On 14 July 2016, the US Court of Appeals for the Second Circuit ruled that Microsoft cannot be forced by US law enforcement to hand over customer emails stored in its Ireland data centre. At stake were fundamental questions about privacy in the cloud. The decision has been hailed by the technology sector and privacy campaigners around the world as a global milestone for the advancement of laws balancing the legitimate interests of law enforcement and individuals’ right to privacy. But what does a US Court decision about data on a server in Ireland mean for cloud in Asia? In this post, we look at the Court’s decision and why it is good news for the whole cloud ecosystem in Asia.
What was the case about?
The case centred on a warrant issued by US law enforcement in a narcotics case. The warrant required Microsoft to hand over emails that were stored on a Microsoft server in Dublin, Ireland. Microsoft refused. A District Court in Manhattan ruled in 2014 that Microsoft was compelled to hand the emails over. Microsoft appealed, arguing that if law enforcement required access to data stored in a country outside of the US, it would need to go to the government of that country and follow the legal process – in this case, a law enforcement treaty between the US and Ireland. Microsoft’s stance was backed by privacy campaigners and numerous other technology companies, who recognised that a ruling against Microsoft could lead to a free-for-all in extra-territorial data access requests, damaging trust in the global cloud.
The US Court of Appeals unanimously agreed with Microsoft’s position in a ruling described by Microsoft President and Chief Legal Officer, Brad Smith, as “a major victory for the protection of people’s privacy rights under their own laws rather than the reach of foreign governments”. In effect, the Court ruled that Microsoft and other cloud services providers cannot be compelled by a US search warrant to hand over data stored in other jurisdictions.
What does the decision mean for cloud in Asia?
This case is positive news for all parts of the cloud ecosystem in Asia. There are at least three clear positive outcomes from this case.
It is positive news for cloud customers, who can have confidence that their data will be protected by privacy laws in their own country
Asia is in the midst of a digital transformation powered by cloud technologies. Companies across the region are adopting cloud services to improve services and drive operational efficiencies. For companies in Asia, the concept of ‘risk’ has evolved, enabling companies to ‘do or try something new’ rather than just ‘maintain the status quo’. Even among regulators, it is increasingly accepted that a failure by companies to embrace new technologies may actually increase risks and jeopardise competitive advantage. Nonetheless, recent research by Forester Consulting reveals that despite a strong interest in cloud, the pace of adoption has been slowed by concerns about privacy and security. Among these concerns is a fear that data stored in the cloud is more likely to be handed over to law enforcement. In a post-Snowden era, access by US law enforcement has been a particular concern, not least since many of the biggest cloud service providers are headquartered in the US. That is why this decision is so important. It emphasises that working with cloud service providers, including those headquartered in the US, does not expose cloud customers and end users to an increased risk that their sensitive data will be accessed by foreign law enforcement without an appropriate process that respects local laws.
It shows that cloud services providers understand and are ready to address cloud customer concerns
It is telling that a cloud services provider, Microsoft, supported by numerous other technology companies, led the way on this issue, recognising customer concerns about the threat to individual privacy arising from broad data access rights. This is part of a wider trend of cloud services providers in Asia taking the lead to address customer concerns and deliver cloud in a way that meets all applicable compliance requirements. For example, the Asia Cloud Computing Association, an industry body representing various cloud services providers, has published a set of ten ‘Safe Cloud Principles‘ for the financial services industry. These principles set out what customers should expect from their provider in order to comply with applicable regulations in Asia. The fact that cloud services providers are taking these proactive steps to address customer concerns can only be good news for all parts of the cloud ecosystem in Asia.
It will help with the growing trend of cloud-friendly regulations in Asia
The case will also have been watched carefully by policy makers in Asian countries. These policy makers are increasingly alive to the fact that 21st century trade and industry depends on the use of new technology solutions. In the past, policy makers have wrestled with concerns about data security and the ability of foreign governments to access data, leading to regulations that harm international trade, such as requirements for in-country data centres. The landscape is already changing, with policy makers such as the Monetary Authority of Singapore publishing a growing list of cloud-friendly regulations. This case will help to accelerate this trend by building trust in the cloud, and that will be a very positive outcome for cloud service providers, customers, regulators and individuals in Asia.