How Europe may redefine America's electronic spying
For both law enforcement agencies and technology companies, the way that users' data is shared remains a thorny subject, but for vastly different reasons.
The Justice Department is hoping it will prevail over Microsoft in an effort to get the tech giant to turn over e-mails concerning drug smuggling.聽But as the case 鈥 which involves a Hotmail e-mail account stored on a server in Ireland 鈥 goes before a federal appeals court on Wednesday, the US government is also involved in a quieter effort to redefine how data is shared between law enforcement in the US and Europe.
The data sharing 鈥渦mbrella agreement,鈥 which was finalized on Tuesday, is intended to provide guidelines on how personal data is used in criminal investigations, including terrorism cases.
Most notably, the European Commission says, the agreement will provide protections against the misuse of European citizens鈥 data by US agencies, including allowing them to sue in US courts. American citizens are currently allowed to sue EU agencies that misuse the data, but the US a similar provision.
鈥淭he United States must guarantee that all EU citizens have the right to enforce data protection rights in US courts, whether or not they reside on US soil,鈥 says Jean-Claude Juncker, the commission鈥檚 president, in about the agreement. 鈥淩emoving such discrimination will be essential for restoring trust in transatlantic relations.鈥
The new agreement, which has been in the works since 2009, comes amid a firestorm of debate over US government surveillance, which has extended to spying on top European officials, including French President Francois Hollande, two previous French presidents, and German Chancellor Angela Merkel, the Monitor reported in June.
It must also be approved by Congress, which introduced legislation to adopt the provision 鈥 known as the Judicial Redress Bill 鈥 in March, with a companion bill in June. With debate on that measure still forthcoming, the fate of Microsoft may provide a key first look at how international privacy law evolves in the digital age.
In that case, now unfolding before the Second Circuit Court of Appeals in New York, the Justice Department attempted to force the tech giant to turn over private e-mails directly, without working with law enforcement agencies in Ireland. Microsoft says the Justice Department鈥檚 search warrant does not authorize a search of data stored outside the US.
Legal experts say a ruling in the government鈥檚 favor could force tech companies to revamp their policies on what information is disclosed to law enforcement agencies.聽The case also comes on the heels of a dispute聽between the Justice Department and Apple involving the release of text messages the company says should remain encrypted.
"From a legal and regulatory perspective, it鈥檚 an interesting time in privacy," says Craig Newman, a partner at Patterson Belknap Webb & Tyler, who often focuses on cybersecurity cases and attended Wednesday's hearing.聽
Mr. Newman says it's still unclear how the court may rule. On one hand, the government of Ireland has filed a legal brief noting that there is an existing agreement, known as a聽mutual assistance in law enforcement treaty 鈥 a legal mechanism that facilitates cooperation between police in different countries 鈥 between the US and Ireland.
But in May, US federal judge Gerard Lynch, who is part of the panel overseeing the Microsoft case, ruled that bulk collections of phone records by the National Security Agency forcing Congress to revamp the legislation, known as the Patriot Act, which had made that data collection possible. What is clear, however, is that the ruling will likely have international implications on privacy.
鈥淧rivate citizens of democratic governments should be able to influence those laws,鈥 Jim Kinsella, a former Microsoft executive who now runs a secure cloud storage company in Europe called Zettabox, told . 鈥淎 European citizen has no influence when he uses a Google account that goes through sets of servers the US says they get to reach into.鈥
The case has led to an outpouring of support for Microsoft, with an unlikely group of allies from tech companies 鈥 including Google, Apple, Amazon, and AOL 鈥 major news organizations and civil liberties group filing briefs on Microsoft鈥檚 behalf, according to court records.
By contrast, perhaps because it has yet to be publicly debated in Congress, the European agreement has drawn much less public notice, though both measures could have wide-ranging impacts on how government agencies collect data.
In an attempt to fix what privacy advocates see as an聽overreach into citizens' personal lives by law enforcement,聽The European Commission's agreement also allows European citizens to correct mistaken information used by law enforcement agencies in both regions.
For example, if a person鈥檚 name is the same as a suspect in an international criminal investigation and appears mistakenly on a so-called 鈥渂lack list鈥 in the US, they can petition to have their name removed. Without this provision, the commission says, some people could be prevented from flying or be denied a visa.
Mr. Newman, the cybersecurity lawyer, says some companies, such as Yahoo, have begun separating their international arms from their domestic businesses in an effort to preempt concerns about data protection. If a case involved e-mails from a Yahoo account registered in France instead, he says, US-based Yahoo would likely not be required to turn it over the messages.聽
"The question is whether today鈥檚 argument in the Second Circuit is a way station of sorts on the way to the Supreme Court, or to Congress to fix the law," he says.
