Microsoft responds to speed of CLOUD Act enactment and data privacy concerns

Microsoft has admitted the speed in which the CLOUD Act was enacted was ‘a bit of a shock’ – but added there was more to do to protect users’ privacy rights across borders.

The act, which stands for ‘clarifying lawful overseas use of data’, was signed into law two weeks ago and ultimately represents the culmination of a case which began four years ago concerning an email in Dublin.

During a drug trafficking investigation in 2013, Microsoft refused to provide details of an email that a US citizen had stored on one of its servers in Ireland. Microsoft’s argument was: if the US government does not have the power to search a home in another country, it should not have the power to search the contents of emails stored overseas.

Back in 2014, this publication reported on a ruling from Judge James C. Francis, who ruled US-based providers must hand over customer emails even if they are in an overseas location. Following a further ruling in August by US District Judge Loretta Preska, ZDNet described it as ‘single-handedly kill[ing] trust in the US technology industry.’

The CLOUD Act “establishes a procedure for a provider of electronic communication service to seek protection from mandatory disclosure of non-US data to the [US government] where disclosure would violate the non-US law of the jurisdiction where the data is stored,” according to law firm Baker McKenzie. Yet while this procedure has been established, privacy concerns may also remain.

In a lengthy blog post earlier this week, Brad Smith, Microsoft president, said the act ‘both creates the foundation for a new generation of international agreements and preserves rights of cloud service providers to protect privacy rights until such agreements are in place.’

“Our goal has always been not to make repeated visits to court to litigate contentious propositions but to establish new international rules that will avoid legal conflicts and advance privacy rights and law enforcement needs together,” wrote Smith. “It is here that the CLOUD Act makes a vital contribution.”

Scott Bekker, editor in chief at Redmond Channel Partner, wrote in an editorial that the passage of the CLOUD Act “gives Microsoft and its channel partners a much stronger privacy story for international customers and an opportunity, along with other US-based cloud providers, to continue leading the global charge for cloud computing.”

Yet Smith added there was a ‘heavy responsibility’ on tech companies in what was already a turbulent period of time. “The cloud has made the role of tech companies on privacy issues a practical necessity,” Smith wrote. “The CLOUD Act preserves and expands this role with legal certainty. It creates a responsibility for tech companies both to help protect public safety and preserve personal privacy.

“At Microsoft, our answer is that we appreciate and accept the responsibility thrust upon us,” Smith added. “We acknowledge that no company will ever be perfect, and we recognise that constant learning will be essential to fulfilling this responsibility each day. But we also point to our track record.

“We did not sue our own government four times and devote energy to these issues over four sometimes long years to stop showing resolve now. This journey is not yet complete, and we look forward to continuing to work with so many others to see it to a successful conclusion.”