If you are not immersed in technology, it may have passed you by that Microsoft has been battling with the US Supreme Court for the past five years over a fundamental question of data sovereignty in cloud services. The stakes were massive.
In short, the question was whether a Hotmail account created by a person who claimed to live in Ireland, and set up on a server controlled by Microsoft Ireland, should be accessible via a USA subpoena simply because Microsoft is a company headquartered in the USA.
If Microsoft had lost this battle, it would have completely undermined the idea of “data sovereignty” (the idea that housing data on-shore reduces security risks, since hostile agents cannot intercept network traffic carrying sensitive data). If anybody, anywhere, could have their information disclosed by Microsoft to the USA government on demand, regardless of any local laws, then no-one – and especially governments – would ever trust a USA company to deliver cloud services again.
While the battle is not yet over, the USA government recently passed laws to provide greater clarity around these issues. These laws have been supported by Microsoft as a step forward in providing clarity around data access. According to Microsoft, the CLOUD Act:
- creates the authority and framework for the USA to establish international agreements that on a reciprocal basis will enable law enforcement agencies to access data in each other’s countries to investigate and prosecute crimes
- protects privacy and other human rights by stipulating that these international agreements can only be established with countries that protect privacy and other human rights
- creates strong norms to govern surveillance requests, incentivizing governments to ensure that law enforcement requests are narrow, incorporate specific rule of law protections, are subject to judicial review or oversight, and meet baseline legal standards around accountability and transparency
- prevents new international agreements from becoming vehicles for requiring cloud service providers to create back doors to break encryption, with explicit wording in the Act that terms of these agreements “shall not create any obligation that providers be capable of decrypting data or limitation that prevents providers from decrypting data”
- gives cloud service providers added and direct legal rights to protect privacy, with providers having the right to inform foreign governments when their citizens are impacted by USA warrants, and to go directly to court to raise comity concerns under a new statutory process when the USA seeks a warrant that goes beyond the scope of an agreement and that conflicts with a foreign law
- in conjunction with resulting international agreements, will both reduce the potential for conflicts between laws and create a clear legal process for courts to address conflicts under the new comity process when such conflicts arise
While it may not seem an issue of conventional interest to KM, the ability of countries to set rules around who controls access to their data is of critical importance to the societies people live in. Everyone with an interest in information and knowledge should be keeping an eye on developments in this space.