At long last, the case pitting the US Department of Justice against Microsoft has been deemed obsolete, following the introduction of the Clarifying Lawful Overseas Use of Data (CLOUD) Act in the US. Both parties have filed motions for it to be dismissed, according to ZDNet.
The issue dates back to 2013, when the DoJ requested that potentially incriminating emails stored in the company’s Irish data centers be handed over in the midst of an inquiry. The company refused, and the case was escalated to the Supreme Court. Microsoft has since been a strong advocate of legislation fit for the cloud era.
It all happened so fast
The company argued that clearly defined rules would offer a necessary update to the Electronic Communications Privacy Act of 1986, written before the creation of the World Wide Web.
The CLOUD Act was revealed in February and passed through Congress as part of the Senate’s Omnibus Spending Bill in late March. It put into law the ability for US authorities to request domestic courts’ permission to gain access to data stored abroad, placing the burden of the decision on a US court judge.
The text also laid out the framework for bilateral agreements with selected nations, which would allow them to access their own citizens’ data stored in the US.
Microsoft was an enthusiastic supporter of the act: together with Apple, Google and Oath, the company sent a joint letter to congratulate the senators who thought up the proposal days after it was submitted.
In a blog post, Microsoft’s president and chief legal officer, Brad Smith, called the text “an important milestone in the journey to modernize the law, enable enforcement officials to do their jobs and protect people’s privacy rights across borders,” but added that “there remains important and urgent work ahead of us.”
Smith spoke of the change brought about by the introduction of cloud computing. Before, the search warrant process concerned only the person or company whose information was required - with cloud becoming mainstream, US authorities were foirced to deal with the cloud service providers instead.
“This changed the privacy equation between citizens and the state. No longer would an individual or company necessarily know when the government was searching its information. And without that knowledge, individuals and companies lacked the ability to protect their rights.”
Smith stated that over the years, Microsoft has fought to strike a balance between the need for law enforcement “to access information quickly” and the need for protection of individuals’ and companies’ privacy.
Thanks to these efforts, he said, it became a constitutional right for cloud companies to publish the number and type of law enforcement and national security requests they receive; the DoJ also updated its guidelines on the seizure of information belonging to a legitimate business, stipulating that any such information must be requested directly from that company rather than the cloud service provider.
But the Irish email case, Smith insisted, was by far the most complex, because it not only created the need to pass new domestic laws, but the nature of the problem also meant that international treaties would have to be agreed, too.
Smith called the act “an important stepping stone and not the end of the journey,” stating that “the cloud has made the role of tech companies on privacy issues a practical necessity. The CLOUD Act preserves and expands this role with legal certainty. It creates a responsibility for tech companies both to help protect public safety and preserve personal privacy.”