A long-running legal battle between the U.S. government and Microsoft has been dismissed by the Supreme Court (PDF) after the crux of the conflict was mooted by recent legislation. The company will now be forced to provide data stored on servers in Ireland that it had previously said should be obtained through that country’s authorities.
The case dates to 2013 and has become a sort of landmark on the frontier between global politics and tech. American law enforcement sought data on a user of Microsoft services in relation to a drug trafficking case; Microsoft said that the data in question was located exclusively in a datacenter in Ireland, and as such they must work out access with Irish authorities.
The U.S., of course, took issue with that since Microsoft is an American company, and the argument has gone back and forth for years. So far Microsoft has maintained a slight edge, to the delight of privacy advocates everywhere, who dislike the idea that global tech services should be so vulnerable to a single country’s whims.
It was on its way to a judgment by the Supreme Court, but legislators decided to intervene. The CLOUD Act, tacked onto thousands of pages of mixed bills and budgets pushed forward in a “too big to veto” omnibus spending package, changes the law so Microsoft’s arguments essentially cease to exist.
Under the CLOUD Act, companies must provide information properly requested by law enforcement “regardless of whether such communication, record, or other information is located within or outside of the United States.”
Microsoft itself supported this bill, along with other tech companies like Google and Apple, so this outcome won’t be a surprise. And although the CLOUD Act has its shortcomings, privacy and human rights advocates have offered cautious praise for the way it streamlines the global data exchanges that are so common now in cross-border investigations of major crimes.
The company issued the following statement on the decision:
We welcome the Supreme Court’s ruling ending our case in light of the CLOUD Act being signed into to law. Our goal has always been a new law and international agreements with strong privacy protections that govern how law enforcement gathers digital evidence across borders. As the governments of the UK and Australia have recognized, the CLOUD Act encourages these types of agreements, and we urge the US government to move quickly to negotiate them.
It would be premature and simplistic to say that this is a good or bad thing in the world of privacy — it depends a lot on who you trust and the shifting sands of courts and regulations. Its effects will likely be mixed and will provoke new legal battles while settling others, like this one. Lawmakers, tech companies, and advocacy organizations will all be watching closely.