What could Microsoft's data sovereignty fight mean for Australia?

Microsoft is currently battling with the US government over the country's effort to force the software giant to hand over data on a customer stored on a server in Ireland.

The outcome of this legal fight will determine whether the US has jurisdiction to enact warrants for private information on American companies outside its geographical borders.

Microsoft's concern is not only that firms based in Europe where it - and other technology companies - have invested billions in data centres would stop trusting it with their data should the FBI be allowed to barge open the door at will.

But it has also warned that a decision in the US government's favour would result in a free-for-all globally - where other governments would be able to require Microsoft and others to hand over data stored overseas.

A legal tug-of-war could ensue where technology companies are caught between the laws of the country where the data is stored, and the country demanding access to it.

It's these implications that have Australian businesses worried.

The issue of laws bound to national borders in the age of the borderless internet and cloud computing - where data can fly over many jurisdictions within seconds - is a knotty one, legally speaking.

It's why the Australian Signals Directorate cautions [pdf] against outsourcing the handling of non-publicly available data to companies located offshore.

The ASD also warns businesses that foreign-owned vendors operating in Australia may be subject to foreign laws such as an overseas government’s lawful access to data held by the vendor. 

What's at stake?

The US Patriot Act gives the US government the power to undertake surveillance outside its borders in the name of national security, but not criminal investigations, as with the Microsoft situation.

Similarly, search warrants to search private records apply only within the US, not outside it.

The US government in normal circumstances uses mutual assistance laws to access private information stored overseas.

These laws allow governments to assist others with criminal investigations and prosecutions, in the knowledge the same assistance would be provided in the opposite situation.

Ireland is pushing the US government to take this path.

But the crux of the US government's argument is that emails stored in the cloud are business records of the company storing them, rather than private records - which would therefore afford the records less legal protection.

Legal ability to extend its jurisdiction to offshore borders would have significant and wide-ranging effects globally.

"This would create an enormous amount of uncertainty for people going into the cloud," Macquarie Telecom policy manager David Forman said.

"You'd now have to be comfortable with the laws [of the country where your data resides] as well as the laws of the US - or the home country of the company [who's storing your data].

"It could create wave after wave of uncertainty."

“The case will set a precedent that will have a worldwide impact,’’ according to Gregory T. Nojeim, senior counsel for the Center for Democracy and Technology, which is supporting Microsoft.

“If US warrants compel US providers to disclose communications stored outside the country, foreign governments will argue that their legal orders work in the United States, including countries that have lousy surveillance laws, or that don’t follow the laws they do have.

"Welcome to the Wild West.”

President of the Cyber Security Council of Germany, Arne Schönbohm, said the future of the internet was at stake.

“Do we have different islands where you store US data and data for Europe? Do you do the same for China and the same for Saudi Arabia? Or will we have a global internet?”

Two lower court judges have already ruled twice against Microsoft. They found that because the data could be accessed by Microsoft US employees, the FBI search warrant was territorial and therefore valid.

Since then, Redmond has pulled together an unlikely group of supporters including Apple, Cisco, Verizon, the Electronic Frontier Foundation and several other media companies.

Technology and IP lawyer Patrick Fair says there's already a precedent in civil cases to compel individuals to produce information stored overseas.

"That's been the default position in civil cases for a very long time," Fair said.

"If you're in a civil case and you're ordered to produce evidence, it doesn't matter where the information is held. The question is whether the information is within your custody or control."

But he did note that there had been cases where a party had declined to hand over the information over fears of breaching the relevant country's laws.

"A court is reluctant to make somebody breach the law of another country. If disclosure of the information would breach the law of the place where it is held, you may resist providing it to a local court," Fair said.

"An important issue in the context of the Microsoft case is national sovereignty. Should the government of one country be able to access and review the information held in another without making a request to local authorities?

"This issue is particularly acute where the information sought does not pertain to citizens of the country seeking access." The customer in the Microsoft case is a non-US citizen.

And if others were to follow?

Whatever the outcome, the case is likely to complicate life for US technology companies already struggling to regain customer trust thanks to the NSA's spying activities.

Not to mention the global impact should a non-Western government look to take a similar approach.

"One can imagine a race to the bottom, with State A’s efforts to put in place robust privacy protections completely eroded by State B’s ability to access data stored in State A," according to Jennifer Daskal, founding editor of US national security law and policy forum Just Security.

“We would go crazy if China did it to us,” Microsoft attorney Joshua Rosenkranz pointed out.