Chapter 3

PRIVACY: A Fundamental Human Right

In the winter of 2018, after a long day of public events and back-to-back meetings in Berlin, we were ready to call it a day. But Dirk Bornemann and Tanja Boehm, from our local German team, had a different idea. They insisted on one final stop, a former prison in the northeastern section of the city.

A week earlier, the opportunity for this diversion had piqued our curiosity, but the icy weather and jet lag had dampened our enthusiasm. This detour, however, turned out to be one of the most memorable days of the year.

The wintry light faded as we drove through the streets of the German capital. Through the car window a fast-moving reel of architecture told a tale of the city’s past. Edifices dating back to Prussia, the German Empire, Weimar, and Nazi eras gave way to sterile Communist-era concrete blocks as we closed in on our destination: the former German Democratic Republic’s Hohenschönhausen prison.

The once top-secret military compound had been part of the headquarters of the Stasi, short for State Security Service. The Stasi served as East Germany’s “shield and sword,” ruling over the country with repressive surveillance and psychological manipulation. By the time the Berlin Wall fell, the Stasi employed almost ninety thousand operatives backed by a secret network of more than six hundred thousand “citizen watchdogs” who spied on their East German coworkers, neighbors, and sometimes their own family.1 The Stasi accumulated a staggering number of records, documents, images, and video and audio recordings that if lined up would stretch sixty-nine miles.2 Citizens who were considered flight risks, threats to the regime, or asocial were detained, intimidated, and interrogated at Hohenschönhausen from the end of World War II until the end of the Cold War.

As the gate of the former prison swung open, we pulled past a concrete watchtower, where we were met by a seventy-five-year-old former prisoner, Hans-Jochen Scheidler. His athletic physique and easy smile belied his age and the ordeal he’d suffered at the prison. He shook our hands enthusiastically and led us into the large gray building where he’d spent a dark seven months.

In 1968, Scheidler left Berlin to pursue a PhD in physics at Charles University in Prague. “The Prague Spring was one of the happiest times of my life,” he said, recalling the loosening of restrictions and political liberalization that took place in the capital that year. “Every weekend I celebrated Prague Spring there.”3 But Czechoslovakia’s move toward liberty came to a swift end when half a million Warsaw Pact troops rolled into the country and suppressed the reforms.

That August, the twenty-four-year-old was home in Berlin when he heard the devastating news. The dream of a new era, one he considered a “more human version” of socialism, had been snatched away. In protest, Scheidler and four of his friends printed little leaflets criticizing the Soviet regime and slipped them into the mailboxes of East Berliners that night.

Caught in action, they were all arrested later that evening by the Stasi and sent to the very place where we now stood. He would spend seven months in one of the small, dark cells we visited, barred from seeing other inmates, talking with other people, or even reading a single piece of paper. His parents had no idea where he was or why he had vanished. He was subjected to cruel psychological torture. Even after his release, Scheidler wasn’t allowed to study or work in his chosen field of physics.

The point of our visit that day was suddenly clear.

Today, much of the world’s political activism doesn’t start on the streets, as in Scheidler’s time; it starts on the internet. Electronic communication and social media have provided a platform for people to mobilize support, spread messages, and voice dissent—accomplishing in days what would have taken weeks during the Prague Spring. Hans-Jochen had engaged in the 1960s equivalent of sending an email. And he was arrested while pushing “send.”

When we talked about privacy issues inside Microsoft, we often talked about the leading role the German government had played in enacting and enforcing new laws. Dirk and Tanja wanted us to see firsthand why they and others in Germany cared so much about these issues. As the stewards of vast amounts of personal data, tech companies need to appreciate, perhaps as only people who suffered under the Nazis and Stasi could, the risks of data falling into the wrong hands. “Many of those who came to this prison were arrested for things they did in the privacy of their homes,” Dirk said. “It was a system of total surveillance designed to control the people.”

The experiences under the Nazis and Stasi, he explained, had made modern-day Germans wary of electronic surveillance. And the Snowden revelations had only fed those suspicions. “If data is collected, it can always be abused,” he said. “It’s important that, as we operate around the world, we remember that governments can change over time. Look what happened here. Data collected about people—their political, religious, and social views—can fall into the wrong hands and cause all sorts of problems.”

Back in Redmond when I talked with employees about privacy, Scheidler’s story helped illuminate what was at stake when we handled our customers’ data. Privacy wasn’t just a regulation that we had to abide by, but a fundamental human right that we had an obligation to protect.

The story also helped people understand that when cloud computing went global, it involved more than laying fiber-optic cables under oceans and building data centers on other continents. It also meant adapting to other countries’ cultures while maintaining our commitments to core values by respecting and protecting other people’s privacy rights.

A decade ago, some in the tech sector thought they could serve the customers of the world solely from data centers in the United States. But soon real-world experience dispelled this notion. People expected web pages, emails, and documents with photos or graphics to load on their phones and computers instantaneously. Consumer tests showed that a delay of just a half second would get under people’s skin.4 The laws of physics required building data centers in more countries, so this content wouldn’t have to travel on cables halfway around the world. This geographic proximity is key to reducing what we call data latency, or the lag in transmission.

Even before our Quincy data center broke ground, we started hunting for a European home for what would become our first data center outside the United States. The early front-runner was the United Kingdom, but soon Ireland entered the race.

Since the 1980s, Ireland had been something of a second home to the American tech sector. Microsoft had been the first technology company to invest there in a big way. Tax incentives and an English-speaking workforce first drew companies to the Emerald Isle. The country then used its membership in the European Union and its welcoming spirit to attract people from across Europe and then from around the world to live and work there, especially in the Dublin area. It fed the Celtic Tiger and sustained a new generation of prosperity for the small country. At Microsoft we took pride in our connections and contributions to this growth.

Back in the 1980s, our European customers installed our software from CD-ROMs, which were manufactured in Ireland. But as software transitioned to the cloud, the Irish realized that the CD business would eventually vanish. They needed to make a new economic bet for the country.

The Irish Department of Enterprise, Trade and Employment did a masterful job of seeing this future and building a foundation that attracted data centers to the country. When they visited me and others in Redmond when the cloud was just a twinkle in our eye, they made the case for putting our first European data center near Dublin. The delegation included a senior official named Ronald Long, whom I’d worked with during my days as a lawyer at Covington & Burling in London. I’d once spent an afternoon hammering out a challenging public policy issue with him in Dublin.

I paused reluctantly in our meeting in Redmond and explained that it just wasn’t feasible for us to build our first European data center in Ireland. There was no high-speed fiber-optic cable connecting Ireland to the European mainland, and without that, a data center in Ireland simply didn’t make sense.

Ron’s answer was simple: “Give us three months.”

How could we say no to that?

Three months later the Irish government had negotiated a contract for precisely the type of cable needed. And we were on our way to building a data center south of Dublin. We started with a small building. Then we added more. And more.

In 2010, Microsoft began storing in Ireland our data for customers across Europe. Today we have data centers in several other countries across Europe, but none is as large as our data center campus in Ireland, which matches our biggest facilities in the United States. It fills two square miles. Together with the large data centers run by Amazon, Google, and Facebook, it has helped turn Ireland from a small island into a data superpower.

Ireland today provides one of the world’s best locations for data centers. While some may think it’s because of tax incentives, other factors are far more important. One is the weather. At a time when data centers are collectively the world’s largest consumers of electricity, Ireland’s mild climate provides the ideal temperature for computers. The buildings don’t need to be cooled, and the heat recirculated from the servers themselves is often all that’s needed to warm the buildings in the winter.

But more important than the weather is Ireland’s political climate. The nation is both part of the European Union and the beneficiary of a durable local consensus that respects and protects people’s human rights. There is a strong but pragmatic data protection agency that understands technology but ensures that tech companies protect the personal information of their users.

As I commented to officials while visiting nations in the Middle East, “Ireland is to data what Switzerland is to money.” In other words, it is a place where people should want to store their most precious personal information. It feels like the last place that would produce a modern-day counterpart to the Stasi prison we had walked through in Berlin.

Unfortunately, the global operation of data centers has become far more complicated than simply putting data in a place like Ireland. One reason is that more countries now want to store their data within their own borders. While this prospect had never excited the tech sector, in some ways it’s understandable. In part it’s a matter of national prestige. It also guarantees that a government can apply its own laws and ensure that its search warrants can reach all the country’s data.

The pressure to put data centers in more countries is giving rise to what rapidly is becoming one of the world’s most important human rights issues. With everyone’s personal information stored in the cloud, an authoritarian regime bent on broad surveillance can unleash draconian demands to monitor not only what people are communicating, but even what they’re reading and watching online. And armed with this knowledge, governments can prosecute, persecute, or even execute those individuals they consider threats.

This is a fundamental fact of life that everyone who works in the tech sector needs to remember every day. We’re fortunate to work in one of the most lucrative economic sectors of our lifetime. But the money at stake pales in comparison to the responsibility we have for people’s freedom and lives.

For this reason, every decision to put a Microsoft data center in a new country requires a detailed human rights assessment. I review the findings and get personally involved whenever these raise concerns—especially when the final answer needs to be no. There are countries where we have not and will not place data centers because the human rights risks are too high. And even in other nations where the risks are lower, we store business but not consumer data, put in place additional safeguards, and remain vigilant. New demands can suddenly create quiet but dramatic crises. There are days and nights that test the moral courage of those responsible for the cloud.

Even when all this goes well, a second dynamic can undo all the protection that comes from storing data in a place like Ireland. It’s when a government in one country seeks to require a tech company to turn over data stored in another. If there is no orderly process that safeguards human rights, then countries all around the world can seek to reach over each other’s borders, including into safe havens like Ireland.

In some respects, it’s not a new issue. For centuries, governments around the world agreed that a government’s power, including its search warrants, stopped at its border. Governments had the authority to arrest people and search homes, offices, and buildings within their own territory, but they couldn’t swoop into another country to snatch a person or remove documents. Instead they had to work through the government of that sovereign territory.

There were times when governments ignored this system and instead took matters into their own hands. This disrespect for borders increased international tensions and contributed to the events that eventually led to the War of 1812 between the United Kingdom and the United States. Hostilities between the two countries swelled when the British Royal Navy ruled the seas but was perpetually short of sailors for its naval war against Napoleon. To replenish its depleted crews, the British would send “press gangs” onto foreign ships and into foreign ports to kidnap men and impress them into service. While the theory was that the King’s navy was picking up British subjects, the press gangs didn’t exactly look for passports. When it was revealed that they were grabbing people indiscriminately and forcing some American citizens into the Royal Navy, the United States demanded action. The young nation barred armed British vessels from calling on American ports entirely. The message was clear: Respect our laws or leave the country.5

It would take the War of 1812 before both governments came to their senses and agreed to respect each other’s sovereignty. A new field of international treaties emerged that provided for the extradition of criminals and access to information in other countries. Many of these new agreements were called MLATs, or mutual legal assistance treaties.6 Over the past decade, however, it has become apparent that they’re often ill-suited for an era of cloud computing. Law enforcement agencies were understandably frustrated by the slow pace the MLAT process sometimes entailed, but while governments discussed ways to update the agreements and accelerate the process, progress was slow.7

As data moved to the cloud, law enforcement agents sought a way to work around the MLAT process. They would try to serve a warrant on a tech company located within their jurisdiction, demanding emails and electronic files that were stored in a data center located in another country. As they saw it, there was no longer a need to rely on an MLAT. They didn’t even need to tell the other government what they were doing.

Most governments, however, were understandably less than enthusiastic about having a tech company pull their citizens’ data and turn it over to foreigners, bypassing their own legal protections. Back in 1986 when the US Congress had enacted ECPA, it had included a provision that ensured that other countries couldn’t do this. They didn’t want to see foreigners act like press gangs for digital data. ECPA made it a crime for a US tech company to turn over certain types of digital data such as email, even in response to a legal demand from a foreign government. Similarly, the 1968 Wiretap Act made it a crime to intercept, or wiretap, communications inside the United States for a foreign government. We were required instead to go through an established international process with an MLAT.

Europe’s laws were less explicit, but we knew their views mattered as much as those of people in our own country. They didn’t like foreign governments reaching into their territory any more than American officials did, especially because the European Union and its members had enacted strong laws to protect their citizens’ privacy rights. We knew that like British ships in American ports in the early 1800s, our data centers would be welcome on European soil only if we agreed to respect local laws.

As cloud computing became more ubiquitous and data more accessible, however, the temptation for governments to act unilaterally to seek data in other countries proved irresistible. On an individual, case-by-case basis, this was understandable. A law enforcement investigator needed information and wanted it as quickly as possible. Why take the time to go through a lengthy MLAT process with another government if a tech company with an office down the street could be compelled to act more quickly? If the other government objected, the tech company would end up dealing with the fallout rather than a local prosecutor.

At Microsoft, we soon found ourselves in the middle of these new battles, ducking bullets from both sides. Cases in two countries came to epitomize this challenge.

One country was Brazil. On a January morning in 2015, one of the leaders of our Brazilian subsidiary was in Redmond for a sales meeting when he stepped out into the hallway to answer a call from his wife. She was home in São Paulo and sounded frantic. The Brazilian police had come to arrest him and were demanding that he appear. They’d burst through the building’s gates and locked down his apartment. What was his crime? He worked for Microsoft.

The Brazilian police insisted that we turn over personal communications in connection with an ongoing criminal investigation under Brazilian law. But we had no data center in Brazil at the time, and the laws of physics would require this to occur in the United States. We explained that this would constitute committing a crime under US law, and instead we encouraged them to work through the MLAT process in place between the two countries. The Brazilian authorities took a dim view of our suggestion. They had already brought one criminal case against another one of our local executives in São Paulo in a similar situation, and fines against Microsoft were rising on a monthly basis.

We asked Nate Jones to try to negotiate with the Brazilian officials. “We were stuck between a rock and a hard place, and the Brazilian rock didn’t want to budge,” he later said.

While it was easy for Nate to continue to address the issue from the security of his office in Redmond, our local leaders in Brazil didn’t have that luxury. The authorities in São Paulo briefly jailed one of our executives and refused for years to dismiss the criminal charges against him. We readily took on the expenses to defend him in court and said we’d move him and his family out of Brazil if they wanted. We also took on the challenge of appealing more than $20 million in fines against the company.

The second challenge came from the United States. In late 2013, a warrant had arrived demanding email records in connection with a drug trafficking investigation. While that was typical, a review of the account quickly revealed something that was not. These emails appeared to belong to someone who was not a US citizen. And they were stored not on American soil but in Ireland.

We hoped the FBI and DOJ would turn to the Irish government for assistance. After all, the United States and Ireland are close, friendly allies with an updated MLAT in place. We spoke with officials in Dublin and confirmed they were willing to help. But the DOJ officials didn’t like the precedent this set for a practice they didn’t want to pursue. They said we needed to comply with the warrant.

For us, the precedent was equally important. If the US government could reach into Ireland without regard to Irish law or even having to let the Irish government know, then any other government could do the same thing. And they could try to do this anywhere. We decided to litigate rather than concede.

In December 2013, we took our case to federal court in New York. Our journey to the courthouse building in Foley Square in Lower Manhattan brought me back to my professional roots. I had spent my first year after graduating from Columbia Law School in 1985 working for a district judge on the twenty-second floor of the same narrow building near Wall Street. The clerkship provided an insider’s view of the mechanics of the law.

New York felt a long way from the town of Appleton, in northeastern Wisconsin where I had grown up. And while the big city was quite a departure from my Midwestern upbringing, I hadn’t appreciated when I arrived for my first morning of work that I also was something of a novelty. I brought not only the eager disposition of a new law school graduate, but a sight that was unusual for the storied courthouse—a new employee carrying a heavy but powerful personal computer.8

I had bought my first computer the preceding fall at a time when, for most people, the devices were still uncommon. If truth be told, the soon-to-be-discontinued IBM PCjr wasn’t much of a computer. But I had loaded on it a software program that had transformed my final year of law school. It was version 1.0 of Microsoft Word. I loved the software so much that I still have the disks, manual, and plastic case sitting in my home office today. Compared to a pen and paper or the typewriter I had used in college, word processing was like magic. Not only could I write faster, I could write better. So I persuaded my wife, Kathy, a new lawyer herself, that before starting my first job, I should spend ten percent of my annual $27,000 salary to buy a better PC and install it in my office at work. Thank goodness she was so supportive.

The judge for whom I worked was seventy-two years old at the time, and the office with my desk was filled with shelves of well-organized boxes containing his meticulous handwritten notes from more than two decades of trials and cases. There was an elaborate—and time-tested—filing system with typed cards for each of the points that needed to be assembled for jury instructions. My arrival with a personal computer raised some eyebrows. That’s when I first realized the importance of using my computer to do what I needed to do better—writing memos and drafting legal decisions—without upsetting old practices that still worked well. It’s a valuable lesson that I take with me to this day: Use technology to improve what can be improved while respecting what works well already.

Fast-forward to 2014, and once again we were injecting new computing technology into the same courthouse. We knew we likely faced a long battle, a view that was quickly confirmed when a local magistrate judge ruled against us, setting the stage for a lengthy climb up a tall appellate ladder.

The public response to our case was swift, especially across Europe. A month after our defeat, I traveled for a series of meetings that started in Berlin with government officials, members of Parliament, customers, and reporters. While I knew our Irish warrant case would be of interest, I hadn’t expected the intensity and consuming focus on the case. In truth, as I began the first morning at eight o’clock talking with a reporter, I struggled before my second cup of coffee to recall the name of the magistrate judge who had issued the initial decision against us. Our litigation team had already recovered from the blow, picked itself up, and was warming up for round two before the district judge. We’d moved on, but I quickly learned that the Germans had not.

By the end of my two days in Berlin, the minutiae of the decision and the name of the magistrate judge who had written it were seared in my memory. Everywhere I went, people almost immediately started talking to me about Judge Francis. Almost no one outside a small legal circle in New York had heard of him, but in Berlin in 2014, James C. Francis IV, the magistrate judge who had ruled against us, had become a household name.

The questions seemed endless. “What did he mean by . . . ? Why did he say . . . ? What happens next?” The Germans brought copies of Judge Francis’s decision that they’d carefully annotated. A few people read passages aloud to me. Many had studied every page.

By the time I sat down the first afternoon with the chief information officer for one of Germany’s largest states, I was weary. The CIO laid Judge Francis’s decision on the mahogany table between us. He ground his index finger squarely into the legal decision and declared, “There is absolutely no way that my state will ever put any of our data in an American company’s data center unless you get this reversed.”

The issue followed us on our international travels that entire year. In Tokyo, I had not expected the same reaction I’d experienced in Berlin. But at a reception I was besieged by a crowd of enterprise customers determined to tell me in person how important the outcome of our Irish data center case was to their business. “Microsoft must win this case,” they said again and again. They too would watch closely as our case worked its way through the courts. At public appearances around the world, I repeatedly vowed that we would stick with the case and attempt to take it all the way to the Supreme Court if needed.

As the case slowly ground forward, we recognized that even if we won, the lawsuit had its limitations. It could call the question on the reach of search warrants under existing law, but it could never put in place a new law or the new generation of international treaties needed to move past outdated MLAT agreements.

We started to draft new proposals and walk the halls of government offices around the world in search of allies who might spearhead the broader initiatives needed. Legislation was introduced in Congress,9 but we also needed to couple this with new international agreements.

In March 2015, we caught a break. A meeting I attended at the White House created an opportunity to review ongoing privacy and surveillance issues. As I described the criminal case against our Brazilian executive and the fines against Microsoft, President Obama interrupted and observed, “This sounds like a mess.” The group discussed and the president endorsed the opportunity to develop a new approach to international agreements, preferably with one or two key allied governments like the United Kingdom or Germany.

Eleven months later, in February 2016 and with little fanfare, the UK and US proposed the draft for a more modern bilateral data-sharing agreement. One of our building blocks was now emerging. But the agreement couldn’t go into effect without a new statute passed by Congress, and despite broadening endorsements across Capitol Hill, the DOJ continued to balk at any legislation that would change the way it used search warrants to obtain data around the world. We faced a legislative stalemate, and without a broader compromise it was difficult to be optimistic about our prospects.

As it turned out, the Supreme Court itself broke the stalemate, and in an unlikely way.

It would take until late February 2018, but on an unseasonably warm morning we walked down First Street in Washington, DC, toward the towering pearly facade of the United States Supreme Court.10 We paused to take in the magnificent sight where the global implications of cloud computing would be presented to the Court’s nine justices.

The Supreme Court’s majestic four-story building sits directly across from the US Capitol—the physical intersection of the American judicial and legislative branches. Look one direction and the Capitol’s gleaming dome fills the sky. Turn around and you’ll gaze up the stretch of deep marble steps, past soaring columns, toward a pair of tall carved doors that mark the court’s entrance.

When we arrived on February 27, a long trail of people snaked down the iconic staircase and around the block, a line of hopeful observers waiting to watch us face off against our own government. This would be the final judicial showdown in a battle that had started four years earlier when we refused to move email across the Atlantic from Ireland.

It was the fourth time Microsoft had argued a case before the Supreme Court. I’ve always found it a striking experience. We bring the issues created by the world’s most modern technology into a courtroom that looks the way it did almost a century ago. No phones and no laptops are permitted. Each time, after I leave my devices behind, I take my seat in the massive red chamber that resembles a curtained stage. I then gaze up at the courtroom’s lone piece of technology: a clock.

I’ve come to appreciate the Supreme Court’s ability to consider technology’s implications in a setting where no modern technology is in view. Our first case before the court, back in 2007, involved patent issues that arose, coincidentally, from our CD manufacturing in Ireland.11 A week after the argument, I encountered one of the court’s senior administrators, who said, “You looked a little dismayed when some of the justices were speaking.”

I realized that I clearly had not done a good job of keeping a poker face. I still remember the occasion. At the time, one of the justices was discussing with opposing counsel the implications of Microsoft “sending photons” from New York to computers in Europe.12

“What has this case got to do with photons?” I wondered. “And why are we talking about New York?”

But I had learned a valuable lesson that went beyond the need for me to keep a straight face during the hearing. The justices didn’t always understand every detail of the latest technology, but they had younger clerks who did. And the justices complemented that factual understanding with wisdom and judgment that often went even beyond the law itself. Despite the public rancor over nominations and certain controversial cases, the Supreme Court remains one of the world’s truly great institutions. Most days nine justices try to reason through challenging problems together. I’ve been in courtrooms around the world and have developed a confidence in what the US Supreme Court can accomplish.

On this morning, after an hour of oral argument, the court’s nine justices left both sides with less confidence than either of us would have liked. While there was ample room to speculate on who might triumph, it was impossible to make a prediction with great confidence. Whether by accident or by design, the justices created the perfect atmosphere to encourage both sides to reach a settlement.

But there remained a huge hurdle. Only if a new law was passed could both sides agree that a Supreme Court ruling was no longer necessary. In other words, a settlement required new legislation that could only come from the other side of First Street, the Capitol.

At one level, asking for an act of Congress felt like asking for an act of God. Congress was divided on almost everything, and it wasn’t in the habit of passing much legislation. But we saw a small window of opportunity. I talked through our options with Fred Humphries, a long-standing Washington hand who leads our government affairs team. Together with the White House, we decided to try.

It would not have been conceivable without bipartisan efforts in both the Senate and House of Representatives that had begun shortly after we had filed the lawsuit four years before. But after two legislative hearings and a slew of iterations, we sat down for a final round of discussions with the DOJ that was brokered by Senator Lindsey Graham, using his position as chairman of the Senate Judiciary Subcommittee on Crime and Terrorism.

Graham acted with determination to encourage people to come together. He had held a well-attended hearing at which I had testified almost a year earlier, in May 2017. The British government sent its deputy national security adviser, Paddy McGuinness, to testify as well, given the implications for its international agreement with the United States. He combined an amiable Scottish disposition with a pragmatic but hardheaded understanding of what it took to fight terrorism in the UK. White House Homeland Security adviser Tom Bossert talked regularly with McGuinness and pushed everyone to find common ground in Congress.

Following the Supreme Court’s argument, there soon emerged a new text that both sides agreed to support. It was given a new name, the Clarifying Lawful Overseas Use of Data Act, or CLOUD Act.

The legislation had provisions that we cared about. It balanced the international reach for search warrants that the DOJ wanted with a recognition that tech companies could go to court to challenge warrants when there was a conflict of laws. This meant that if Ireland, Germany, or the entire European Union wanted to block unilateral foreign search warrants through their local laws and instead compel a more transparent or collaborative approach, they could do so and we could rely on this in a US courtroom.

Even more important, the CLOUD Act created the new authority for modern international agreements that could replace these unilateral efforts. These agreements can enable law enforcement agencies to access data in another country with faster and more modern procedures, but with rules to protect privacy and other human rights. Like all legislation, especially those that involve compromise, it wasn’t perfect. But it had most of what we had spent more than four years trying to advance.

But finding a vehicle to get the CLOUD Act passed remained a big problem. It was unlikely that both the Senate and the House would have time on their legislative calendars to take up the issue by itself, especially in the short time before the Supreme Court ruled. We’d need to attach it to another piece of legislation.

We recognized that the only real prospect for passage would be to attach the proposal to a budget bill. This would be a difficult stretch for two reasons. First, Congress was having a hard time passing budget bills. And second, for that very reason congressional leaders had become reluctant to attach non-budget proposals to budget bills.

It was apparent, however, that with Senator Graham’s support Senate Republicans might support the idea. But it would go nowhere if Senate Democrats balked. We knew immediately that there was one person who could make a difference. In many ways, we regarded him not only as a legislative leader but also as a veritable force of nature—Senate Minority Leader Chuck Schumer. While he was only remotely familiar with the issue, he studied it quickly and took the cause on board.

With Bossert, Graham, and Schumer all pushing, there ensued a feverish effort to bring along leaders in the House of Representatives. Soon both Speaker Paul Ryan and Minority Leader Nancy Pelosi were steeped in discussions about whether to include the CLOUD Act in the budget bill. Negotiations led to another round of amendments. Every couple of days it seemed as if the effort was almost dead, but we talked repeatedly with Bossert and we all resolved not to give up. Remarkably, after many rounds of calls and conversations, it stayed alive. And on March 23, 2018, President Donald Trump signed an omnibus budget bill that included it. The CLOUD Act was now law,13 and the Supreme Court case would shortly be settled.

It had been more than four years since we had first gone to the federal courthouse in New York. But it had been less than a month since we had left the steps of the Supreme Court. The final stages had proceeded so quickly that it took by surprise even those of us who had been involved in every detail.

While we were pleased with the result, it also made for some mixed feelings. We believed the CLOUD Act made for a strong law. But as with all legislation and all court settlements, it also had elements of compromise. One thing we had learned long ago was that it was more fun to fight a battle but typically more rewarding to strike a deal. It usually was the only way to make progress. And deals required some give-and-take.

They also required that we do a good job of explaining the result, especially when it was complicated. That was one reason we typically planned for a variety of outcomes and had communications material ready to go. But the CLOUD Act had moved so quickly and required so much time talking with people in Washington that we were less prepared for this aspect than we should have been.

Inquiries started to pour in from customers, privacy groups, and government officials around the world about what the CLOUD Act said and how it would really work. Customers had questions, and privacy groups expressed concerns. We scrambled, and soon we were providing briefings around the world and publishing material to fill the gap.14 It was an exercise that involved Microsoft sales reps in almost every country—a fact brought home as I was stopped on the street a month later in France by a local Microsoft employee who recognized me as I walked by the restaurant where he was eating dinner. His dinner grew cold as he chased me, recovered his breath, and peppered me with questions about the new law.

The outcome reflected both how far we had come and how far the world still needs to go. There is now a framework for a different future based on new agreements between nations. As US Assistant Attorney General Richard Downing said on the CLOUD Act’s first anniversary, the law “offers not simply a solution to the challenge of this moment, but also an aspirational kind of solution.” As he explained, it’s “a solution aimed at fostering a community of like-minded, rights-respecting countries that abide by the rule of law—where countries can minimize their conflicts of law and advance their mutual interests based on shared values and mutual respect.”15

But the CLOUD Act is like a foundation on which new houses must be built. We live in a world where law enforcement must move quickly, privacy and other human rights need protection, and countries’ borders deserve respect.

New international agreements can accomplish all of these if they’re put together thoughtfully and pursued with persistence.

In other words, years of work still lie ahead.