News Archives

Tuesday, April 17, 2018

Supreme Court Drops Microsoft-Ireland Case

On April 17, the US Supreme Court dismissed the Microsoft-Ireland case on the grounds that Congressional enactment of the Clarifying Lawful Overseas Use of Data (CLOUD) Act in March rendered the case moot.  Microsoft had objected to complying with a search warrant for data stored in Ireland that was based upon the 1986 Stored Communications Act, contending that the Act did not address judicial accessibility to data stored abroad.  The Cloud Act resolved this matter by providing an explicit legal basis for warrants to obtain data stored on foreign servers.  After the dismissal of the case, which both the Department of Justice and Microsoft supported, the DOJ served Microsoft with a new warrant for the Irish data.  Microsoft indicated that it is reviewing the warrant, although compliance with it is not a foregone conclusion.  During five years of litigation in the case, the company had argued that warrants should only be issued on the basis of relevant bi-lateral agreements with foreign countries; none have been negotiated between the US and Ireland.

Both Privacy Shield and SCCs on the Block in Schrems Facebook Case

On April 12, the Irish High Court set forth eleven questions it intends to put to the Court of Justice of the European Union (CJEU) stemming from the complaint against Facebook lodged by Max Schrems with the Irish Data Protection Commissioner in 2013.  A separate complaint by Schrems, it will be recalled, had led to the CJEU’s invalidation of the European Commission’s Safe Harbor adequacy decision in 2015. While most observers believed that the adequacy of protections provided through standard contractual clauses would be the sole focus of what has come to be known as Schrems II, the High Court’s CJEU referral included bombshell questioning of the validity of the Privacy Shield Framework as well.  A CJEU ruling eliminating both standard contractual clauses and Privacy Shield as viable legal bases for personal data transfers from the EU to the US could severely disrupt data transfers from Europe and the U.S. businesses that depend upon them.  The Irish High Court gave Facebook until April 30 to appeal the intended referral to the CJEU, although this appears to be largely a formality.

Much of the early analysis of the Court’s ruling (for example, here) has focused on the magnitude of its potential impact upon Facebook, which is already under enormous pressure in both the U.S. and Europe because of its Cambridge Analytica data breach.  Serious as Facebook’s problems may be, they pale in comparison with the economic upheaval that might attend a near collapse of transatlantic data flows. Two mitigating factors should be noted however.  In the first place, businesses using consent or binding corporate rules as the legal basis for data transfers are unlikely to be impacted by any invalidation of standard contractual clauses and Privacy Shield. Secondly, as Max Schrems suggests in his excellent summary of the case, the CJEU might rule that only “electronic communication service providers,” would be impacted by such a CJEU ruling, since the surveillance law at the heart of its Safe Harbor case, namely FISA sec.702, only applies to them.  This would of course have enormous impact upon companies such as Facebook, Google, Amazon, Twitter, Microsoft and Apple, but might spare thousands of US companies primarily trading in goods and services.