U.S. Supreme Court hears Microsoft privacy case, mobile network shutdowns ruled illegal by Pakistani court, Facebook’s tracking of non-users violates Belgian privacy laws

Corporate Accountability News Highlights is a regular series by Ranking Digital Rights highlighting key news related to tech companies, freedom of expression, and privacy issues around the world.

U.S. Supreme Court hears Microsoft privacy case

Microsoft Corporation headquarters in Redmond, Washington. Photo credit: user Coolcaesar [CC BY-SA 4.0] via Wikimedia Commons.

On Tuesday, the U.S. Supreme Court heard arguments in the U.S. v. Microsoft case, in which the Department of Justice is seeking to force Microsoft to hand over the content of emails stored in a data center in Ireland, under the 1986 Stored Communications Act. The case could set a new precedent that allows governments to obtain data stored in other countries.

The case dates back to 2013 when a New York state judge issued a warrant requesting that Microsoft hand over Outlook email information belonging to a user, who was the subject of a drug-trafficking investigation. While the company agreed to hand over metadata stored in the U.S., it refused to hand over the content of the emails, arguing that they are protected by Irish and EU privacy laws since they are stored in Ireland. The company says that the government should try to obtain the sought-after information using the United States-Ireland Mutual Legal Assistance Treaty (MLAT). MLATs are bilateral, multilateral or regional agreements that allow governments to exchange information related to an investigation.

The U.S. government argues that the MLAT process is “costly, cumbersome and time-consuming,” and is not needed since “the privacy intrusion occurs only when Microsoft turns over the content to the Government, which occurs in the United States.”

In court on Tuesday, Microsoft argued that the 1986 law is outdated and that the case should be decided by Congress. Congress is considering new legislation, the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which would clarify that warrants issued under the Stored Communications Act apply to data stored overseas, while allowing companies to challenge such warrants when they violate the privacy laws of the country where the data is stored.

While the bill is supported by tech companies including Microsoft, Facebook, Google and Apple, privacy advocacy groups including the Electronic Frontier Foundation (EFF) and Access Now slammed it because it allows the U.S. government to access data stored in any foreign country without consideration for that country's privacy laws. The bill would also give the U.S. President power to enter into “executive agreements” with other countries for cross-border access to data. Such agreements would allow foreign governments to request that U.S. companies hand over data stored in the U.S., as long as the user is not a U.S. citizen or based in the country, “without the procedural safeguards of U.S. law typically given to data stored in the United States,” EFF says.

A decision by the Supreme Court is expected by summer. If the court rules in favor of the U.S. government, it would set a new precedent allowing governments to obtain data stored in other countries. The European Union is already considering a bill that would allow law enforcement authorities of any member state to request data stored not only within the 28 EU countries, but also overseas, Reuters reported.

Companies should disclose information about their process for responding to government requests for user data, including their processes for responding to non-judicial government requests and court orders, and the legal basis under which they comply with requests. In addition, companies should publicly commit to push back on inappropriate or overbroad government requests. Companies should also disclose and regularly publish data about these requests, including listing the number of requests received by country and the number of accounts and pieces of content affected, and specifying the legal authorities making the requests.

Mobile network shutdowns ruled illegal in Pakistan

A court in Pakistan has ruled that restricting access to mobile networks on “security” grounds is illegal. The High Court in the capital Islamabad ruled in favour of four residents who petitioned the court back in April 2016 about intermittent network shutdowns that occurred around the March 23 Republic Day parade celebrations. The residents said the shutdowns impacted their freedoms and daily lives.

According to the Digital Rights Monitor, a project that reports on digital rights and internet governance issues in Pakistan, mobile network shutdowns in Pakistan are often ordered by the federal government, and implemented by the country’s telecom industry regulator “ahead of landmark events and religious and political processions” to avoid any potential violations of public order.

Shutting down networks and restricting access to online communications violate human rights. A resolution adopted by the UN Human Rights Council in June 2016 condemns “measures to intentionally prevent or disrupt access to or dissemination of information online in violation of international human rights law.” While governments should refrain from ordering telecommunications companies to restrict services, companies should be transparent about the circumstances under which they may comply with such orders. They should disclose information about how they handle government network shutdown demands, including under whose authority a shutdown is ordered, so that those responsible can be held accountable. None of the telecommunications companies evaluated in the 2017 Corporate Accountability Index disclosed sufficient information about how they handle government network shutdown demands.

Facebook in violation of Belgian privacy laws

A court in Belgium ruled that Facebook violated the country’s privacy laws by tracking non-users on third-party websites without their consent. The company was also ordered to delete all data illegally collected or face fines of 250,000 euros ($311,000) a day.

Facebook said it would appeal the verdict. The case dates back to 2015 when Belgium’s commission for the protection of privacy (CPP) filed a complaint against the company. While a primary court ruled in favour of the CPP, Facebook succeeded in overturning it in 2016.

Internet and mobile ecosystem companies should clearly disclose their practices with regard to user information they collect from third-party websites, including which information they collect, how and for what purposes. The 2017 Index found that while Facebook disclosed which information it collects, and how, for its Facebook and Messenger services, the company did not reveal its purposes for collecting such information, how long it retains it, and whether it respects user-generated signals to opt out of the collection of their data through third-party websites.
