The future of Cloud Computing before U.S. Supreme Court

A lawsuit currently pending before the US Supreme Court has global implications and leads to concerns among data protectors, companies and associations all over the world. The lawsuit USA v. Microsoft (Case No. 17-2) concerns the extraterritorial effect of a US search warrant.

The US Supreme Court is currently considering whether Microsoft is required by the Stored Communications Act (SCA) to disclose contents from its email customers’ accounts, even if the provider is located outside of US territory.

The background to this delicate legal dispute is a criminal case from the New York drug milieu. As part of their investigation, American investigators needed insight into a suspect’s email data in 2013. The New York district country judge issued a warrant asking Microsoft to produce all emails and information associated with an account they hosted. The company refused to turn over the data stored on a server in Dublin, Ireland arguing that a US judge has no authority to issue a warrant for information stored abroad. Microsoft appealed to the United States Court of Appeals for the Second Circuit, who found in favor of Microsoft deciding the SCA had no extraterritorial effect.

The importance of the litigation before the US Supreme Court is demonstrated by the long list of Amicus Curiae letters received by the court. These are an instrument of the American Common Law, as an uninvolved party to present an opinion to the proceedings. Among them are the Bundesverband der Deutschen Industrie e.V. (BDI), Deutscher Industrie und Handelskammertag e.V. (DIHK), the French trade association Medef, BITKOM, the Gesellschaft für Freiheitsrechte e.V. and the EU Commission.

In their statements to the Supreme Court, the business associations point out the outstanding importance of data protection which is a fundamental right incorporated in the German and European Constitutions. The protection of personal data is covered by Art. 7 and Art. 8 of the Charter of Fundamental Rights of the EU. The recently adopted omnibus E.U. data law, the General Data Protection Regulation (Datenschutzgrundverordnung) reflects the European Union’s determination that effective protection of this fundamental right requires a uniform standard for data protection, within the European Union and within the countries processing E.U. data. Therefore, the GDPR regulates the transfer of European data regardless of it’s location. In addition, the report points out the severe problems for legal practice if the Supreme Court should decide in favor of the American Department of Justice. The legal framework for data transfer to the USA is the EU-US Privacy Shield. Such bilateral treaties and achievements of international cooperation in the fight against crime would be undermined.

The Gesellschaft für Freiheitsrechte, a Berlin-based NGO, sees the global right of access by US authorities as a threat to European data protection standards. In their written statement before the Supreme Court, they also emphasized the outstanding importance of data protection in the European Union.

In their Amicus letter, DIHK and the BDI also emphasized that such a data breach by US authorities would create a dilemma for European companies doing business in the USA. If they were to become addressees of a search warrant issued by the American authorities, they would have to decide whether to comply with it and thus violate European law. This would pose unprecedented challenges to global business relationships and would throw a wrench into the countless routine business arrangements.

Microsoft offers a solution with its cloud services Azure and Office 365, while the cooperation with T-Systems, a subsidiary of Deutsche Telekom, enables the US company to offer its cloud services directly from Germany. The customer data is stored exclusively in German data centers in Frankfurt am Main and Magdeburg. As a data trustee, T-Systems monitors and controls access to the data, while Microsoft employees do not have administrative top-level rights.

In our highly digitalized world, which is advancing at a breathtaking pace, our personal data represents our personality in the digital world and enjoys fundamental rights protection. In Germany the privacy of personal data is understood as a crucial part of a person’s dignity and has been confirmed and strengthened by German legislation and jurisdiction.

One could now argue that the US legal system is also committed to the rule of law, and a US court had already found probable cause to issue the warrant. The adequacy of the US due process standard is not questioned, neither is the libertarian tradition of the United States and their strong bond to the Fourth Amendment of the US Constitution. But guaranteeing the US Justice Department unfettered access to extraterritorial data will encourage other nations to make similar demands – States, in which the rule of law must be doubted. This would create a serious threat to our personal data. The consequence would be fleeing into data protectionism and in the worst-case scenario it could be the end of the free internet as we know it, the World Wide Web could fall apart. That would have a huge impact on global business relations all over the world. Digitalization also creates unprecedented challenges for the judiciary. The Supreme Court applies legislation, which was written before the creation of several modern Internet technologies facilitating global communications. A decision of the Supreme Court in the case No 17-2 is expected to be made in mid-2018 and is eagerly awaited all over the world.


Supreme Court Verfahren 17-2:

United States Court of Appeals for the second circuit; 14″2985, Microsoft v. United States:

Brief amicus curiae of Gesellschaft fur Freiheitsrechte e.V.:

Brief amici curiae of Bundesverband der Deutschen Industrie e.V., Deutscher Industrie- und Handelskammertag e.V., Ibec clg, Konfederacja Lewiatan, and Mouvement des Enterprises de France: