The 2nd U.S. Circuit Court of Appeals recently shot down the latest effort by the Justice Department to compel Microsoft to hand over the data of a foreigner stored overseas. Amazingly, the government asserted that a U.S. search warrant should carry jurisdiction over the data of an Irish citizen being stored on a server in Ireland, simply because it is owned by Microsoft, an American corporation.
Thank goodness the federal appeals court has now rejected the government's attempt to have the case reheard, after a lower court ruling in the government's favor -- which held Microsoft in contempt for failing to turn over the data -- was overturned last July.
The outcome affirms a landmark defense of privacy rights against law enforcement overreach and clearly establishes that the U.S. government does not have jurisdiction over the entire world. It also removes a major threat to the competitiveness of U.S.-based multinational companies, which must operate under the privacy rules of the countries in which they operate. Many of those countries unsurprisingly take a dim view of U.S. government efforts to pry into the lives of their citizens. To comply with the U.S. government warrant, Microsoft would have had to violate Ireland's privacy laws.
The decision to reject the government's appeal for a rehearing was decided by a 4-4 split, much closer than it should have been. Justice Department officials pledged to try to take the issue to the Supreme Court.
The new administration could insist that Justice Department lawyers drop the matter. Members of Congress, however, shouldn't count on either the courts or the Trump administration. Instead, they could address the fundamental issue.
The root of the problem is a common one. A law -- the Electronic Communications Privacy Act -- was enacted in 1986 to address issues raised by the technology at the time, and Congress never bothered to update it despite significant advancements in the decades since. Because of this political shortsightedness, courts are left trying to navigate trade-offs between the needs of law enforcement and digital privacy rights using a law drafted in the era of floppy disks.
This has also resulted in massive privacy blind spots -- such as the ECPA's considering emails held by a third party for over 180 days to be abandoned, allowing them to be accessed with a simple subpoena instead of a judge-issued warrant.
Also of concern is that the process for working with foreign governments when investigations cross jurisdictions -- through mutual legal assistance treaties, or MLATs -- has been seen by officials as too cumbersome to pursue. Excessive bureaucratic red tape, in other words, has encouraged investigators to engage in a troubling power grab.
The previous Congress featured a bill, the International Communications Privacy Act, that sought to resolve both of these issues. It would have updated privacy rules to acknowledge modern technological reality by doing away with such silly provisions as the 180-day rule. It also would have streamlined MLAT procedures to make international cooperation more practical.
Another bill, the Email Privacy Act, was just reintroduced in the current Congress and would also update the ECPA. Regardless of the vehicle Congress decides upon, these issues involving the intersection of privacy rights, modern technology and the rights of businesses that operate under conflicting international rules must be resolved by legislators instead of left to bureaucrats and the courts to untangle.