Balancing privacy with the rapid advancement of technology is no small task, especially across sovereign borders. But that's the crux of what is possibly the most significant data sovereignty case in the Internet's short history.
Microsoft is in the middle of a dispute with the US government, arising from an investigation in which federal law enforcement sought access to information about a Microsoft account in which the data is stored in Ireland. The fight over the applicability of a warrant highlights the critical need to bring clarity to the issues surrounding the territoriality of data.
Notably, it is important not just for Microsoft’s European business or for the sake of US law enforcement, but for another reason – maintaining users’ trust in technology and the services it enables.
During the dispute, Microsoft produced the address book of the user but challenged the warrant to produce customer’s e-mails. After the magistrate judge upheld the warrant, the company continued to refuse to produce the materials and was held by the district court in contempt. The company appealed, and the last round of proceedings took place on Sept. 9 without resolving the issue.
Regardless of the outcome of the case, law and policymakers will have to balance the interests of a range of stakes, most notably those of private citizens, law enforcement, and the tech industry.
Technology and its main byproduct – data – challenge existing notions about territoriality, sovereignty, jurisdiction, and control. Data has great value for law enforcement, industry, advertising, science, and other fields, but its value to the individual is even greater – it is the most personalized and intimate outcome of one’s interaction with technology and the center of trust in the relationship between the individual and technology. A user needs to trust the interlocutor with the data in order to provide it. Once this trust is undermined – regardless of the reason for it – the individual’s interaction with technology might change. If one mishandles the data, they completely mishandle the trust.
In recent years, a constant stream of data breaches, intrusions into government systems, and attacks on service providers have injected fear and paranoia into our interactions with technology. But while cyber-insecurity is slowly chipping away at our trust in technology, the lack of clarity and consensus on rules for government access to data or private communications could lead to the same result.
Users in whichever county need transparency, predictability, and clarity on what is going happen with their data during its life cycle. Unpredictable situations, such as the issuance of a warrant to seize the contents of an e-mail or an address book, test any rules designed to address data regulation.
Therefore, policies governing transnational data issues must be set and clarified, and not taken with short-term law enforcement, intelligence, or national security goals in mind. Instead, these decisions must take the unique values and sensitivities surrounding data into consideration.
Last week's Safe Harbor opinion from the Advocate General of the Court of Justice of the European Union makes the case in point. A complaint against Facebook that ended up with the CJEU, filed after Edward Snowden's disclosures, argued that the Safe Harbor arrangement does not provide appropriate level of privacy protection. More than 4,000 US companies daily self-certify that they are following EU data protection rules.
The court’s Advocate General now argues that Europeans can't trust that their information in US servers will be safe, citing the systemic deficiencies in the protection of personal data as one of the main reasons. Should the Court agree with the opinion and suspend Safe Harbor, US companies relying on the current mechanism would have to use much more burdensome solutions to prove that data protection significantly hampers their operation.
By failing to address the novel challenges brought on by the unique character of data and the lack of clarity on when and how private sector actors are compelled to comply with legal requirements around the world, the current situation clearly plays in the hands of those who stand on the side of data localization.
Protectionism and data localization initiatives are clearly not in the interest of the United States – they go against the stated US policy on open Internet supportive of innovation, hamper the business of global tech companies, and have a potential for significant economic impact.
The potential loss of confidence in US providers has possible repercussions that go far beyond the monetary costs for individual business. The lack of user confidence in how the industry operates will impact global cloud services and Internet infrastructure providers.
The global Internet has been the enabler of economic growth and innovation in the past two decades. Failure to address uncertainties stemming from its global nature can easily undermine its potential. We could lose as much as $20 trillion of cumulative benefits from information and communication technologies by mismanaging the role of governments vis-à-vis the Internet.
The industry has been striving to enable its users to understand how it handles their data and information. Now it’s time for law and policymakers to augment these efforts by taking into consideration all the equities coming with data.
Klara Jordan is the associate director of the Cyber Statecraft Initiative at the Atlantic Council think tank. Follow her on Twitter @JordanKlara.