The US Supreme Court will decide whether cloud companies can be forced to provide data stored outside the US - United States v Microsoft - after a lower court became deadlocked. Basically this is about the reach of law enforcement against the right to privacy.
“This is a series of posts concerning cloud, privacy and data protection from a global perspective.”
One of the areas of key concern is the interplay between EU data protection rules and laws in other countries that seemingly conflict. Given the US origin of many of the largest cloud vendors, the size of the US market and revelations about NSA surveillance and information gathering, the position in the US continues to be watched closely.
In the Microsoft Warrants case, it was found that Microsoft must comply with a warrant to disclose records in a particular MSN email account and that the location of the data (in Dublin) was not relevant because Microsoft still “controlled it”. Microsoft decided not to comply with the order, voluntarily putting itself in contempt.
Apple, Cisco, Verizon and AT&T all filed Amicus briefs in support of Microsoft’s appeal on the basis that finding in favour of the US Government would conflict directly with EU data protection laws. The US court of appeals for the second circuit declined to enforce the warrant, deadlocked with four judges for and four against. The Supreme Court has agreed to accept the case.
The lack of clarity and the potential conflicts of laws present real challenges for US cloud vendors and their customers.
In my view Microsoft is leading the charge for clarity - both by fighting this case and because of its Azure Germany facility which provides data residency in Germany, and strict data access and control measures provided through a data trustee model governed under German law - in short, out of reach of Microsoft itself or the US Government. (No I don't work for Microsoft!)