EU screams foul over Microsoft data privacy case... three years too late

European officials are only now expressing concern over a US court ruling that can allow the FBI and NSA to grab overseas data. But Europe knew the risks at least three years prior.
Written by Zack Whittaker, Contributor

If anyone's ever late to the party, you can count on Europe to drag its feet.

The European Commission, the executive body of the 28 European member states, has reportedly expressed extreme concern about a court decision forcing Microsoft to hand over data it stores overseas.

The US Justice Department wants the Redmond, Wash.-based software and services giant to hand over data it stores overseas in a Dublin-based datacenter. That data, however, falls under Irish and European data protection and privacy laws.

But the US doesn't see it that way. Because Microsoft owns the overseas datacenter, the Justice Department believes it has carte blanche over that data — which it needs for a law enforcement investigation.

The greater concern for Microsoft (and the wider US technology industry) isn't just the civil liberties of its customers, but also the effect it will have on US businesses. If the US government can grab data these companies store overseas, nobody outside the fifty states will want to do business with Silicon Valley.

Which is fair enough, really.

Now, according to eWeek, European officials are calling out the US government. While neither party, the US nor the EU, is commenting publicly on the case because of legal restrictions, one European official told the publication:

"The Commission has raised this issue with the U.S. government on a number of occasions. The Commission remains of the view that where governments need to request personal data held by private companies and located in the EU, requests should not be directly addressed to the companies but should proceed via agreed formal channels of cooperation between public authorities, such as the mutual legal assistance agreements."

Which is a nice way of saying, "use the existing international channels." That squares up with sources speaking to ZDNet over the last few months as part of a wider story (which can wait for another day). 

Those channels, known as mutual legal assistance treaties (MLAT), allow one government to go to another and share information across borders. 

But the trouble is that MLAT can be slow — and in some cases, requests can be outright refused.

US Magistrate Judge James Francis called the MLAT process "burdensome and uncertain," while the second justice in the case, US District Judge Loretta Preska, said access to the data "is a question of control, not a question of the location of that information."

"As burdensome and uncertain as the MLAT process is, it is entirely unavailable where no treaty is in place." — US Judge James Francis

The Justice Department can take what it wants, when it wants — so long as the data is loosely associated with a US company. The Commission told eWeek in response to the ruling that in order to "avoid these potential conflicts of laws," such treaties should be honored.

The US government has been bypassing MLAT for years — the Edward Snowden disclosures showed this. But long before June 2013 when the first leaks began to trickle out, the Commission was fully aware of the risks to its laws, jurisdictional rights, and its citizens' data — not to mention the risks from extraterritorial effects of US law.

It's exhausting having to go over this again, and again, and again. But here it goes.

Back in 2011, Microsoft's then UK managing director said it "could not provide guarantees" that EU-based cloud data would not leave Europe under any circumstances.

Members of the European Parliament (MEPs) were not pleased. They had suspected it for a while but not until then had any US technology giant said it.

And the Commission? It did nothing. It actively stonewalled MEPs by shutting them out of discussions and not answering key questions posed in relation to the scope of US law in Europe.

For months and years, the European Commission was, however, working the back channels to prevent the snooping, by pushing the Justice Department to use the existing MLAT process. Meanwhile, the Justice Department always had its array of cards at its disposal, as seen in the recent case that embroiled Microsoft even more deeply in the row.

Eventually, European Justice Commissioner Viviane Reding admitted that though US law should not overrule EU law, there could be further clarification on the issue.

That will ultimately come from the International Court of Justice in The Hague, Netherlands, where governments take other nation states to court.

After the Snowden leaks came to light, the Commission finally broke its silence and warned of the risks to the US-EU relationship amid claims European data was being vacuumed up by the clandestine and classified PRISM program.

By this point, Europe had already dished out the latest proposals to its data protection and privacy laws, but the Snowden leaks showed that almost two decades' worth of existing laws were essentially ineffective against the US surveillance state.

One European source said a few weeks ago that while Reding was "not naive" to think that friends don't spy on each other, the scale on which the US was conducting massive surveillance on her fellow citizens was far beyond her, or anybody's, expectations.

Reding was furious, but remained statesmanlike through the PRISM scandal — even when she met US Attorney General Eric Holder in Dublin just days after the story broke.

"The meetings we've had — and there have been plenty — the sticking point is judicial redress," according to a senior European official who spoke on the phone a few weeks ago on the condition of anonymity, regarding the conflict between US and EU law.

The official explained that the US would say any significant changes to the transatlantic law enforcement co-operation would require a change in US law, but also cited the "complicated" Congressional scene. In response, the official said, Reding told senior Obama administration officials that they must "seek a new mandate" if they can't make any headway during the current Congress.

"In the negotiations, we really thought things would advance," the official said. "But we are still stuck in the same gear, despite nice speeches by the President and the Podesta report."

"So at the end of the day, we keep playing poker but they haven't yet shown their cards," the official said.

After two years of transatlantic negotiations, and the diplomatic double-crossing, Reding told MEPs, to whom the Commission is accountable, to reinstate stronger legal provisions that had been taken out. The Commission came under fire after the draft data law was watered down following an extensive US lobbying effort.

European officials were not only aware of the problem, but they systematically avoided the issue and shut out the parliamentarians to whom the Commission is ultimately accountable. And the Commission's efforts to work the back channels with its American counterparts, in a bid to be treated fairly and equally, were mostly unsuccessful, with the exception of finally scoring judicial redress at an agreement-only level for Europeans.

More than three years after it was first made aware of the major flaws in EU data protection and privacy law, the Commission failed to make any significant headway in resolving the differences.

Europe, you can kick and scream all you want now but your long silence made you just as complicit as the US. 
