Microsoft said it will drop its lawsuit against the Department of Justice over gag orders that prevent companies from telling customers when their personal data has been accessed by investigators. Its decision came after the DOJ issued a new binding policy that requires prosecutors to give more detailed reasons when applying for gag orders and makes it much harder to seek one that lasts indefinitely.
In a blog post about the company’s decision to withdraw the lawsuit, which it filed against the U.S. government in April 2016, Microsoft president and chief legal officer Brad Smith wrote that the DOJ’s new policy “is an important step for both privacy and free expression. It is an unequivocal win for our customers and we’re pleased the DOJ has taken these steps to protect the constitutional rights of all Americans.”
The DOJ’s new policy says prosecutors must “conduct an individualized and meaningful assessment regarding the need for protection from disclosure” and give specific reasons if they decide to apply for a gag order.
Smith wrote that even though secrecy orders may be necessary in some cases, Microsoft’s lawsuit was “based on a growing and disturbing trend. We highlighted the fact that the government appeared to be overusing secrecy orders in a routine fashion–even where the specific facts didn’t support them–and were seeking indefinite secrecy orders in a large number of cases.”
When Microsoft filed its lawsuit last year, it explained that over an 18-month period, 2,576 of the legal demands it got from the U.S. government “included an obligation of secrecy,” while 68% appeared to contain “indefinite demands for secrecy.”
“Until today, vague legal standards have allowed the government to get indefinite secrecy orders routinely, regardless of whether they were even based on the specifics of the investigation at hand. That will no longer be true,” Smith wrote.
Microsoft is calling for the Senate to advance the ECPA Modernization Act of 2017, which was introduced in July by Senators Mike Lee and Patrick Leahy to update privacy laws for electronic communication information stored by third-party service providers, as well as geolocation information.