Time for action on data security

A recent Microsoft case in the US highlights the lack of clarity over data security, and European businesses need to take note.

In late April, the US authorities issued, via a New York court, a search warrant to Microsoft seeking the release of emails and data belonging to one of its customers, even though the account was hosted on an Irish server.

Judge James Francis, who ordered the release, commented that the warrant was legitimate because it was comparable to traditional warrants issued for documents. But the European Commission (EC) doesn’t agree. The spokeswoman for justice, fundamental rights and citizenship, Mina Andreeva, confirmed the EC’s position by saying that any access to data outside of existing agreements was unacceptable.

The warrant exposes once more the rock-and-a-hard-place position that those with European operations can find themselves in when dealing with the competing pressures of EU data protection laws and the demands of overseas law enforcement. As the ECJ’s decision in the recent ‘Google – Right to be Forgotten’ case showed, courts on each side of the Atlantic are capable of claiming jurisdiction over the use of data which takes place thousands of miles away.

The Microsoft case also potentially signals the start of an interesting chapter in the ongoing post-PRISM (the US Government electronic surveillance programme) debate about the relationship between those undertaking surveillance and the internet/technology giants.

The fact that a major provider such as Microsoft deliberately and publicly challenged the search warrant is notable. It signals a new era in which cloud and other service providers will not meekly give in to demands to release data. Those who are not willing to take this approach may have to spin their PR message harder to explain why not, particularly to European customers.

Maybe Judge Francis just likes to stir things up a bit? Or maybe he’s highlighting a big underlying problem: the disconnect between the legal and law enforcement system of the jurisdiction which, to date, has parented the majority of the digital world in which we live, and the laws of the 95 plus countries around the globe which now have data privacy legislation.

After whistle-blower Edward Snowden’s revelations, US cloud service providers are having to pedal hard to maintain customer confidence. The last thing these companies need is an extended period of uncertainty about what rights of access US law enforcement should have to European data. Instead, they need clear bilateral agreements and frameworks against which they can reassure their customers.

It’s now up to both the EC and US authorities to support this with clear agreements and consistent actions. European businesses can help themselves too. Firstly, by reviewing their policies, contracts and staff/customer information packs, so as to maximise their chances of being able to argue that they have met their customer and staff knowledge/consent obligations if they share data with law enforcement agencies.

Secondly, by lobbying European lawmakers to ensure that the data protection and cyber security legislative packages which will be re-examined after the European elections are clear and practical. As the law currently stands, companies which receive demands to disclose data to non-EU law enforcement agencies, or in the course of overseas litigation, can be placed in a tricky position.

James Mullock, digital business partner, Osborne Clarke