by Nick Rich, Lead Solutions Advisor, Epiq Systems
The story so far…
On December 4th 2013, the Hon James C. Francis IV, Magistrate Judge in the State District of New York, signed a search warrant for the seizure of emails and other records in a particular MSN email account.
This email account was stored on servers located in a data centre in Dublin, Ireland. The data centre was owned and operated by a local Microsoft subsidiary, which Microsoft’s general counsel argued, in an article in the Wall Street Journal, put it out of reach of a U.S. search warrant.
On April 25th 2014, the Magistrate published an opinion denying Microsoft’s motion to quash the warrant. Then on July 31st 2014, Chief U.S. District Judge Loretta Preska ruled against Microsoft’s appeal, finding that the location of the email data was not relevant as Microsoft “controlled it” from the U.S. She did, however, stay execution of the order pending Microsoft’s appeal to the Second Circuit. In her view, emails stored by Microsoft customers or users on Microsoft servers constitute Microsoft business records. On August 29th, Judge Preska lifted the stay of execution of the July 31st order. Microsoft has said it will not comply with the order and will continue its appeal to the 2nd U.S. Circuit Court of Appeals, maintaining the view set out in a statement issued by Brad Smith immediately after the July 31st ruling. The case is therefore ongoing as of the publication date.
What are the implications for companies storing their data on the Microsoft Cloud?
If this ruling stands up to the appeals procedure, the U.S. government will have successfully asserted its right to obtain, by subpoena or warrant, information created and stored outside the United States, where such information is stored on servers belonging to U.S. corporations. It follows that European corporations whose data is stored on Microsoft’s cloud within European data centres could see that data become subject to investigation by U.S. authorities without recourse to existing agreements between the U.S. government and European sovereign governments.
This potential breach of data privacy/protection in the EU has huge implications:
• European companies with data on servers operated or owned by Microsoft could be compelled to instigate potentially costly data migrations
• Data left on such Microsoft servers based in Europe could be transferred to the U.S. and used in U.S.-based investigations, which could impose substantial legal costs on corporations as they are required to respond – and they could also incur fines for breach of EU laws
• Fines arising from such investigations could cause significant financial and reputational damage to corporations
Implications for companies using other cloud providers.
Of course, the implications of this case extend beyond Microsoft to other cloud providers. If your company holds data on servers operated or owned by U.S.-based entities, there are pressing issues to consider.
Understand your data and know where and how it is stored. Your data should arguably already be incorporated into a litigation/investigation readiness programme. To the extent that it isn’t, consider the following questions:
• Is there a full report (data map) of what data is stored in Europe on servers belonging to U.S.-based cloud providers?
• Is there a process defined and implemented to keep the data map up to date?
• Do the contracts in place with U.S.-based cloud providers stipulate that the data must not move to the U.S. in the ordinary course of events? Have you been advised that this is enough to avoid U.S. judicial enforcement?
• Is this data subject to the retention and disposition policies that have been agreed to within your organisation? Is there a process in place for deleting redundant data?
• Is there a plan in place for migrating the data rapidly should this become necessary?
If, at a minimum, these questions cannot all be answered affirmatively, a corporation could be at risk of seeing its data seized by U.S. authorities in the context of an investigation.
While Microsoft’s appeals process may take months, be aware that its conclusion may have far-reaching consequences for European entities with data stored by U.S. cloud providers. Regardless of the case outcome, savvy legal practitioners should consider creating an action plan to meet these requirements, as the benefits of such a plan far outweigh the risks of not having one.