If your customer is in Amsterdam, your data center is in Ireland, you are a US-based company, and you have just been served a search warrant for data by one of these governments, should you comply?
Microsoft recently had to face a similar situation when US federal prosecutors served them with a search warrant that demands access to umails stored on Microsoft’s servers located in Ireland. Microsoft objected to the warrant and took the government to court. The case is still going through the circuit courts and Microsoft has said it will be willing to take it all the way to the Supreme Court.
This is not the first time a conflict like this has arisen and it will not be the last time. This blog looks at the different options Microsoft might take when faced with a warrant for data stored on foreign soil and provides an analysis of each option.
Option #1: Comply with the warrant and surrender the data to US government
Pros: The US Government will be happy and you won’t have to be embroiled in a court battle against the government.
Cons: Your customer will not be happy. You may lose revenues, or worse, suffer damage to your reputation, which could negatively impact your ability to do business in that region in the future. In addition, you may be found liable for violating data protection laws of the country where the data physically resides.
The US government has been known in the past to suppress disclosures of government data requests. In Merrill vs. Holder, an Internet provider sues the US government for putting a long gag order forbidding them talking about a national security letter data request. Twitter is currently suing the government for the right to disclose the number of data requests Twitter receives from the government. This means that not only do you have to surrender customers’ data, it is possible that you can’t even tell them that their data is being examined by a third party (in this case the US government).
One of the fundamental principles of privacy is “transparency”, which means that you have to be transparent with what you are doing with customer data, disclose who gets to see the data, and how long you will store it, etc. If you can’t divulge the fact that a third party has accessed customer data, it is a major violation of privacy and customer trust.
Option #2: Refuse to comply with US government’s request and fight the warrant in court (this is what Microsoft is doing now)
Pros: Your customer will be happy – you are a customer advocate and hero for privacy.
Cons: It will be a long and drawn-out legal battle, and you might lose in the end. The US government’s position has been very clear; foreign data residency does not absolve you from US jurisdiction. As a US-based company, you are expected to comply with US laws irrespective of where your data is.
To fight a search warrant, you need to have a legal ground. Microsoft’s position is that US government does not have the proper legal authority to compel the company to turn over data stored in its Irish data center.
So who has the authority in this case? This is a complex issue that has to do with data sovereignty. Data sovereignty, in the Internet & cloud era, is not always as simple as “where the data is stored”. Instead, a number of factors may impact data sovereignty, including where the data subject is from (in this case Europe), the cloud provider’s nation of origin (US), and the location from which data is accessed and controlled (again, in Microsoft’s case, the US).
Part of the problem is that there aren’t many good precedents for data sovereignty resolution involving multiple countries. Laws that govern the physical world with defined political boundaries do not translate nicely into the borderless Internet and cloud domains. In Microsoft’s case, they could be mired in a long and drawn-out court battle because the laws do not give explicit guidance to how to resolve conflicts like this.
Option #3: Get US and Irish government to come to an agreement, comply with that agreement.
Good luck with that.
Option #4: Step 1: Devalue the critical customer data in your cloud with encryption or masking (and have the customer hold on to the key). Step 2: Surrender all the data the government asks for.
Data masking, encryption are just a few of the techniques that can help you devalue the data. After the data is transformed (devalued) and the customer alone has access to the key, the government will have to subpoena the customer directly to obtain the key in order to get to the data.
Pros: You can comply with government requests and not upset your customers at the same time.
Cons: It’s not always technologically feasible, depending on what kinds of data and what kinds of operations are required in the cloud. In addition, this may work for a business customer but will be difficult to implement with average consumers.
The resolution of the Microsoft case will have far-reaching implications for cloud providers with an international footprint—that is to say, nearly all of the major cloud providers, many of which are based in the US but operate data centers all over the world.
Should Microsoft lose its case and be forced to hand over emails stored in a foreign data center, the US cloud services industry could suffer a major blow, as customers seeking to protect their sensitive data from US government access will no longer be assured that foreign data residency is enough.
For more details, watch our video on data residency laws and owning your data.