Episode 78: The ISM’s Report on Business June 2015 and Senior International Correspondent Prof Adriana Sanford

Beyond Borders global supply chain strategies 30 ISM November | December 2014 Technology is an impor-tant driving force for global economic devel-opment. However, in the wake of high-profile data breaches in the United States and revelations of classified U.S. surveillance pro-grams by Edward Snowden, there will be many more global tech-nology challenges over the next decade. Businesses are just beginning to understand the macro-powers of regional blocs such as the European Union and NAFTA, to define not only trade, but also secu-rity, science and technology.

There is currently a struggle to maintain privacy in a world increasingly dependent on digital intercon-nection. Although there are con-flicting security threats and privacy protection issues in the U.S. and Europe, it’s clear a global consis-tent approach is needed. Cyber war is one of the biggest threats of the 21st century, and as businesses continue to confront boundary-less crimes and terrorism, the need for collaboration on both sides of the Atlantic and a focus on long-range goals and principles is necessary. There has been intense global interest in the European Commission’s new data pro-tection proposal and its effect on non-EU businesses and their global supply chains.

In 2012, the commission proposed a major reform of the EU legal framework on the protection of personal data. The new proposals will strengthen individual rights and tackle the challenges of globaliza-tion and new technologies. The new EU legislation is expected to address current vulnerabilities of companies’ business IT systems, including payment, ERP and cus-tomer relationship management systems, as well as some of the other challenges currently facing our information society. It’s anticipated the reform leg-islation will provide a basic frame-work for data privacy legislation to other regions and countries around the globe. Supply management practitioners will see a major shift in business leadership attitudes regarding the protection of all personal data. That’s because the binding nature and extraterritorial reach of the upcoming EU reform will affect any business that pro-vides goods or services to EU citi-zens, as well as those that monitor the activities of EU citizens.

The reform legislation is good news for EU consumers because it holds all third parties accountable for data breaches and will stream-line the current data protection requirements and procedures for all 28 EU countries. The privacy framework is expected to provide a uniform set of guidelines for all the European countries, assuring Cybersecurity Collaboration Needed Between U.S., EU Upcoming European Union privacy reform highlights the need for consistent, global legislation to help businesses protect customer and supplier information. By Adriana Sanford, J.D., Dual LL.M., and Wilfried Grommen 2. www.ism.ws 31 businesses and EU consumers consistent legislation and adequate protection.

Multinational companies, such as Hewlett-Packard, that supply data services to large enterprises wel-come this unified regulatory frame-work because it offers consistent regulation for all its European data centers. Many multinational com-panies already employ a dedicated data privacy officer who handles the compliance requirements with the various data protection author-ities. They are also in close collab-oration and discussion with the EU regulatory committees in Brussels regarding the proposed regulation. Not surprisingly, the request by the U.S. government for per-sonal data processed by Microsoft outside the U.S. is creating serious concerns for the cloud computing industry. The July 2014 U.S. court ruling upholding a warrant and requiring Microsoft to deliver data from a Dublin, Ireland, data center to prosecutors in a law enforcement investigation case bypasses the existing formal procedures that are agreed upon by both nations. The Mutual Legal Assistance agreement was designed to manage foreign government requests for access to information and ensure certain safe-guards in terms of data protection. Additionally, in the recent Google Spain case ruling, the Court of Justice of the European Union ruled that, as regards the issue of territoriality of the EU rules, these rules apply “even if” the physical server of a company’s processing data is located outside Europe. The Court of Justice clearly stated that EU rules apply to search engine operators, if they have a branch or a subsidiary in an EU member state.

The need for collaboration between the United States and the EU has never been greater for multi-national companies and technology businesses. Consumer cloud service providers are concerned about the ramifications of conflict of laws where inconsistent or conflicting data privacy legislation could hinder their ability to do business and store data in centers in Europe or other locations. In a world where cloud computing is rapidly expanding, a modern, multinational, cross-boundary approach to privacy and data protection would help global businesses. Companies want to expand globally without the added burden of penalties for non-compli-ance due to conflicting country laws. Over the next few years, the EU will be preparing for Horizon 2020, one of the biggest publicly funded worldwide research and innovation programs to date with a budget of nearly 80 billion euros.

Horizon 2020 will not only raise the level of excellence in Europe’s science and technology base, but also ensure a steady stream of world-class research along with major invest-ment in key industrial technologies. It’s an attractive program for mul-tinationals searching for cyberse-curity information, consistent data protection laws and those who believe privacy is (or should be) a basic human right. ISM Adriana Sanford, J.D., Dual LL.M., is an ASU Lincoln Professor of Global Corporate Compliance and Ethics, a clinical associate professor in the W. P. Carey School of Business, and a College of Liberal Arts & Sciences residential college faculty fellow at Arizona State University in Tempe, Arizona.

Her current academic research focuses on comparative law regarding cybersecurity, privacy and data protection. Wilfried Grommen, located in Brussels, is chief technologist of public sector and European institutions for Hewlett-Packard. For more information, send an email to author@ism.ws. Capital, government, currency and religion: Cardiff; the British pound sterling; Wales is a consti-tutional monarchy as part of the United Kingdom. Mind your manners: Politeness in communication is highly valued. Expect to hear a lot of “please,” “thank you” and “sorry.”

The Welsh tend to be indirect communicators. Down to business: Being on time for meetings, and fol-lowing schedules and deadlines, matter in Wales. Decisions tend to be made from the top down. Humor is often used in negoti-ations, sometimes as a defense mechanism or in the form of self-deprecation and/or irony. Avoid hard-selling and any sort of conflict or confrontation. What to wear: For men, conser-vative, dark or medium-colored suits with shirts and conserva-tive ties; for women, stylish yet classic business suits or dresses and blouses. Jeans or busi-ness- casual attire may be appro-priate depending on the industry. Source: www.culturecrossing.net/ basics_business_student.php?id=240 Around the World Wales © Institute for Supply Management®. All rights reserved. Reprinted with permission from the publisher, the Institute for Supply Management®.

12/15/14 Tech and media companies, privacy groups and leading computer scientists all filed legal briefs on Monday backing Microsoft in a case against the US government it claims is “fundamental to the future of global technology”. Microsoft is challenging a government order to hand over emails held on servers at its datacenter in Dublin, Ireland. The company has lost twice in court but is challenging the order in the US court of appeals for the second circuit in New York.

Technology companies including Apple, Amazon, Cisco, eBay and Verizon all filed in support of Microsoft. As have two of the US’s largest business organizations, the US Chamber of Commerce and the National Association of Manufacturers, as well as media organisations including ABC, CNN, Fox News and the Guardian. The unusual level of cooperation among often fiercely competitive organisations comes as privacy advocates argue the US is overreaching its authority in a manner that will set a dangerous precedent for government access to online information across the world.

“We believe that when one government wants to obtain email that is stored in another country, it needs to do so in a manner that respects existing domestic and international laws. In contrast, the US government’s unilateral use of a search warrant to reach email in another country puts both fundamental privacy rights and cordial international relations at risk,” Brad Smith, Microsoft’s general counsel, said in a blog post. At a press conference organised by Microsoft, Victoria Espinel, president and chief executive of the software industry trade group BSA (The Software Alliance), said: “We need to think carefully about the precedent that could be set here.” She said that allowing the US government to use the US courts to access emails stored in Ireland would allow other governments to make similar moves and demand access to information stored in the US. Such a move would damage trust in the technology sector, reduce productivity worldwide and harm privacy, she said. News organisations, including the Guardian, have expressed concern that a victory for the US would allow Washington to go after information stored by newsrooms in the cloud.

“We have stuff governments around the world want. This case may not be about digital journalism but the next case will be,” said Bruce Brown, executive director of the Reporters Committee for Freedom of the Press. The case centres on a drug investigation currently being conducted by US authorities. Smith said the legal system already had practices in place for international crime investigations and that using the US courts to reach documents stored overseas was unnecessary and dangerous. He said in most cases Ireland already handed over documents to the US when asked through its own courts. “The US has well-established treaties with countries around the world that allow them to seek the information they need while ensuring that citizens of other countries retain the privacy protections offered by their own laws and courts. And there’s ample opportunity for work to modernise these agreements further,” he said.

http://www.theguardian.com/technology/2014/dec/15/microsoft-email-warrant-lawsuit-tech-media-companies-join

June 11, 2015 The US Department of Justice’s (US DOJ’s) case against Microsoft Ireland will likely be the “case of the year” for legal practitioners that play in the cross-border and technology arenas. The case is currently before the Second Circuit Court of Appeals, and many people following the case expect to see some action this summer.

This post gives a quick update on the background and key issues raised by the case so our clients and readers can be informed as new information develops. Facts Refresher In December 2013, the US DOJ successfully applied for a search warrant ordering Microsoft to produce the contents of the email account of a Microsoft user who the government suspected to be a drug trafficker. In complying with the request, Microsoft discovered that while metadata related to the email account was stored in the United States, the main contents of the account were stored in Ireland.

Microsoft agreed that it needed to turn over the US metadata, but refused to turn over the content stored in Ireland on the grounds that a US search warrant held no authority in Ireland. The US DOJ disagreed with Microsoft’s decision, and an ongoing legal battle ensued. The Battlefront The legal issues in the Microsoft Ireland case are relatively straightforward; Microsoft claims that a US judge has no authority to issue a search warrant for records stored in a foreign jurisdiction. The US DOJ’s argument centers around two points: (1) the “search” pursuant to the search warrant would not occur until an agent located in the United States reviewed the email account’s contents, so the search would not technically be occurring in Ireland, and (2) a search warrant for data should be treated more like a subpoena, which is not subject to territorial limitations.

Why Is This a Big Deal?

The Microsoft Ireland case raises a lot of important legal issues in the technology (including outsourcing) and cross-border transactions space. A few of the key issues are summarized below:

If the US government is successful in its attempts to gain access to data located overseas pursuant to search warrants, US companies may be forced to host data only in those jurisdictions where the local law permits such disclosure, in order to avoid serious conflicts of laws issues. On the other hand, if the US government is unsuccessful in its attempts to gain access to data located overseas through search warrants, it could significantly limit the government’s ability to catch criminals, especially considering that picking a data host location/country is often a trivial choice unrelated to where a US company (or the host’s users) are located. Faced with such a situation, lawmakers may consider broader regulation of the space.

This case also raises the question: Is the United States willing to expose itself to the reverse situation? That is, is the United States willing to honor search warrants issued by foreign judges? What if the foreign jurisdiction has a history of not “playing nice” with US politics? Supreme Court Bound? Whatever the outcome of the Second Circuit’s decision, it is unlikely that the case will be resolved there. The stakes are too high. On the government side, the threats to policing power are generally considered real and every court so far has agreed with the government’s arguments. Meanwhile, the oft-maligned Microsoft Corporation has become the unlikely standard bearer for a substantial consumer privacy dispute and has gained some unlikely allies along the way, such as: Government of Ireland, European Parliament members Telecommunication/broadband carriers such as Verizon and AT&T 28 tech and media companies such as Apple, Amazon, eBay, Cisco, and HP 23 nonprofits/trade organizations such as EFF, ACLU, Brennan Center and the Software Alliance Because the stage is international, the stakes are high for both Microsoft and the US DOJ. It is likely that this case will not be resolved until 2016 or later. That said, it should be the topic of much debate for the remainder of 2015. We hope this is a helpful primer for our clients and readers to prepare them for the inevitable flood of questions once the case hits the news again. http://www.natlawreview.com/article/microsoft-ireland-case-status-and-what-s-to-come

December 24, 2014 Ireland files a brief backing Microsoft’s opposition to handing over emails that are stored on servers in Dublin. Microsoft Ireland waded into an email privacy case Tuesday by filing a friend-of-the-court brief supporting Microsoft’s opposition to turning over emails in a criminal case that are stored on servers in Dublin. The Irish government filed the motion in the US Court of Appeals for the Second Circuit in New York asking the US to respect its sovereignty.

“Ireland does not accept any implication that it is required to intervene into foreign court proceedings to protect its sovereignty,” the brief read. But the Irish government also said it would consider allowing access to data in its country. “As minister for data protection, I have given detailed consideration, from an Irish perspective, to the issues raised in this complex case,” Ireland’s Dara Murphy said Tuesday in a statement. “There are important principles of public policy at play. Having engaged in detailed consultation with my colleagues in government, it was agreed that Ireland should submit an amicus curiae brief to the US court that focuses on the principles involved in this case and that points to the existing process for mutual legal assistance in criminal matters.” The brief notes that the US and Ireland signed a treaty in 2001 that allows them to transfer case evidence to assist in law enforcement activities. The brief has pleased Microsoft, which has called on Ireland to chime in on the issue before any decisions are made by US courts. The US and Microsoft have for the last year been waging a legal war over whether the software company can and should hand over emails from users involved in the narcotics case. Last December, a New York judge said that Microsoft would be required to provide the US government with user emails in connection with a criminal investigation. Microsoft discovered that the emails were residing on one of its servers in Dublin and subsequently refused the request, saying that the US doesn’t have the right to obtain private emails without the “knowledge or consent of the subscriber or the relevant foreign government where the data is stored.” Microsoft says that the stored communications provisions of the Electronic Communications Privacy Act (ECPA) do not apply outside of the United States. Despite Microsoft’s concerns, a court ruled in July that Microsoft must hand over the emails. Microsoft again refused, saying that the US doesn’t have the right to access email communications from people who are not living in the country. While Microsoft General Counsel Brad Smith stopped short of going that far with his statement on the matter on Tuesday, he did write in a blog post on the issue that “the Irish government’s engagement underscores that an international dialogue on this issue is not only necessary but possible.” Smith went on to say that Microsoft has long desired collaboration between governments and not for one to “exercise” any “authority” over another. Microsoft declined to provide additional comment beyond what Smith wrote in his blog post. http://www.cnet.com/news/ireland-says-it-might-help-us-recover-e-mails-from-microsoft/

Dec 24, 2014 The Irish government on Tuesday told U.S. prosecutors that if they wanted assistance in a criminal case, Ireland would happily consider the request. As part of a narcotics investigation, the U.S. Justice Department is trying to force Microsoft MSFT -1.76% to hand over emails from a customer account that is stored in a Dublin data center. In a rare move, Ireland filed papers in a New York federal appeals court on Tuesday saying the country would consider a U.S. government request for evidence in a criminal prosecution — under treaties that protect Irish sovereignty. The move echoes Microsoft’s appeal against handing over the emails, saying that a search warrant cannot reach beyond U.S. shores. Microsoft has said that acceding to U.S. prosecutors’ demands would violate Irish sovereignty by bypassing a treaty known as the Mutual Legal Assistance Treaty, under which the Irish and U.S. governments help each other with evidence and witnesses in criminal cases. Tech and civil liberties groups have filed briefs supporting Microsoft. U.S. prosecutors have argued that where the data is physically located shouldn’t make a difference, because Microsoft can access the information from its U.S. offices. “They have total control over those records, can produce them here, and that’s all that matters,” federal prosecutor Serrin A. Turner said. In the amicus brief, Ireland stopped short of weighing in on whether the Justice Department was going too far. It said that it would continue to cooperate with the U.S. and other countries in fighting crime. “Ireland would be pleased to consider, as expeditiously as possible, a request under the treaty, should one be made,” the Irish government said in the court filing. The case comes as U.S. tech companies are increasingly trying to show that they protect customers’ information against government requests. Tech companies regularly, but not always, comply with warrants and other judicial requests for evidence. Over the last few years, several major companies including Microsoft, Twitter TWTR -1.31% and Google GOOGL -1.02% have begun publishing reports that catalogue the demands they receive from various countries. Ireland is home to the European headquarters of many American tech companies, including Apple, Google and Facebook FB -2.03%. Its office in charge of data protection is seen in other parts of Europe as business-friendly. Data protection has taken on even greater importance in Ireland of late. The country doubled the budget for the office of the data protection commissioner to €3.65 million ($4.45 million), and it recently created a minister-level position for data protection. “The right of individuals to the protection of their personal data is an essential foundation for modern society and the growing digital economy,” said Dara Murphy, the new Irish government minister for data protection, regarding the Microsoft case. “We must ensure that individuals and organizations can have confidence in the rules and processes that have been put in place to safeguard privacy.” Privacy concerns related to the U.S. government became a more urgent issue after former U.S. government contractor Edward Snowden released documents detailing American spying programs. Mr. Murphy said, however, that the Snowden issue wasn’t a factor in discussions about filing the brief. He said Ireland had been asked by several tech and civil liberties groups to weigh in. http://blogs.wsj.com/digits/2014/12/24/ireland-tells-u-s-to-use-treaty-in-microsoft-email-case/

12/15/14 Today represents an important milestone in our litigation concerning the U.S. Government’s attempt to use a search warrant to compel Microsoft to obtain and turn over email of a customer stored in Ireland. That’s because 10 groups are filing their “friend of the court” briefs in New York today.

Seldom has a case below the Supreme Court attracted the breadth and depth of legal involvement we’re seeing today. Today’s ten briefs are signed by 28 leading technology and media companies, 35 leading computer scientists, and 23 trade associations and advocacy organizations that together represent millions of members on both sides of the Atlantic.

Collectively these briefs make one conclusion unmistakably clear. This case involves not a narrow legal question, but a broad policy issue that is fundamental to the future of global technology.

As we’ve said since this case began, tech companies such as Microsoft for good reason store private communications such as email, photos, and documents in datacenters that are located close to our customers. This is so consumers and companies can retrieve their personal information more quickly and securely. For example, we store email in our Irish datacenter for customers who live in Europe.

We believe that when one government wants to obtain email that is stored in another country, it needs to do so in a manner that respects existing domestic and international laws. In contrast, the U.S. Government’s unilateral use of a search warrant to reach email in another country puts both fundamental privacy rights and cordial international relations at risk.  And as today’s briefs demonstrate, the impacts of this step are far-reaching.

Today’s briefs come from:

• Leading technology companies such as Verizon, Apple, Amazon, Cisco, Salesforce, HP, eBay, Infor, AT&T, and Rackspace. They’re joined by five major technology trade associations that collectively represent most of the country’s technology sector, including the BSA | The Software Alliance and the Application Developers Alliance. These groups raise a range of concerns about the significant impact this case could have both on the willingness of foreign customers to trust American technology and on the privacy rights of their customers, including U.S. customers if other governments adopt the approach to U.S. datacenters that the U.S. Government is advocating here.

• Two of the country’s largest business organizations, the U.S. Chamber of Commerce and the National Association of Manufacturers, that collectively represent millions of American companies. Their filing discusses the potential ramifications for the American economy at large and the ability of businesses in all sectors to take advantage of the efficiencies offered by cloud computing.

• Five of the country’s leading civil liberties organizations from across the political spectrum: the Center for Democracy & Technology, the American Civil Liberties Union, the Electronic Frontier Foundation, the Brennan Center for Justice at New York University School of Law, and the Berkman Center for Internet & Society at Harvard. Their brief focuses onthe significant implications for constitutional and privacy rights of the arguments advanced by the Government and endorsed by the District Court.

• Seventeen major and diverse news and media companies, including CNN, ABC, Fox News, Forbes, the Guardian, Gannett, McClatchy, the Washington Post, the New York Daily News, and The Seattle Times. They’re joined by ten news and media associations that collectively represent thousands of publications and journalists. These include the Newspaper Association of America, the National Press Club, the European Publishers Council, and the Reporters Committee for Freedom of the Press. These organizations are concerned that the lower court’s decision, if upheld, will erode the legal protections that have long restricted the government’s ability to search reporters’ email for information without the knowledge of news organizations.

• Thirty-five leading computer science professors from 20 of the country’s leading universities. Their brief seeks to help the court grasp the underlying technology so that it applies the law correctly.

• Digital Rights Ireland, an organization focused on the protection of privacy in Ireland and the European Union, joined by other European civil liberties groups. Their filing notes that the proper way for the U.S. to obtain the information is through use of the mutual legal assistance treaty agreed between the U.S. and Ireland, thereby ensuring fundamental privacy rights are respected.

You can see the entire list of signatories to today’s briefs here.  On behalf of Microsoft, I want to convey our appreciation for each of these groups for their involvement.

Today’s filings also reflect the continuing growth in concerns about the issues raised in this case since the District Court’s decision just five months ago. At that time, five companies, one trade association, and one advocacy group filed briefs for that Court’s consideration.

As we said last week when Microsoft filed its own brief in this case, it doesn’t need to be this way. The U.S. has well-established treaties with countries around the world that allow them to seek the information they need while ensuring that citizens of other countries retain the privacy protections offered by their own laws and Courts. And there’s ample opportunity for work to modernize these agreements further.

Law enforcement plays a vital role in investigating crimes and keeping our communities safe. We are not trying to prevent them from playing this role, but we believe reforms are needed that ensure that they do their work in a way that promotes vital privacy protections and builds the trust and confidence of citizens in the U.S. and around the world.  The challenges are not unique to the United States. But the U.S. government has the opportunity to help lead the way in devising and enacting much needed reforms. Even while the court case moves forward, it is time for the Administration and the U.S. Congress to engage in a holistic debate on the solutions to these issues and find a better way forward.

http://blogs.microsoft.com/blog/2014/12/15/business-media-civil-society-speak-key-privacy-case/