European Union lawmakers and legal scholars have waded into the fight at the U.S. Supreme Court between Microsoft and the Justice Department, arguing that forcing the tech giant to turn over emails stored in Ireland would violate the General Data Protection Regulation (GDPR).
In one of many amicus briefs filed Thursday on behalf of Microsoft, attorneys at White & Case wrote for European Parliament members, including Jan Philipp Albrecht, and former EU Justice Commissioner Viviane Reding. They argue that the U.S. government must work through bilateral treaties in order to lawfully obtain the data.
Albrecht helped shepherd the GDPR in the European Parliament to its ultimate adoption in 2016, and has been outspoken on digital privacy issues. He is the vice chairman of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs, and also sits on the legislature’s Special Committee on Terrorism.
“The successful execution of the U.S. warrant would extend the scope of U.S. jurisdiction to a sizeable majority of the data held in the world’s datacenters (most of which are controlled by U.S. corporations) and would thus undermine the protections of the EU data protection regime, specifically intended and designed to cover data stored in an EU Member State,” the members of parliament argue.
New York-based White & Case partner Owen Pell is counsel of record for the 10 EU lawmakers signing onto the brief, who also include Sophie in ‘t Veld of the Netherlands, and Birgit Sippel and Axel Voss of Germany.
Their arguments were echoed in a separate submission by 21 EU data protection and privacy scholars from institutions across Europe — such as the University of Luxembourg and Technical University of Munich — filed by attorneys at Holwell Shuster & Goldberg. The scholars also stressed that the U.S. must make use of Mutual Legal Assistant Treaties (MLATs), and not try to circumvent them using a domestic warrant.
“The United States has entered into MLATs with the European Union and Ireland that would authorize Irish authorities to transfer personal data from Microsoft’s servers in Ireland to the United States,” they write. “The GDPR provides no other basis for Microsoft to comply with the SCA warrant.”
The SCA, or Stored Communications Act, is the U.S. statute at the heart of the case now before the Supreme Court. The Justice Department is seeking to overturn a landmark 2016 ruling in favor of Microsoft and other tech companies by the U.S. Court of Appeals for the Second Circuit limiting the geographic reach of the SCA to data stored in the U.S.
The U.S. government argues that a U.S. company turning over data stored on a foreign server is not an “extraterritorial” application of the SCA. Holwell Shuster partner Daniel Sullivan, counsel to the EU scholars, said in an interview that the risk of conflict with EU law indicates otherwise.
Albrecht similarly argued in an amicus brief in 2014 to the Second Circuit that EU law does not allow for the transfer of personal data to the authorities of third countries outside of a legal framework like the MLAT. He based those arguments on the GDPR’s predecessor, the 1995 Data Protection Directive, and other EU laws, including the Charter on Fundamental Rights.
Since then, the GDPR has been enacted (it comes into full force in May), bringing with it steep new monetary penalties for violations. A ruling by the European Union’s highest court in the first case brought by Austrian privacy advocate Max Schrems in 2015 also emphasized that EU law continues to see the U.S. legal regime as not upholding fundamental EU data privacy rights.
The nationality, citizenship status, or location of the Microsoft email account’s owner has never been publicly disclosed in the litigation. But on Twitter Friday, Albrecht and his policy adviser Ralf Bendrath emphasized that what matters under EU law is where the data is located.
Plus: The GDPR follows the market location principle, which means that every data subject in connection to activities on the EU market is protected by EU law – no matter which citizenship (or maybe even location) that person has and where the controller/processer is located.
— Jan Philipp Albrecht (@JanAlbrecht) January 19, 2018
“[E]very data subject in connection to activities on the EU market is protected by EU law — no matter which citizenship (or maybe even location) that person has and where the controller/processer is located,” Albrecht wrote.
The European Commission, the EU’s executive arm, and the government of Ireland weighed in on the Microsoft case in December in support of neither party. However, both emphasized the importance of the MLAT treaties.