The United States Court of Appeals for the Second Circuit just granted data privacy a huge victory. In a surprise unanimous 3-0 decision, the court ruled in favor of Microsoft and of protecting the privacy of individual email messages. Although the court took an important step in guarding privacy, those rights in the digital world still lag behind the long-established privacy rights in the physical one. Now the other two branches of government must act to address this gap. Congress needs to pass legislation to modernize a 30-year-old law governing electronic communications. And the Obama administration should implement the Privacy Shield agreement as soon as possible to address the ongoing confusion between data privacy and security practices across national boundaries.
Under the court's landmark decision, the federal government can no longer compel Microsoft to turn over customer emails stored on servers in Ireland. The government sought access to these messages as part of a criminal narcotics investigation. Nearly three years ago, Microsoft refused to comply with the search warrant served by federal law enforcement. Since then, the government and Microsoft have litigated this previously unsettled question of law. Microsoft contended the power of a government search warrant does not apply to information it stores for its customers. The government asked the court to classify an individual's emails as business records for a company, which would subject them to a warrant.
In the meantime, the Court of Justice of the European Union (CJEU) -- the highest court in EU legal matters -- invalidated, effective immediately, a 15-year-old agreement between the U.S. and EU countries known as Safe Harbor. Safe Harbor provided legal protection to companies that exchanged data across national boundaries despite the different data privacy standards in place between the U.S. and EU countries. For instance, Safe Harbor permitted Facebook to make available the data in a post published by a user in Germany to a user in Idaho.
But in light of the "Snowden leaks," the disclosures about NSA surveillance programs operating in other countries, the CJEU ruled Safe Harbor could no longer provide legal protections for U.S. practices that violated EU data protection rules. The U.S. and EU approaches to data privacy differ in their presumptions about which activities are allowable. The U.S. permits "collecting and processing of personal data" except when it is explicitly limited by domestic statutes. The EU, however, prohibits all processing of personal data unless there is an explicit legal basis that permits it.
In invalidating Safe Harbor, the CJEU created uncertainty for the almost 5,000 technology companies that regularly conduct data transfers across the Atlantic. The U.S. and EU began discussions about the Privacy Shield agreement, which is intended to replace Safe Harbor. Government officials contend that Privacy Shield, finalized just last week, is more detailed than its predecessor and includes stronger data privacy protections and oversight procedures. Under Privacy Shield, the U.S. and EU can remain each other's largest trading partners, enabled by the seamless and legitimate flow of data across borders.
In its final months in office, the Obama administration finalized Privacy Shield with the EU. Now it needs to implement it and work with U.S.-based tech companies to remove any uncertainty about exchanging data across the Atlantic. Then, Congress must take action to improve the process for law enforcement agencies to request email data from U.S.-based tech firms when conducting a criminal investigation. All three branches of government have a responsibility to help digital privacy rights catch up with physical ones. If our government achieves parity between privacy rights across those two spheres, then Americans will be safer and can enjoy the protections of their individual privacy.
Julie Anderson is principal of AG Strategy Group.