President Trump meets with Apple CEO Tim Cook, Microsoft CEO Satya Nadella, and Amazon CEO Jeff Bezos in the State Dining Room of the White House June 19, 2017 in Washington, DC. (Chip Somodevilla/Getty Images)
A slew of interesting amicus briefs were filed in the Microsoft Ireland case last week. They include independent briefs (meaning not for either party) by the United Kingdom, Ireland, European Commission (EC) and more. Not surprisingly, 36 state governments also filed in support of the United States, reminding the court of the many difficulties faced in accessing sought-after evidence that have resulted from the Second Circuit ruling, and urging reversal as a result.
Of the many issues raised, one of the most interesting – and still unresolved – is the question as to whether and in what situations a decision in favor of the U.S. government will generate a conflict of laws. The issue is at the heart of the Irish government and EC briefs. It is also raised in the brief of the New Zealand Privacy Commissioner. But despite the extensive amount of ink spent on the matter, the answers remain murky – as is the reality. The actual answer: It depends.
Given that reality, the e-Discovery Institute’s brief is particularly notable – and one that I hope that Court takes into account. Written on behalf of 40 e-discovery practitioners and professors, it offers a thoughtful proposal to the Court as to how to deal with the potential conflict of law problems that would result from a U.S. government win – meaning a decision that the SCA reaches data held extra-territorially. Specifically, it urges the Court to couple such a ruling with an explicit requirement that courts engage in a robust comity analysis if and when a conflict of law emerges, and even suggests the procedural mechanism by which such comity concerns get raises. It thus urges Court to take up an approach akin to that I have argued for Congress to adopt – and it is an approach that I strongly endorse.
I explain both the underlying issues and proposed solution in more detail in what follows.
Conflict of Laws Issue
One of the key questions raised by the Microsoft Ireland is whether, and to what extent, a win for the United States will put U.S. companies in the middle of competing legal obligations – with the United States compelling production of data that other nations prohibit companies from disclosing. Microsoft has pointed to a handful of statements by European officials to suggest a risk of conflict, but it has never claimed an actual conflict in the particular dispute before the Supreme Court.
Of particular importance going forward is whether, and to what extent, a warrant authority that reaches extraterritorially-located data (as the US government seeks) will conflict with the EU’s soon to be implemented General Data Protection Regulation (GDPR). Among other things, the GDPR imposes a number of restrictions on the transfer of personal data from an EU-member state to a non-EU member state. If, as some scholars have claimed, the kind of disclosures sought by the U.S. government would violate the GDPR, that would be a big deal—exposing companies to significant fines and potentially even civil or criminal prosecution under national laws simply for complying with a U.S. warrant.
Enter the European Commission (EC) brief. Written in order to “ensur[e] that the Court proceeds based on an accurate understanding of EU law,” the EC reminds the Court that, yes, the transfer of data from the EU to the US constitutes the processing of data and is thus subject to the GDPR. The GDPR sets a number of limits on when such transfers can take place.
Specifically, Article 48 deals with the kinds of situations presented when an entity such as Microsoft (or Google or Facebook, or any of the other major multi-national companies that are likely to be effected by the Court’s ruling) transfers data to the United States in response to a law enforcement request. In the words of Article 48:
Any judgment of a court . . . requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.
While some have claimed that this makes MLAT (or another equivalent international agreement) the only basis for such transfers, the EC says that this language makes mutual legal assistance treaties (MLATs) the “preferred option for transfers” (emphasis added). This is also the view of the Irish government, which states in its brief that the MLAT procedures “represent the most appropriate means to address requests such as those which are the object of the warrant in question” (emphasis added).
It also is the the view of EU’s Article 29 Working Party (WP29), which is made up of a representative of data protection authorities from each EU member states. Given that the data protection authorities will be on the front lines of enforcing the GDPR, the views of the WP29 are particularly relevant. The WP29 states that MLATS “must – as a general rule – be obeyed when law enforcement authorities in third countries request access or disclosure from EU data controllers” (emphasis added). The WP29 statement goes on to emphasize, however, its preference for MLATs – warning that the “circumvention of existing MLATs or other applicable legal basis under EU law by a third country’s law enforcement authority is therefore an interference with the territorial sovereignty of an EU member state.”
While all of these statements express a preference, in some case a strong one, for reliance on MLATs or other equivalent international agreements, none of these statements claim that MLATs are the only permissible basis for accessing EU-held data. Nor could they, based on a plain reading of the GDPR. After all, the final clause of Article 48 explicitly recognizes the possibility of “other grounds for transfer.”
The EC brief analyzes these other possible grounds for transfer and determines that two are potentially relevant here:
First, transfer is permitted if “necessary for important reasons of public interest.” (Art. 49(1)(d)). The EC brief then describes “interest in the fight against serious crime—and thus criminal law enforcement and international cooperation in that respect” as the kind of recognized public interest that counts.
Second, transfer is permitted when “necessary for the purposes of compelling legitimate interests pursued by the controller.” As the EC brief acknowledges, controllers (e.g., Microsoft, Google, Facebook) arguably have a “legitimate interest” in avoiding civil or criminal sanction for failing to abide by U.S. legal requirements. Transfers pursuant to this provision, however, is subject to a number of additional conditions, including that it relate to only a limited number of data subjects, is not repetitive, is independently assessed by the transferring entity, is subject to suitable safeguards, and is accompanied notice to the the appropriate “supervisory authority,” generally the relevant Data Protection Authority.
Somewhat obliquely, the EC concludes reminding the Court that “Article 49 is entitled ‘Derogations for specific situations.’ Therefore, these grounds are to be interpreted strictly.” But it does not elaborate further.
In other words, there are exceptions to the required use of an MLAT or other international agreement. But there are no blanket exceptions simply because a U.S. court has demanded disclosure. Rather, the EC seems to suggest that transfers outside of the MLAT system are permissible, but they are reserved for certain situations, perhaps certain categories of cases, or perhaps only on an individualized assessment of the relevant interests at stake.
The E-Discovery Institute’s Solution: Required Comity Analysis
With that background, the E-Discovery Institute’s brief becomes particularly salient. Drawing on years of experience dealing with conflict of law issues in the context of civil discovery orders, the brief proposes the following: first, if the Court rules in favor of the government, it should explicitly recognize the risk of conflict with foreign laws; second, the Court should require that lower courts do a comity analysis in such situations, balancing the relevant equities to determine which law should govern; third, the Court should provide specific guidance on how lower courts ought to conduct the comity analysis; and fourth, to the extent lower courts compel production despite a conflicting foreign law, the courts should be required to mitigate the conflict as much as possible.
Much of the brief draws on litigation experience in the aftermath of the Supreme Court’s 1987 decision in Aerospatiale. With obvious analogies to the issue facing the Court in Microsoft Ireland, the Aerospatiale case involved a discovery dispute involving documents and other information located in France. It required the Court to decide whether U.S. discovery rules or the discovery rules embodied in the Hague Convention applied.
The Court refused an all or nothing ruling, instead concluding that the answer depended on the fact. It directed the lower court to engage in comity analysis – taking into account the particular facts of the case, the relevant sovereign interests, and the likelihood that use of international discovery rules would be effective – in order to determine what law to apply.
As the e-Discovery Brief notes, this is precisely the kind-of case-by-case analysis that should occur if and when the U.S. exercise of its warrant authority reaches a conflict of laws. As the e-Discovery brief also notes, however, lower courts have faced difficulties in weighing the relevant factors, and instead tended to almost exclusively examine the issues through the lens of U.S. interests.
The brief therefore urges the Supreme Court to go a step further than it did in Aerospatiale, specifying how the comity analysis would take place. Specifically, the brief asks the Court to put the burden on the warrant recipient (Microsoft in the present case) to raise a concern based on conflict; this in turn would put the burden on the government to establish that production is necessary and overrides the foreign interest at issue. The brief also urges the Court to provide additional guidance as to how to assess the relevant interests at stake. It suggests an important distinction between foreign laws that are merely designed to thwart U.S. discovery (which should be given little to no respect) and those which create a substantive right and thus demonstrate a foreign interest that ought to be respected. To this, I would add a distinction between foreign states’ interests in controlling access to their nationals’ and residents’ data (which does seem a legitimate interest) and the interest in controlling access to data based simply on the fact that it is locally-held (which is generally not, in and of itself, enough to establish a legitimate interest).
The brief by former national security and law enforcement officials (including former Secretary of Homeland Security, Michael Chertoff), also filed last week, is a reminder as to why these considerations are so important. As the national security and law enforcement officials brief explains, a ruling that U.S. warrants reach all data anywhere, without regard to countervailing considerations, carries with it a range of policy risks on a global scale – including increased Balkanization as a means of avoiding U.S. law enforcement reach; increased assertions of unilateral jurisdiction in ways that both undercut U.S. citizens privacy rights and expose U.S.-based companies to civil or even criminal penalties for failing to disclose data that U.S. law prohibits them from turning over; and an overall reduction in cooperation and efforts to seek innovative and collaborative approaches to better facilitate law enforcement access to data across borders.
The kind of nuanced ruling suggested by the e-Discovery brief would go a long way to help reducing these kinds of negative policy consequences. It would help ensure that legitimate, foreign interests are taken into account, thus minimizing the incentive to go at it alone and setting the kind of precedent we should want and expect other nations follow when seeking access to U.S. citizen and resident data. In sum, the recommendations included in the e-Discovery brief are ones that the Court should heed.