Why NZ intervened in the US vs Microsoft data access case

New Zealand's official privacy watchdog has taken the unusual step of filing an independent legal brief with the United States Supreme Court. Picture / Getty Images

New Zealand's official privacy watchdog has taken the unusual step of filing an independent legal brief with the United States Supreme Court in a long-running court case that could have wide-ranging ramifications for cloud computing providers and their customers everywhere.

The top legal institution in the US is pondering elements of an investigation in a drug trafficking case that's been going on since 2013, involving an American citizen's email messages.

Whether or not US law enforcement can demand that American companies hand over data under warrants when the information is stored overseas - in this case, on Microsoft's servers in Ireland - is the issue the US Supreme Court will decide on.

That seemingly simple request from US law enforcement raises multiple serious issues as the data stored by American companies overseas is subject to another country's laws, John Edwards, the New Zealand Privacy Commissioner, said.

Edwards' office has filed an amicus curiae legal opinion with the US Supreme Court that doesn't support either the US or Microsoft, in the hope that the Americans will see sense and not attempt to extend their domestic laws to other countries.

Existing law struggles with trans-national internet data flows and the provision of cloud computing services over the internet, Edwards said.

One problem is that the US law that the authorities rely on, the Stored Communications Act (SCA) "is not fit for purpose", as it's old and outdated, having been enacted long before email existed, Edwards added.

Allowing US domestic law to reach outside the country would put both cloud computing providers and their customers in an impossible position: if a US search warrant is executed on an American provider, and the data is seized by law enforcement, it could put both the cloud company and its customers in breach of privacy laws in the countries where the information is physically stored on servers, he said.

There is the matter of standing up for New Zealanders in these cases, Edwards said.

"There could be New Zealanders' data on the servers in Ireland," he said.

"A New Zealand company storing data with overseas providers must do its due diligence and understand where that information is held," Edwards said.

Privacy Commissioner John Edwards's office has filed an amicus curiae legal opinion with the US Supreme Court that doesn't support either the US or Microsoft. Picture / Mark Mitchell

Otherwise, the company could find itself in breach of New Zealand privacy laws if the data it holds is seized by the authorities of other countries, he pointed out.

This is not to say that it's impossible for US and other countries' law enforcement to gain access to data they need for criminal and other investigations.

Edwards' submission sets out the case for why the US can work through existing mutual legal assistance treaties (MLATs) if it wants to get at data stored in other countries.

Such treaties enable law enforcement overseas to contact equivalent agencies in New Zealand and other countries to seek their assistance.

Going through a mutual assistance treaty is a mechanism that respects the laws of both countries involved.

New Zealand can for instance decline to assist and hand over data in cases that involve the death penalty, under the treaties with other countries.

This legal collision between existing, pre-internet law, and today's reality where data moves across national borders with ease could threaten the entire business model of cloud computing.

This legal collision between existing, pre-internet law, and today's reality where data moves across national borders with ease could threaten the entire business model of cloud computing.

Because of this, Microsoft, which is betting the house on becoming a global cloud computing provider (and is gunning for New Zealand government business) simply cannot afford to lose the case.

Doing so would put the company in an untenable position, where it would be in conflict with the privacy laws of the country its customers' data is hosted in, if it obeyed US warrants.

So far, Microsoft is showing no signs of giving up the fight, and has won several legal bouts since 2013.

However, the US government continues to press for access to information overseas based on American domestic laws.

It is not just New Zealand that is worried about the consequences of US law reaching outside the country's border in the internet age.

Three years ago, the Irish government filed similar submissions supporting the position that local laws have to be respected.

The European Union which last year tore up a data access deal with the US, until the new Privacy Shield one was negotiated that better protects people's information from searches, is also voicing its opposition in the matter.

These types of issues are likely to pop up frequently in the future as cloud computing continues to be adopted, Edwards said.

To stop them from clogging up the legal system and to avoid difficult to resolve cases where the laws of different countries are at odds with each other, statutes need to be modernised to reflect the reality of today's internet.