Menu
Microsoft says tech companies ‘whipsawed’ by conflicting laws on global data transfer

Microsoft says tech companies ‘whipsawed’ by conflicting laws on global data transfer

The company is asking for reform of both US law and inter-government treaties

Microsoft is expected to testify that both outdated U.S. laws and agreements between countries on cross-border transfer of data have to be amended as tech companies are increasingly ‘whipsawed’ in legal conflicts in which local authorities are seeking unilateral and extraterritorial warrants over data stored in the cloud.

In written testimony ahead of a U.S. House of Representatives hearing scheduled for Thursday, Microsoft’s President and Chief Legal Officer Brad Smith wrote that countries are “increasingly claiming new extraterritorial legal authority (and interpreting existing legal authorities) to access and intercept data.” In response, other countries are enacting a range of laws, including data localization and data retention requirements, so as to counter such extraterritorial authorities, he added.

A copy of Smith’s testimony was posted on the site of the House Judiciary Committee. Other testimonies also pointed to conflicts between laws in different jurisdictions and the need to streamline Mutual Legal Assistance Treaties (MLATs) for exchange between countries of evidence and information in criminal and related investigations.

“Today, for reasons both technological and political, there are growing conflicts between U.S. and foreign laws regulating production of data in response to governmental surveillance directives,” wrote David S. Kris, general counsel at Intellectual Ventures and a former Department of Justice official.

The issue of cross-border data transfers is particularly sensitive for Microsoft, which is already fighting in an appeals court in New York a demand from the U.S. government that it should turn over certain emails stored in a data center in Ireland in connection with an investigation.

In response to a search warrant, Microsoft provided non-content information held on its U.S. servers but tried to quash the warrant when it found that the account was hosted in Dublin and the content was also stored there.

Microsoft holds that the U.S. Congress did not say that the Electronics Communications Privacy Act "should reach private emails stored on provider's computers in foreign countries." The company favors an inter-governmental resolution to the U.S. demand for access to the emails in Dublin, through the use of MLATs the U.S. has with other countries including Ireland. Ireland has volunteered to consider a request for the data under the treaty.

International legal cooperation worked well, for example, when after the terror attacks in January last year on the offices in Paris of satire magazine Charlie Hebdo, French authorities contacted the FBI for emails from two customer accounts held by Microsoft and the content was delivered to the FBI “all in exactly 45 minutes,” Smith said.

But countries are not always willing to play by these rules because of the delays in the MLAT process in the U.S.  A 2013 report found that the MLAT process is "too slow and cumbersome"  and can take 10 months on an average.

Brazilian courts and legislation, for example, assert the authority to compel U.S. tech companies to disclose the contents of users’ communications to local law enforcement, even if the data is located in other countries, according to Microsoft. The company stores the data in the U.S. and under the ECPA it would be illegal for it to hand over the data even if it belonged to a Brazilian user.

Brazil has refused to seek the information through a MLAT citing time sensitivities, Smith said. The Brazilian government has levied fines against the company's local subsidiary and in one case arrested and charged criminally a local employee, when Microsoft refused to violate U.S. law by complying with the Brazilian orders.

The need to reform MLAT was brought up in other testimonies as well. Jennifer Daskal, assistant professor at the American University Washington College of Law, said the MLAT process can be laborious in the U.S. and the range of responses to this by foreign countries include mandatory data localization requirements, unilateral assertions of extraterritorial jurisdiction, compulsory anti-encryption and even threats to local employees of the U.S. firm.

Another wrinkle for data transfer is likely to be the European Union's upcoming implementation of the proposed General Data Protection Regulation, which is expected to come into force in the spring of 2018. "Once the GDPR comes into force, the conflict between EU law and U.S. requirements will become even more stark," Smith said.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Slideshows

IN PICTURES: Ingram Micro Innovation hits Auckland with Hewlett Packard Enterprise

IN PICTURES: Ingram Micro Innovation hits Auckland with Hewlett Packard Enterprise

Ingram Micro completed its nationwide roadshow in Auckland last month, kicking off its Innovation Hour series with Hewlett Packard Enterprise. Uncovering the latest in storage, networking and servers, the event outlined key market trends for resellers in 2016 and beyond.

IN PICTURES: Ingram Micro Innovation hits Auckland with Hewlett Packard Enterprise
IN PICTURES: FireEye celebrates channel at 2016 Partner Conference

IN PICTURES: FireEye celebrates channel at 2016 Partner Conference

FireEye welcomed 143 channel partners and distributors to FireEye's 2016 annual Partner Conference, FireEye A/NZ Momentum - held at Establishment in Sydney. Delegates heard from senior trans-Tasman channel leaders, marketing and the product divisions in the morning, with FireEye customers, incident responders and threat intelligence analysts sharing knowledge during the afternoon.

IN PICTURES: FireEye celebrates channel at 2016 Partner Conference
​IN PICTURES: Disruption in the data centre - Can the Kiwi channel capitalise?​

​IN PICTURES: Disruption in the data centre - Can the Kiwi channel capitalise?​

With New Zealand businesses now open to innovation, the industry sits on the cusp of significant disruption in the data centre. Driven by software-defined networking, the future of the data centre is fast becoming reality, as the channel seeks to keep up, keep innovating and keep growing. APC by Schneider Electric, Lenovo and key partners outlined how the channel can capitalise at The Grill restaurant in Auckland.

​IN PICTURES: Disruption in the data centre - Can the Kiwi channel capitalise?​
Show Comments