Cloud privacy – significant developments

There were two significant developments last week for the privacy in the cloud:

  1. The European Commission endorsed the EU-US Privacy Shield, which will replace the earlier Safe Harbor scheme that had been found wanting by the European Court of Justice in the Schrems decision.
  2. The 2nd Circuit Court of Appeals in the US decided that a warrant issued under the Stored Communications Act did not require Microsoft to produce the contents of a particular subscriber’s stored emails that were held on servers located in Ireland.

Both of these developments concern the circumstances in which US law enforcement and national security agencies should be entitled to obtain access to personal data held within Europe by US headquartered online service providers.

A key reason given by the European Court of Justice for finding that the European Commission’s decision to approve the Safe Harbor scheme was invalid was that the Commission had failed to consider whether the US “ensures, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order”. In order to overcome this criticism, the Commission’s reasons for approving the Privacy Shield arrangements contain a lengthy discussion of the practices of US national security agencies in monitoring communications involving non-US citizens, and the relevant legal framework authorising and controlling such activities. Ultimately, the Commission’s assessment is that sufficient safeguards are in place so as to conform with the standard set out in the Schrems judgment. The Shield framework recognises that the laws on both sides of the Atlantic may change from time to time, so there will be a joint annual review of the Shield arrangements. To support transparency of that review, US businesses that choose to self-certify under the Shield are permitted to voluntarily issue periodic transparency reports on the number of requests for personal information they receive by public authorities for law enforcement or national security reasons. These kinds of transparency reports have become fairly common for large providers of cloud based communications services.

The Microsoft case was ultimately decided on a technical legal point – namely the difference between a “warrant” and an “administrative subpoena”. The court held that a warrant is a directive subject to territorial limitations – authorising the seizure of items within a jurisdiction. An administrative subpoena, on the other hand, requires the recipient to produce documents to a specified location within a jurisdiction, provided those documents are under the control of the recipient and irrespective of the location of those documents. The instrument in question in this case was a “warrant” and the court found no Congressional intent to apply the legislation extraterritorially. The result is that US law enforcement authorities will now be required to rely on the Mutual Legal Assistance Treaty process, instead of warrants issued under the Stored Communications Act, in order to obtain access to the content of recent emails (ie less than 180 days old) stored on servers located outside the US. There is no doubt that the MLAT process is far more cumbersome for law enforcement agencies to invoke. Media reports suggest that the US Department of Justice is in discussions with some jurisdictions on methods to streamline those procedures. One of the members of the court in the Microsoft case wrote separate reasons in which he emphasised “the need for congressional action to revise a badly outdated law”.

If the US Congress amended the Stored Communications Act warrant laws, that would trigger an adequacy review by the European Commission which could affect the Shield arrangements.