US interception in the EU faces new legal challenges

US government orders against Microsoft to hand over email data 'infringes privacy legislation' in other countries

New legal challenges have been made to the legality of US interception of email and internet communications in the UK and Europe.

The Center for Democracy and Technology (CDT), a non-profit organisation in the US, has lodged a legal claim challenging the US government’s ability to order social media companies to intercept data in the EU.

The move deals a further blow to the US argument that interception by social media companies is legal outside the United States.

It comes amid mounting concerns from US businesses and manufacturers that the US government’s collection of private and commercial data is deterring businesses and consumers from using US cloud service providers. 

Last year’s revelations by Edward Snowden, the National Security Agency (NSA) whistleblower, have led to controversy by exposing  the extent US government requests for email and communications data from social media companies.

But, while Snowden revealed US social media companies can be ordered to release data held on their US servers to the NSA, the American government is being challenged over its use of criminal warrants to secure data held outside the US.

The CDT has filed a document in the US court for the Southern District of New York.

It supports Microsoft in its appeal against a ruling that the company must obey a US warrant and hand over customer email data stored in its Dublin cloud datacentre.

CDT made its submission as an amicus curiae brief, in which an uninvolved third party brings relevant information to bear on a case of broad legal principle.

No legal foundation

The group argues that the order requiring Microsoft to hand over data from its Dublin data centre has no legal foundation, and that affording extraterritorial reach to US warrants violates fundamental principles of international co-oporation. 

More on privacy

  • Customer data privacy detracts from merits of geofencing
  • Most mobile apps fail on privacy, warns ICO
  • Apple tightens privacy rules for health apps
  • Microsoft, rivals challenge U.S. government over cloud data privacy
  • Location-based mobile management raises employee privacy concerns

“There is no basis in law for the extraordinary result sought by the United States," says the group.

US is “infringing privacy legislation”

The US government’s position is arbitrary and designed to infringe privacy legislation in other countries, the CDT argues, citing an earlier US Supreme Court case.

“Here, the government again attempts to leverage a significant real-world difference between physical evidence and electronic data... to expand its authority and diminish privacy protection – to extend warrants extraterritorially and circumvent the laws of the nation in which the data is stored.”

Surveillance undermines cloud services 

Other organisations submitting legal arguments alongside the Center for Democracy and Technology include the Chamber of Commerce of the United States, the National Association of Manufacturers and the Software Alliance.

The groups are trade organisations whose members hold data on cloud servers and who believe they hold an interest in the case.

Their submission states that the beneficial economic and societal uses of cloud computing would be undermined by infringements of privacy relating to the data stored.

They claim that business and individual users will spurn cloud technology if their data is held by providers who are liable to pass it to government agencies.

Mutual Legal Assistance Treaties – the correct approach

The Center for Democracy and Technology argues that the correct way for governments to access the data of foreign nationals is to make a formal request to the foreign government in question, rather than to order US technology companies such as Microsoft to intercept it.

“The US government itself has recognised the need to respect the laws of other nations when it seeks evidence located in their borders. That is why the United States has entered into Mutual Legal Assistance Treaties (MLATs), which provide a means of obtaining another country’s assistance in gaining access to data stored in that country – including evidence in criminal and related matters.”

Questions raised over security of Parliamentary data

The Microsoft case is likely to have implications for reassurances made by William Hague in September, over the security of UK parliamentary data, following  Parliament’s decision to use Microsoft’s cloud services for Parliamentary data.

Hague indicated the storage of the data, which is likely to include sensitive emails, files and correspondence from MPs and ministers, within the EU would ensure that Microsoft, which owns Office 365, would not be liable to demands from the US government.

“The relevant servers are situated in the Republic of Ireland and the Netherlands, both being territories covered by the EC Data Protection Directive," he said.

Hague said the proper way for the US government to access such data would be through a direct request to the UK government.

"Any access by US authorities to such data would have to be by way of mutual legal assistance arrangements with those countries,” said Hague.

Privacy violations 

CDT believes that, if the US government is successful in enforcing its warrant against Microsoft, the public will lose trust in US technology companies, particularly in Europe, where citizens enjoy greater privacy rights.

Memories of Nazi data abuses had a significant impact on the development of European privacy legislation, the CDT argues.

“The ‘extensive accumulation of personal data by the Nazi regime’ is one example of the ‘abuse in recent history of private and personal information’ that has supported European vigilance in protecting personal privacy and resisting state intrusions into private life’.”

Pressure groups warn Microsoft of breach of Irish law

A separate amicus brief was lodged on Monday by Digital Rights Ireland (DRI), in conjunction with UK civil rights organisations Liberty and the Open Rights Group. 

DRI argues that the US warrant against Microsoft  would violate Irish law, were Microsoft to release the data. They also argue that only the MLAT approach ensures the protection of internationally held data.

“We say that requests for data held in Ireland should be made through the Mutual Legal Assistance Treaty system between the US and Ireland in a way which would ensure compliance with Irish law. In short, we argue that the US should not unilaterally assert jurisdiction over the personal information of foreigners held abroad.”

Read more on Network security strategy