One judge Francis told Microsoft on the 25th April 2014 to get its Global Criminal Compliance Team together and obey a warrant issued for its American headquarters. That district court judge could not care less if the data the warrant demanded was not physically stored within the jurisdiction of the Court. He did not even consider the Hague convention or the fact that the data is stored in the equipment of another company, a subsidiary, based within the EU. He did not even give EU legislation, or the Safe Harbor principles, a glimpse. He cited US law and bluntly told the corporation that if its US headquarters do not impose it on its limbs overseas, it shall be penalised.
That is one cheeky judge – question is, will Microsoft call his bluff? More importantly, what are the implications for the country where the data is physically stored, namely Ireland?
Jurisdiction
A warrant was issued by the US authorities for the disclosure of, inter alia, context of email accounts and other data regarding an individual. The problem with the warrant is that the said data is stored ‘on the cloud’, ie remotely, at Microsoft’s data centre in Ireland. With regard to international law Ireland forms part not of the American, but of the jurisdiction of the European Union. The EU has its own set of rules when it comes to data transfer, to which the Americans have agreed to comply : the Safe Harbor principles (Annex I to Comm Decision 2000/520/EC OJ 2000 L 215/7).
Art 25(1) of the Data Protection Directive 95/46/EC requires that any third country personal data may be exported to from the EU jurisdiction should afford an adequate level of protection for that data. Art 25 allows for a veto of the transfer initiated by any EU member state should there be doubts regarding that protection, which veto can be carried out by the Commission using the process in Art 31.
In Microsoft’s case the requested data will be used to expose and prosecute a person, without the EU’s involvement or consent. Art 26 allows for derogation when the transfer is legally required, but there needs to be some assessment, an element of cooperation between the jurisdictions; not a mere usurpation.
In my opinion the judge acted ultra vires for his powers do not go as far as to override international law. His judgement can set a very bad precedent both for the EU, as well as Irish credibility in the ICT sector – which I will discuss below.
Separate Legal Personality
Microsoft has registered three external (Dutch) companies in Ireland whose address points to its data centre: Microsoft International, Microsoft Holdings and Microsoft Manufacturing. There is also a number of other companies, most notably Microsoft Ireland Operations Ltd, an Irish company, based in the city centre. These companies are all subsidiaries to Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA.
The concept of the separate legal personality of a company is well established in both common (Salomon v Salomon) as well as US law (Louisville C&C v Letson): an incorporated entity is an artificial person distinct to other persons related to it – natural or legal (ie other companies). In the case though that a company is under the total control of another, usually a parent company, it can be said that they form a single economic entity. This principle is also very well established in EU law (see eg Viho v Commission).
I fail to find the part of the judgment in which Judge Francis even considered the fact that the warrant was not issued for any of these companies – and how could it, since they are out of the jurisdiction. The warrant was issued for Microsoft Corporation in WA. I also fail to find the part where he assessed the relationship between the companies in order to reach the conclusion that they form a single entity and therefore the American parent company could interfere to that extent with the functions of the subsidiary. Instead, he threatened the parent in order to oblige it to interfere with its subsidiaries. I see that as highly unethical and, once more, ultra vires.
Ireland’s Position
Ireland’s finances are largely dependent on its ICT sector. The country’s development programme is based on the investment and preference of domicile of foreign ICTs. You can download a short summary of the Irish legal framework and policy here. We are supposedly the ever-growing technology hub of Europe and Microsoft has been our regular since the 80s – as such Ireland has a responsibility to the rest of the EU to uphold its laws, and data protection in particular.
One would assume that the Data Protection Commissioner, the authority responsible for the enforcement of data protection law in Ireland, has a heavy weight to pull – I will comment on the DPC’s remote location, funding and independence some other time. For now all I have to say is that if the Data Protection Commissioner does not contest Francis J’s judgment, if he does not alert the Irish government of the dangers behind allowing the US government to cease data however it feels like from servers within this jurisdiction, then he is in no position to protect the EU data subjects that he is, ultimately, in charge of protecting. There is no guarantee that the emails in question do not involve personal, even highly sensitive, information of EU citizens, all of which is about to be disclosed to the US authorities without any opposition.
Other than vetoing the warrant using the aforementioned mechanism, the Commissioner should remind the Irish-based Microsoft companies of their data protection obligations under EU and Irish law. In case of a breach legal action should be taken and the company, or group of companies, should be informed of such potential action. The ECJ should also have a saying, maybe by way of preliminary reference. Furthermore, the Irish Government cannot sit and play duck, they need to make a statement about how this country will uphold data privacy and follow due process.
If we are incompetent of securing the data we fought so hard to host, then we should not be hosting it.
This is by no means a small matter, not for the EU but most importantly not for Ireland; our reputation is at stake – and if we start losing our investors, so is our economy.
Cibus {per} Mentis 