U.S. Microsoft Ireland case shows need for privacy safeguards in cross-border access to data

Today the U.S. Supreme Court heard arguments in Microsoft Corp. v. U.S., also known as the Microsoft-Ireland case. The case centers on whether U.S. law enforcement can access data stored outside U.S. borders, implicating users’ privacy around the globe. It is not yet clear how the Court will rule.

The Court is tasked with interpreting whether the Stored Communications Act, a law in place since 1986, permits U.S. law enforcement to demand data stored abroad. U.S. authorities sought data stored by Microsoft in Dublin, Ireland, but instead of making a request under the mutual legal assistance treaty (MLAT) with Ireland, they went directly to Microsoft to demand the user data. MLATs exist to give law enforcement a means of accessing data stored abroad during investigations.

A ruling for the U.S. government in this case would be disastrous for the existing system that governments use to request user data, which has been built to ensure user protections and reciprocity. It would invite the U.S. government and other governments worldwide to act unilaterally to access data with few to no privacy protections.

During the hearing, Justices raised questions of statutory interpretation, potential Congressional action, and conflicts with foreign law. However, regardless of the Court’s decision, the case will answer only the central question of whether the law allows government access to data stored overseas, including requests for the data of persons of another country, and not what limits can be imposed on such access.

If the Supreme Court sides with the U.S. government, the U.S. could assert authority over data regardless of where it’s stored or the identity of the data subject. Alternatively, a victory for Microsoft would require the U.S. to use MLAT requests to access data stored abroad. It would mean a continued debate about cross-border data requests and likely continued consideration of the dangerous CLOUD Act and similar proposals that would have implications for human rights. As Access Now has reiterated, any system that permits governments to access data abroad must be built on human rights protections and account for the law of the countries involved.