Background: What has happened?
In 2013 the US Justice Department has requested emails from Microsoft under the 1986 Stored Communications Act that are being stored on a server in Ireland. Microsoft has refused to comply with the order arguing that such a warrant could not compel American companies to produce data stored on servers outside the United States.
US ruling could infringe other countries' data protection laws
This summer the US Supreme Court will decide the case, which is already causing international turmoil. Most countries argue that a decision by the Supreme Court in favour of the US Justice Department would undermine their own data protection laws. Particularly the European Union regards such a decision as highly problematic: It is impossible for any company to respect the GDPR data protection regulation, which will come into force on May 25th 2018, and at the same time comply with US warrants to hand over data.
That's why the European Commision, the United Nations, and the government of Ireland have now sent so called amicus letters to the Supreme Court. In these letters, they caution the Court not to allow US prosecutors access to data stored outside the USA. They argue that there are international agreements to exchange data of suspected criminals that should not be undermined. Ireland even says that the proceedings of the US Justice Department undermine the country's sovereignty.
Only the United Kingdom, who has also sent an amicus letter, supports the argumentation of the US Justice Department saying that data stored on servers of a company that is having operations in the US could be seized by US authorities, no matter where the data is actually stored.
Severe threat to privacy rights
This case gravely threatens the privacy rights of every citizen: If a state authority can request data from a cloud company solely because this company is having operations in said state, serious questions arise:
- What legislation would apply to protect same data?
- Could all countries the company has operations in request the data?
The problem is this: If U.S. law enforcement can obtain the emails of foreigners stored outside the United States, what’s to stop the government of another country from getting your emails even though they are located in your home country? Any country - even oppressive systems such as Russia and China - could force companies with an active operation in their country to turn over data to the authorities.
Cloud data would not be safe anywhere
This would jeopardize the Internet as we know it. Most major cloud services, Amazon, Google, Microsoft, have operations in lots of countries worldwide. If countries start requesting data from these companies based on their own law instead of based on the laws of the country where the data is stored, any data stored in the cloud become easily accessible to multiple nations.
The right to privacy would become null and void. The sad truth: This development is not going to change any time soon. As prosecutors argue that they need direct access to cloud data for national security reasons and to defend terrorism, the likelihood that they will succeed rises.
The future cloud service must be encrypted
As long as we store our personal data unencrypted in the cloud, authorities - but also malicious attackers - will always try to get their hands on our data. The only way that we can effectively fend off intrusions into our privacy is encryption.
The cloud service of the future must be automatically end-to-end encrypted, leaving the company zero access to our private data. Only then can we be sure that our private data stays private.