Forget the old case, DoJ tells Supremes, all hail CLOUD Act
The long-running wrangle began back in 2014, when Microsoft was taken to court by American prosecutors who wanted access to suspects’ emails that Microsoft had stored overseas.
The Feds demanded the private messages under section 2703 of the US Stored Communications Act, but Redmond refused, saying that the search warrant couldn’t extend beyond US borders.
In July 2016, the United States Court of Appeals for the Second Circuit ruled in Microsoft’s favour – a decision the Department of Justice is in the process of appealing against in the Supreme Court.
However, the passage of a new law signed off last week, the CLOUD Act (Clarifying Lawful Overseas Use of Data Act), has thrown a huge question mark over the dispute.
In contrast to existing laws, the CLOUD Act specifies that authorities can demand that firms pass on data, even if it’s held outside the US.
And so the DoJ has filed a motion (PDF) with the Supreme Court saying that, given the passage of the CLOUD Act, the court should vacate the judgment made by the Court of Appeals and dismiss the case as moot.
The DoJ’s argument is that the CLOUD Act now directly governs the warrant at the heart of the dispute, which it said settles the matter.
The US government insisted it was still possible for Microsoft to fully comply and disclose the information in question under the existing warrant, but complained Microsoft wasn’t playing ball.
“Microsoft has refused to acknowledge either that the CLOUD Act applies to the Section 2703 warrant at issue in this case or that Microsoft plans to disclose the required information under the original warrant,” the document stated.
As such, the DoJ said it had decided “the most efficient means of acquiring the information sought is through a new warrant under the CLOUD Act” – and did so on 30 March – even though it maintains it shouldn’t have had to issue one.
The government is “unquestionably entitled” to the information, the filing stated, adding:
“Microsoft no longer has any basis for suggesting that such a warrant is impermissibly extraterritorial because it reaches foreign-stored data, which was the sole contention in its motion to quash… There is thus no longer any live dispute between the parties, and the case is now moot.”
We asked Microsoft to comment, but a spokesperson said the company had “nothing to share”.
However, Microsoft president Brad Smith has previously issued broadly supportive statements about the CLOUD Act. When it was passed last week, Smith blogged to say it was a “critical step forward in resolving an issue that has been the subject of litigation for over four years”.
It remains to be seen whether the new law is quite as water-tight in its ability to force firms to hand over any and all data as the government wants.
Frank Jennings, cloud lawyer at Wallace LLP, said that although the CLOUD Act offers useful clarity for providers, it might not be the end of the dispute.
“The CLOUD Act requires a provider to preserve, backup or disclose data even if the data is outside the USA. This clarity is useful… Cloud providers can now point to a clear obligation to comply with an up-to-date law,” he said. “However, the battle is not over yet.”
Jennings said the next stage “will be for US providers to show that data outside the US is not in their ‘possession, custody, or control’ but that of someone else”, possibly the customer or a third party.
They could also offer data encryption as standard, with the customer holding the decryption keys, he said. “This is the ‘You can have it but we don’t know what it says’ approach.”
The passage of the CLOUD Act and the access it grants to data held on EU servers – which has been condemned by campaign groups in the bloc – might also lead to other battles, he said.
For instance, it may give new impetus to those seeking to challenge the transatlantic data transfer deal Privacy Shield, and it isn’t yet clear what the EU’s data protection agencies will make of it.
“We await to see whether the new European Data Protection Board [which will come into being with the General Data Protection Regulation] will recognise this as a ‘necessary and proportionate measure… to safeguard national security’ or an attempt to overreach and undermine GDPR from afar,” said Jennings.