How Europe may redefine America's electronic spying
As the Justice Department battles with Microsoft over e-mails stored in Ireland, a forthcoming agreement would allow European citizens to sue US government agencies that misuse their data.
For both law enforcement agencies and technology companies, the way that users' data is shared remains a thorny subject, but for vastly different reasons.
The Justice Department is hoping it will prevail over Microsoft in an effort to get the tech giant to turn over e-mails concerning drug smuggling. But as the case – which involves a Hotmail e-mail account stored on a server in Ireland – goes before a federal appeals court on Wednesday, the US government is also involved in a quieter effort to redefine how data is shared between law enforcement in the US and Europe.
The data sharing “umbrella agreement,” which was finalized on Tuesday, is intended to provide guidelines on how personal data is used in criminal investigations, including terrorism cases.
Most notably, the European Commission says, the agreement will provide protections against the misuse of European citizens’ data by US agencies, including allowing them to sue in US courts. American citizens are currently allowed to sue EU agencies that misuse the data, but the US doesn’t have a similar provision.
“The United States must guarantee that all EU citizens have the right to enforce data protection rights in US courts, whether or not they reside on US soil,” says Jean-Claude Juncker, the commission’s president, in a statement about the agreement. “Removing such discrimination will be essential for restoring trust in transatlantic relations.”
The new agreement, which has been in the works since 2009, comes amid a firestorm of debate over US government surveillance, which has extended to spying on top European officials, including French President Francois Hollande, two previous French presidents, and German Chancellor Angela Merkel, the Monitor reported in June.
It must also be approved by Congress, which introduced legislation to adopt the provision – known as the Judicial Redress Bill – in March, with a companion bill introduced in the Senate in June. With debate on that measure still forthcoming, the fate of Microsoft may provide a key first look at how international privacy law evolves in the digital age.
In that case, now unfolding before the Second Circuit Court of Appeals in New York, the Justice Department attempted to force the tech giant to turn over private e-mails directly, without working with law enforcement agencies in Ireland. Microsoft says the Justice Department’s search warrant does not authorize a search of data stored outside the US.
Legal experts say a ruling in the government’s favor could force tech companies to revamp their policies on what information is disclosed to law enforcement agencies. The case also comes on the heels of a dispute between the Justice Department and Apple involving the release of text messages the company says should remain encrypted.
"From a legal and regulatory perspective, it’s an interesting time in privacy," says Craig Newman, a partner at Patterson Belknap Webb & Tyler, who often focuses on cybersecurity cases and attended Wednesday's hearing.
Mr. Newman says it's still unclear how the court may rule. On one hand, the government of Ireland has filed a legal brief noting that there is an existing agreement, known as a mutual assistance in law enforcement treaty – a legal mechanism that facilitates cooperation between police in different countries – between the US and Ireland.
But in May, US federal judge Gerard Lynch, who is part of the panel overseeing the Microsoft case, ruled that bulk collections of phone records by the National Security Agency was illegal, forcing Congress to revamp the legislation, known as the Patriot Act, which had made that data collection possible. What is clear, however, is that the ruling will likely have international implications on privacy.
“Private citizens of democratic governments should be able to influence those laws,” Jim Kinsella, a former Microsoft executive who now runs a secure cloud storage company in Europe called Zettabox, told the Guardian. “A European citizen has no influence when he uses a Google account that goes through sets of servers the US says they get to reach into.”
The case has led to an outpouring of support for Microsoft, with an unlikely group of allies from tech companies – including Google, Apple, Amazon, and AOL – major news organizations and civil liberties group filing briefs on Microsoft’s behalf, according to court records.
By contrast, perhaps because it has yet to be publicly debated in Congress, the European agreement has drawn much less public notice, though both measures could have wide-ranging impacts on how government agencies collect data.
In an attempt to fix what privacy advocates see as an overreach into citizens' personal lives by law enforcement, The European Commission's agreement also allows European citizens to correct mistaken information used by law enforcement agencies in both regions.
For example, if a person’s name is the same as a suspect in an international criminal investigation and appears mistakenly on a so-called “black list” in the US, they can petition to have their name removed. Without this provision, the commission says, some people could be prevented from flying or be denied a visa.
Mr. Newman, the cybersecurity lawyer, says some companies, such as Yahoo, have begun separating their international arms from their domestic businesses in an effort to preempt concerns about data protection. If a case involved e-mails from a Yahoo account registered in France instead, he says, US-based Yahoo would likely not be required to turn it over the messages.
"The question is whether today’s argument in the Second Circuit is a way station of sorts on the way to the Supreme Court, or to Congress to fix the law," he says.