Out-Law / Your Daily Need-To-Know

Reding: US authorities wrong to ask Microsoft directly to hand over customer data stored in the EU

02 Jul 2014, 9:49 am

A senior EU official has criticised US authorities for demanding access to data stored in Ireland by Microsoft about its customer without following agreed protocols designed to ensure privacy rights are protected.

Viviane Reding, former EU Justice Commissioner and now MEP following May's European Parliament elections, said the effect of an order by a US district court judge that backed the approach of the US authorities "is that it bypasses existing formal procedures that are agreed between the EU and the US, such as the Mutual Legal Assistance Agreement, that manage foreign government requests for access to information and ensure certain safeguards in terms of data protection".

In April New York district court judge James Francis rejected claims by Microsoft that a warrant issued to it by US law enforcement to search data the company held was unauthorised because the data was stored on servers in Ireland. Microsoft had claimed the warrant could not be used to search through electronic data stored by US companies on foreign-based servers. However, the judge rejected the company's arguments about territorial limits of the warrant powers.

Microsoft has lodged an appeal against that decision and has received support for its position from Apple and Cisco. Reding expressed the European Commission's own concerns about the US district court's ruling in a letter to Dutch MEP Sophie in't Veld (2-page / 74KB PDF).

"The Commission's concern is that the extraterritorial application of foreign laws (and orders to companies based thereon) may be in breach of international law and may impede the attainment of the protection of individuals guaranteed in the [European] Union," Reding said. "In addition, companies bound by EU data protection law who receive such a court order are caught in the middle of such situations where there is ... a conflict of laws."

Reding said the Commission has previously communicated its concerns on the issue to the US government and said that foreign governments should not approach companies directly for access to personal data held in the EU.

"The Commission remains of the view that where governments need to request personal data held by private companies and located in the EU, requests should not be directly addressed to the companies but should proceed via agreed formal channels of co-operation between public authorities, such as the mutual legal assistance agreements or sectorial EU-US agreements authorising such transfers," Reding said. " In the context of the negotiations on the umbrella agreement on data protection in the area of law enforcement and judicial cooperation, the Commission has asked the US to undertake commitments in that regard, in order to avoid these potential conflicts of laws."