U.S. Congress will likely address the issue through a bill introduced this year called the CLOUD Act, which will authorise cross-border data warrants with countries that meet certain privacy standards and individual rights.

Either way, the Microsoft case has global implications for data and privacy – so watch this space!