US-EU Data Privacy Dissonance Continues United States v. Microsoft Corp.

By Stephen Dockery

Photo credit bluecoat.com

Widely divergent views of data privacy continue to be a thorn in the side of American-European relations. And until that gap narrows, there is unlikely to be a calm in the legal challenges that are roiling the international business community. Most lately in the case United States v. Microsoft Corp, seen before the U.S. Supreme Court at the end of February.

The U.S. tech company has resisted turning over access to customer data stored in foreign jurisdictions pursuant to the Stored Communications Act (SCA), on the grounds that the data handover would put the business afoul of Irish government data privacy regulations. Following a favorable ruling in the Second Circuit, the case was argued before the Supreme Court on February 27.

The argument focused on the nature of the statute, the types of foreign contacts involved and whether the government was trying to compel disclosure of information by warrant or subpoena. Issues raised by the justices included how foreign data storage could be used to evade U.S. enforcers and whether the disclosures could be made voluntarily.

Justice Breyer focused on the reasonable interpretation of the SCA and how sovereignty and comity issues with foreign powers could be handled under existing judicial doctrines. His questions point toward a long-running crisis of confidence between Europe and the U.S. which underlie the recent spike of data privacy litigation in American and European Courts.

The spark that ignited the data conflict goes back to 2013 when American data surveillance programs such as PRISM, came to light after leaks from former NSA contractor Edward Snowden. The reports led the Court of Justice of the European Union, the highest court in the EU, to toss out the data transfer framework that had been used to govern information handling by companies doing business between the two continents. Companies had been able to self-certify data privacy standards under the agreement known as Safe Harbor.

After extensive negotiations involving the U.S. Department of Commerce and their European counterparts, the parties put together a new privacy agreement called Privacy Shield, which was announced in 2016.

That agreement has been continually challenged in Europe on claims that the new agreement still does not meet European privacy standards because of the existence of the American spying programs. A recent challenge to the regime was tossed out on standing grounds. A challenge to standard contractual clauses, that have been used by companies to try to meet European data requirements was recently referred to the European High court.

The data storage and data transfer space remain very much in flux, and at the heart of all this litigation is a fundamental difference of opinion on the protections afforded to an individual’s privacy. Europe has a powerful pro-privacy tradition that has been memorialized in such documents as the Charter of Fundamental Rights of the European Union.  American privacy protections have been arguably less formalized and there have been contrary actions such as the Foreign Intelligence Surveillance Act which directly empower data collection.

American intelligence agencies can still scoop up massive amounts of data at home and abroad, which is something that gives country data protection authorities and privacy advocates pause. European concerns range from acceptable remedies for privacy violations to assurances of limits to American foreign data dragnets, issues that trade negotiators cannot address in full.

There is a dissonance of privacy rights and procedure between Europe and America that remains unaddressed since the 2013 revelations came to light. So long as remedies and assurances remain elusive, legal challenges and uncertainty will likely continue to disturb the transcontinental marketplace.

The CLOUD Act, which parties alluded to during the Microsoft case oral argument, is a pending bill that could meaningfully alter some of the issues between the US and EU on data privacy in the enforcement sphere. It would allow American prosecutors easier access to information held abroad and establish a procedure for foreign enforcers to access data held by American firms.

The bill has been hailed by some legal experts as fixing the enforcement problem and panned by the Electronic Frontier Foundation as “a dangerous expansion of police snooping.”

Even if the CLOUD Act passes a larger reconciliation, to put privacy authorities at ease and provide definitive remedies for European individuals harmed by privacy violations, may be needed to calm the data privacy waters.