U.S. v. Microsoft Decision Could Create Ripples Across the Atlantic
The GDPR made a recent appearance in U.S. Supreme Court arguments in connection with the United States v. Microsoft litigation. The case raised the issue of whether the United States may issue a search warrant to a U.S. based electronic communications service for data held on a server outside of the United States (in this case, Ireland). At the heart of the case is a 2016 ruling in favor of Microsoft and other tech companies by the Second Circuit limiting the geographic reach of the Stored Communications Act to data stored in the United States. Among the many amicus briefs filed on behalf of Microsoft was one submitted by the European Commission asserting the European Union’s interest in ensuring that the Supreme Court proceed based on a correct understanding of EU law. The case concerns personal data stored in a datacenter in the European Union that is operated by an EU-based subsidiary of Microsoft. Storing such data and transferring it from the European Union to the United States constitutes data “processing” to which the EU data protection rules apply. In the European Union’s view, any domestic law that creates cross-border obligations should be applied and interpreted in a manner that is mindful of the restrictions of international law and considerations of international comity. Depending on the outcome, the Supreme Court’s decision could set up a future conflict for companies seeking to comply with both U.S. and EU laws.