A U.S. case Canadian CSOs should keep an eye on

CIOs and CSOs have some concerns about their enterprises storing data offshore, particularly in the U.S., over worries that there’s a risk sensitive corporate or customer data can’t be protected from government reach.

They often cite the Patriot Act, which gives law enforcement agencies there broad power to get after data. There are those — including respected former Ontario privacy commissioner Ann Cavoukian, who dismiss fears about the Patriot Act, arguing that U.S. authorities have many other (legal) ways of getting data held on American servers than that piece of legislation.

A prime example is going on now in New York, where the U.S. Justice department is in court arguing that Microsoft has to comply with an American court order and hand over email in a specified account stored on servers in Ireland. Microsoft has appealed the decision, which will be heard July 31.

As an article in Ars Technica notes, the implication of the government’s position is that U.S. law applies anywhere.

The piece quotes the Justice department arguing that the U.S. Constitution’s Fourth Amendment, which protects citizens against unlawful search and seizure, doesn’t apply in this case. The information wanted is not physical, but digital. In addition, the law under which the subpoena says  Microsoft has to turn over the information doesn’t limit data that is held only within the United States.

That legislation (the Stored Communications Act, get familiar with it) “orders service providers to disclose records upon receipt of a warrant or other
appropriate legal instrument,” says the government in a court brief. “Nothing in the text or structure of the statute carves out an exception for records stored abroad, and none exists in precedent construing the scope of compulsory process.”

True the account is in Ireland, but, the Justice department argues, “all Microsoft account  data, whether stored in the United States, the Dublin datacenter, or in any of Microsoft’s many other locations located throughout the world, are under the control of and readily available to Microsoft’s employees in the United States.

By the way, apparently an Irish lawyer on behalf of the courts there has written the American courts that instead of using a warrant to get the email, there’s a mutual legal assistance treaty between the two countries that could be used.

Privacy advocates complain that this is (another) example of the U.S. trying to impose a domestic law in a foreign country. Others say international law is vague on this and is still being sorted out.

The point is that CSOs trying to advise chief executives of risk have to take note of this case. Their advice should be that all data going offshore has to be encrypted.

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web