Electronic data hosted on overseas servers are off-limits for US government
Microsoft has landed a significant win in its ongoing legal battle against the US government over the privacy of its customer data located in offshore datacentres.
The US Court of Appeals ruled that the US Federal Government cannot compel companies to turn over electronic data that is stored exclusively on servers located outside the United States.
While government and law enforcement agencies can still obtain access to data held domestically in the US under the Stored Communications Act (SCA), the court has determined that the SCA does not apply to electronic data, like emails, held on servers located overseas.
This deals the US government the latest setback in its struggle with the tech industry over the reach of law enforcement and the limits of personal privacy.
Background
The case of Microsoft vs the United States of America began in late 2013 when the US Department of Justice (DoJ) issued a warrant to Microsoft under the SCA. The DoJ was attempting to seize contents of an email account stored on Microsoft’s servers in Ireland.
If Microsoft handed over the data, it would be in violation of Irish data protection laws. Microsoft refused to comply and challenged the warrant, but was unsuccessful. The court’s initial ruling stated that the SCA applies extraterritorially as Microsoft is an US‐based service provider. Microsoft subsequently appealed the court’s decision resulting in the current ruling.
The crux of the issue was a critical question that remains a concern for many organisations, cloud service providers and private users across the world – who has jurisdiction over private data stored in the cloud?
Safe Harbor Agreement
The result of this case has significant impact in Europe. In October last year, the Court of Justice of the European Union declared invalid a “safe harbor” agreement, on which thousands of companies including Google, Facebook, and Apple rely for the transfer of personal data. Declaring the safe harbor agreement invalid directly impacted the transmission of personal information between the US and Europe.
A new Privacy Shield data protection agreement was quickly published to remediate the situation, but nervousness around data protection remained. The overturning of the DoJ warrants is expected to alleviate some of the trepidation around privacy, data protection and data sovereignty in the region.
Implications
The final outcome is important as it will resolve a myriad of questions around data ownership; questions that have serious implications for public cloud adoption. It is not just the physical location of the server, but as highlighted in this case, it could be where your cloud provider is headquartered.
Australian businesses have a legal obligation to ensure that their customer data and confidential information is protected in line with the Australian Privacy Act. Failure to do so requires full disclosure and can result in hefty penalties for each breach, making data privacy a critical consideration that businesses cannot afford to ignore.
For Australian businesses that are currently using overseas-based cloud providers, Microsoft’s victory offers a precedent for preserving data sovereignty and protecting the privacy of personal and business information – so long as the data remains securely and solely within Australia. Assuming of course, that our government and local Microsoft entity have an appetite to contest claims from foreign governments and law enforcement agencies beyond geographic borders.
Assumptions aside, this risk is something that organisations need to consider. If data sovereignty and privacy are important, the best way to ensure compliance is to partner with a cloud provider who can guarantee that all your data, including any redundancy, backups, billing and reporting remain solely within Australia.
Locally owned and operated, blueAPACHE’s emPOWER Cloud is an enterprise-grade private cloud platform residing exclusively within three geographically diverse datacentres in Australia. We deliver our complete suite of cloud, telephony and unified communications, network, security and support services locally – guaranteeing data sovereignty for those who need it, and offering direct public cloud integration for those that do not.
For more information on data sovereignty and how it may impact your organisation’s cloud strategy, contact the blueAPACHE account team.