IPPro Issue 002

Case Report
The Microsoft case:
What are the consequences for personal data protection?
Nathalie Dreyfus explains the potential for far reaching consequences as
a result of the US DOJ v Microsoft, which will be heard at the US Supreme
Court later this year
US v Microsoft Corp
The legal saga of the case of the US Department of Justice (DOJ)
v Microsoft began in 2013 when the American authorities sent
Microsoft a search warrant. The purpose of which was to obtain the
contents of the online emails of a European customer as part of an
investigation related to narcotics. The IT giant refused to comply and
the request was taken before the American courts.
In the first instance decision, the US District Court for the Southern
District of New York considered that an American warrant to seize
user data, such as emails, was valid, even though such data was
situated outside American soil, in this case, in Dublin, Ireland.
The Court based its findings on article 2703(a) of the Stored
Communication Act (SCA) of Title II of the American Electronic
Communication Privacy Act. This provision grants American
governmental entities the ability to order a private online email
company established in the US to disclose the contents of a user
email pursuant to a warrant issued according to the procedures
described in the Federal Criminal Procedure Rules.
Microsoft appealed this judgement raising the question of the
applicability of the Stored Communication Act outside American
borders, on the basis of rule 41 of the Federal Rules of Criminal
Procedure, in the belief that no Federal Court could authorise a
warrant for property situated outside the legal limits of the territory of
the US. The US Court of Appeals for the Second Circuit did not follow
the judgement of the district court, finding in favour of Microsoft in
July 2016.
In particular, it came to the conclusion that US Congress had not
explicitly provided that the SCA should apply outside US borders.
To this extent, the court of appeals decided that the SCA did not
authorise a US court to validate a warrant such as that referred to in
the case at hand. However, the DOJ did not stop there and appealed
against this judgement before the US Supreme Court in October 2017.
The latter is expected to deliberate on the case at the beginning of
the summer. This much-awaited verdict raises concerns among the
experts about the fundamental issues at stake in this case.
The US and the GDPR
One of the main points raised in the proceedings in this case
was obviously how a finding potentially in favour of the US
government would comply with the legislation of the EU and
in particular the General Data Protection Regulation (GDPR),
starting from 25 May.
Moreover, it is from this perspective that the European Commission
intervened as an amicus curiae, in support of Microsoft’s position.
Through a communiqué, it explained that, to the extent that the case
refers to the transfer of data from the EU, it is governed by EU law.
The new European legislation invites non-European national authorities
to sign international and intergovernmental agreements to settle this
type of dispute. Article 48 of the GDPR provides that “any judgment
of a court or tribunal and any decision of an administrative authority
of a third country requiring a controller or processor to transfer or
disclose personal data may only be recognised or enforceable in any
manner if based on an international agreement, such as a mutual
legal assistance treaty, in force between the requesting third country
and the union or a member state, without prejudice to other grounds
for transfer pursuant to this Chapter”.
GDPR represents a substantial economic challenge for companies,
since the new European regulation provides for large fines—up to 4
percent of total global annual turnover calculated on the company’s
previous fiscal period—in the event of failure to comply with the
provisions defined in article 48.
Significant difficulties remain, however, for complying with such
requirements, to the extent that these cross border agreements are
often based on laws and policies that are obsolete. As an example,
the mutual legal assistance treaties (MLAT) in terms of transnational
criminal cooperation, propose fastidious solutions, which only
guarantee minimum legal security. These demands take time,
which remains a considerable source of frustration for the national
authorities, in view of the lack of efficiency they imply.
This is why the US legal authorities prefer conducting a more effective
approach: that of the national warrants. This affair undeniably leads
to the conclusion that a broader reflexion must be conducted on the
legislation relative to personal data, on an international scale.
At a time when cyber criminality is increasing, transatlantic
cooperation is more important than ever. Now, without legislative
action carried out on an international scale, a judgement in favour of
the government in the Microsoft case will probably have considerable
effects, according to Professor Théodore Christakis in his study of this
dispute. In this measure, such an outcome would render transatlantic
cooperation very difficult for the authorities in charge of keeping the
peace, governments and undertakings.
A ruling in favour of the American government would have the
consequence of empowering the American authorities to oblige
service providers present in the US to supply data, irrespective
of where it is stored, which would go against the current legal
requirements. In addition, such an outcome would signal to the
European authority an incompatibility between US law and EU
law, which would make them reluctant to authorise the transfer of
European personal data to the US in spite of the privacy shield.
The CLOUD Act
This affair is obviously in echo of the new American legislation called
the Clarifying Lawful Overseas Use of Data (CLOUD) Act voted
by Congress and signed by US President Donald Trump, which
offers a legal framework for the seizing of emails, documents and
electronic communications located in the servers of US companies
and stored abroad.
This legislation compiled in
the current litigation illustrates the
divergence emerging between Europe
and the US concerning the treatment of
requests for confidentiality and data
One of the principal points of the CLOUD Act resides in the new article
121 it introduces in the Stored Communication Act, which requires a
communication service provider to be able to store, backup and even
disclose the contents of any electronic records or communications,
whether they are located on US soil or outside US borders.
The CLOUD Act thus becomes an alternative to the current process
of sharing user information between countries, the MLAT, the
implementation of which is more straightforward and faster to execute.
The major tech firms such as Apple, Facebook or even Google are
delighted with such an initiative. They expressed themselves in an
open letter in February in these terms: “The CLOUD Act encourages
diplomatic dialogue, but also gives the technology sector two distinct
statutory rights to protect consumers and resolve conflicts of law if
they do arise. The legislation provides mechanisms to notify foreign
governments when a legal request implicates their residents, and to
initiate a direct legal challenge when necessary.”
This opinion is, however, far from being shared with the associations
that defend liberties such as the American Civil Liberties Union and
the Electronic Frontier Foundation.
This contested legislation is patently in conflict with the GDPR
and in particular article 48, which, as explained above, deals with
foreign—including American—investigations, by prohibiting the
transfer or disclosure of personal data unless otherwise expressly
agreed internationally. There is therefore a strong wager to be made
that the CLOUD act will be subject to further discussions at national
and international level. This legislation compiled in the current
litigation illustrates the divergence emerging between Europe and
the US concerning the treatment of requests for confidentiality and
data. They represent a strong position on the part of the overseas
government to shed light on the obsolescence of the current
legislation in a digital world.
The firm Dreyfus & associés specialises in the field of IP. We are up
to date on the new developments in European legislation and can
provide you with all the help and advice you require concerning your
IP rights in Europe. IPPro
Nathalie Dreyfus, founder, Dreyfus & associés
18 IPPro The Internet www.ipprotheinternet.com 19