IPPro The Internet Issue 140

More documents

Recommendations

Info

Case Report The Microsoft case: What are the consequences for personal data protection? Nathalie Dreyfus explains the potential for far reaching consequences as a result of the US DOJ v Microsoft, which will be heard at the US Supreme Court later this year US v Microsoft Corp The legal saga of the case of the US Department of Justice (DOJ) v Microsoft began in 2013 when the American authorities sent Microsoft a search warrant. The purpose of which was to obtain the contents of the online emails of a European customer as part of an investigation related to narcotics. The IT giant refused to comply and the request was taken before the American courts. In the first instance decision, the US District Court for the Southern District of New York considered that an American warrant to seize user data, such as emails, was valid, even though such data was situated outside American soil, in this case, in Dublin, Ireland. the case at hand. However, the DOJ did not stop there and appealed against this judgement before the US Supreme Court in October 2017. The latter is expected to deliberate on the case at the beginning of the summer. This much-awaited verdict raises concerns among the experts about the fundamental issues at stake in this case. The US and the GDPR One of the main points raised in the proceedings in this case was obviously how a finding potentially in favour of the US government would comply with the legislation of the EU and in particular the General Data Protection Regulation (GDPR), starting from 25 May. The Court based its findings on article 2703(a) of the Stored Communication Act (SCA) of Title II of the American Electronic Communication Privacy Act. This provision grants American governmental entities the ability to order a private online email company established in the US to disclose the contents of a user email pursuant to a warrant issued according to the procedures described in the Federal Criminal Procedure Rules. Microsoft appealed this judgement raising the question of the applicability of the Stored Communication Act outside American borders, on the basis of rule 41 of the Federal Rules of Criminal Procedure, in the belief that no Federal Court could authorise a warrant for property situated outside the legal limits of the territory of the US. The US Court of Appeals for the Second Circuit did not follow the judgement of the district court, finding in favour of Microsoft in July 2016. In particular, it came to the conclusion that US Congress had not explicitly provided that the SCA should apply outside US borders. To this extent, the court of appeals decided that the SCA did not authorise a US court to validate a warrant such as that referred to in Moreover, it is from this perspective that the European Commission intervened as an amicus curiae, in support of Microsoft’s position. Through a communiqué, it explained that, to the extent that the case refers to the transfer of data from the EU, it is governed by EU law. The new European legislation invites non-European national authorities to sign international and intergovernmental agreements to settle this type of dispute. Article 48 of the GDPR provides that “any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the union or a member state, without prejudice to other grounds for transfer pursuant to this Chapter”. GDPR represents a substantial economic challenge for companies, since the new European regulation provides for large fines—up to 4 percent of total global annual turnover calculated on the company’s previous fiscal period—in the event of failure to comply with the provisions defined in article 48. 16 IPPro The Internet
Case Report Significant difficulties remain, however, for complying with such requirements, to the extent that these cross border agreements are often based on laws and policies that are obsolete. As an example, the mutual legal assistance treaties (MLAT) in terms of transnational criminal cooperation, propose fastidious solutions, which only guarantee minimum legal security. These demands take time, which remains a considerable source of frustration for the national authorities, in view of the lack of efficiency they imply. This is why the US legal authorities prefer conducting a more effective approach: that of the national warrants. This affair undeniably leads to the conclusion that a broader reflexion must be conducted on the legislation relative to personal data, on an international scale. At a time when cyber criminality is increasing, transatlantic cooperation is more important than ever. Now, without legislative action carried out on an international scale, a judgement in favour of the government in the Microsoft case will probably have considerable effects, according to Professor Théodore Christakis in his study of this dispute. In this measure, such an outcome would render transatlantic cooperation very difficult for the authorities in charge of keeping the peace, governments and undertakings. A ruling in favour of the American government would have the consequence of empowering the American authorities to oblige service providers present in the US to supply data, irrespective of where it is stored, which would go against the current legal requirements. In addition, such an outcome would signal to the European authority an incompatibility between US law and EU law, which would make them reluctant to authorise the transfer of European personal data to the US in spite of the privacy shield. The CLOUD Act This affair is obviously in echo of the new American legislation called the Clarifying Lawful Overseas Use of Data (CLOUD) Act voted by Congress and signed by US President Donald Trump, which offers a legal framework for the seizing of emails, documents and electronic communications located in the servers of US companies and stored abroad. One of the principal points of the CLOUD Act resides in the new article 121 it introduces in the Stored Communication Act, which requires a communication service provider to be able to store, backup and even disclose the contents of any electronic records or communications, whether they are located on US soil or outside US borders. The CLOUD Act thus becomes an alternative to the current process of sharing user information between countries, the MLAT, the implementation of which is more straightforward and faster to execute. The major tech firms such as Apple, Facebook or even Google are delighted with such an initiative. They expressed themselves in an open letter in February in these terms: “The CLOUD Act encourages diplomatic dialogue, but also gives the technology sector two distinct statutory rights to protect consumers and resolve conflicts of law if they do arise. The legislation provides mechanisms to notify foreign governments when a legal request implicates their residents, and to initiate a direct legal challenge when necessary.” This opinion is, however, far from being shared with the associations that defend liberties such as the American Civil Liberties Union and the Electronic Frontier Foundation. This contested legislation is patently in conflict with the GDPR and in particular article 48, which, as explained above, deals with foreign—including American—investigations, by prohibiting the transfer or disclosure of personal data unless otherwise expressly agreed internationally. There is therefore a strong wager to be made that the CLOUD act will be subject to further discussions at national and international level. This legislation compiled in the current litigation illustrates the divergence emerging between Europe and the US concerning the treatment of requests for confidentiality and data. They represent a strong position on the part of the overseas government to shed light on the obsolescence of the current legislation in a digital world. The firm Dreyfus & associés specialises in the field of IP. We are up to date on the new developments in European legislation and can provide you with all the help and advice you require concerning your IP rights in Europe. IPPro This legislation compiled in the current litigation illustrates the divergence emerging between Europe and the US concerning the treatment of requests for confidentiality and data Nathalie Dreyfus, founder, Dreyfus & associés 17 IPPro The Internet
Page 1: ISSUE140 17 April 2018 www.ipprothe
Page 4 and 5: Contents www.ipprotheinternet.com @
Page 6 and 7: News Round-Up will the questions re
Page 8 and 9: News Round-Up Hargreaves imported l
Page 10 and 11: Corporate Brand Services Corporate
Page 12 and 13: Copyright Reform the Brussels polit
Page 14 and 15: Country Profile recognised, even th
Page 18 and 19: J. Varbanov & Partners European and
Page 20 and 21: Alibaba Update As an example, in 20
Page 22 and 23: Supported Piracy Badvertising: This
Page 24 and 25: Supported Piracy We live in a cynic
Page 27 and 28: Record Emmanuel Harrar of IPzen exp
Page 30 and 31: Industry Events AIPPI Israel Confer
Page 32: Industry Appointments Movers and sh

IPPro The Internet Issue 140

Create successful ePaper yourself

Delete template?

Save as template?