Organisations which manage data across multiple jurisdictions are again looking with interest to the Supreme Court of the United States of America. A long running case with important implications has resurfaced.
The case relates to emails which are held by the US based entity Microsoft Corporation, on servers in Ireland. A warrant for production has been issued, addressed to Microsoft Corporation in the United States.
The case is of significant interest because many international organisations that deal primarily with personal information (for example well known social media companies) maintain servers in the Republic of Ireland. Objectively, this seems to be for the purpose of facilitating compliance with European Union data protection laws. Further, it is common for customers of such businesses outside the United States to also have their data stored in Ireland as this is thought to inter-operate in a predictable fashion with privacy laws of other jurisdictions. In particular, Irish data centres store significant information about Australian individuals.
If US warrants are found to be enforceable outside the USA, there could be a move for data storage to be radically decentralised, held by locally incorporated companies in the individual’s country of residence. This would require significant changes in operations.
The recent development is a new stage in a long running controversy. A New York judge, in 2013, issued a warrant to Microsoft Corporation in the United States, for production of certain emails relevant to a narcotics prosecution, and held on Microsoft’s servers in Ireland. Microsoft had declined to produce the emails, on the basis of Irish data protection laws which are binding on it in Ireland. Although the Department of Justice may be able to obtain access through other means (such as under ‘mutual assistance’ treaties with the Republic of Ireland), the Department has continued to pursue disclosure through the Courts, and clarify the scope of the 1986 Stored Communications Act.
In January 2017, the Second Circuit Court of Appeal, in a 4-4 split decision, denied the Department of Justice a reconsideration of the July 2016 Appeal Court decision that Microsoft did not have to comply with the warrant.
Under Australian law, it is usually considered that information held in Australia (and subject to legally binding protections) should not be removed from Australia to respond to a foreign order for production. The English case of X AG v A Bank [1983] 2 All ER 464 supports this view. (In that case, it was found that the London branch of a US incorporated bank could not be compelled to pass data to its head office to respond to a mandatory information request. The data was protected by the banker’s duty of secrecy under English law.)
Although considered significant, a victory by the Department of Justice on appeal would not directly affect the more common situation of information being held by a related body corporate in the foreign country, but might cause that to be tested in future.
This article was written by James Moore, Partner