Microsoft wins appeal against US government over cross-border data jurisdiction

Microsoft has just won its appeal against the US Government in a long-running case over their request to access data Microsoft held in Ireland on an Irish national.

The case began in December 2013 when a New York district court judge issued a warrant asking Microsoft to produce all emails and private information associated with a certain account hosted by Microsoft. The account’s emails were stored on a server located in Dublin, Ireland, one of many datacenters held by Microsoft around the world to improve the speed of service it provides its non-U.S. customers. Microsoft provided account information kept on its U.S. servers but refused to turn the emails over, arguing that a U.S. judge has no authority to issue a warrant for information stored abroad. Microsoft moved to vacate the warrant for the content held abroad on 18 December 2013. In May 2014, a federal magistrate judge disagreed with Microsoft and ordered it to turn over the emails. Microsoft appealed to the District Court for the Southern District of New York.

The district court found in favour of the government and Microsoft appealed to the Second Circuit.

Today the 2nd U.S. Circuit Court of Appeals in New York overturned the court order requiring Microsoft to turn over to the U.S. government the contents of a customer’s email account stored on an Irish server.

A three-judge panel ruled that the Stored Communications Act “does not authorize courts to issue and enforce against U.S.?based service providers warrants for the seizure of customer e?mail content that is stored exclusively on foreign servers,” and that the “presumption against extraterritorial application of United States statutes is strong and binding.”

Microsoft insists that if the US government wanted access to the data they should pursue existing legal avenues to access the data, such as going through the EU mechanisms for law enforcement and data transfer.  Ireland’s government coming out in support of Microsoft and even offering to speed up evaluation of any request that the US government would make in this case.

In a blog post Microsoft’s chief counsel Brad Smith wrote:

We obviously welcome today’s decision by the United States Court of Appeals for the Second Circuit. The decision is important for three reasons: it ensures that people’s privacy rights are protected by the laws of their own countries; it helps ensure that the legal protections of the physical world apply in the digital domain; and it paves the way for better solutions to address both privacy and law enforcement needs.

First, this decision provides a major victory for the protection of people’s privacy rights under their own laws rather than the reach of foreign governments. It makes clear that the U.S. Congress did not give the U.S. government the authority to use search warrants unilaterally to reach beyond U.S. borders. As a global company we’ve long recognized that if people around the world are to trust the technology they use, they need to have confidence that their personal information will be protected by the laws of their own country.

While Microsoft filed and persisted with this case, we benefited every step of the way from the broad support of many others. We are grateful for this support, including the filing of amicus briefs in the case by 28 technology and media companies, 23 trade associations and advocacy groups, 35 of the nation’s leading computer scientists and the government of Ireland itself. The enormous breadth of this support has been vital to the issue, and it remains so as we look to the future.

Second, since the day we filed this case, we’ve underscored our belief that technology needs to advance, but timeless values need to endure. Privacy and the proper rule of law stand among these timeless values. We hear from customers around the world that they want the traditional privacy protections they’ve enjoyed for information stored on paper to remain in place as data moves to the cloud. Today’s decision helps ensure this result.

Finally, as we’ve recognized since we filed this case, the protection of privacy and the needs of law enforcement require new legal solutions that reflect the world that exists today – rather than technologies that existed three decades ago when current law was enacted. We’re encouraged by the recent bipartisan support that has emerged in Congress to consider a new International Communications Privacy Act. We’re also encouraged by the work of the U.S. Justice Department in pursuing a new bilateral treaty approach with the government of the United Kingdom.

Today’s decision means it is even more important for Congress and the executive branch to come together to modernize the law. This requires both new domestic legislation and new international treaties. We should not continue to wait. We’re confident that the technology sector will continue to roll up its sleeves to work with people in government in a constructive way. We hope that today’s decision will bring an impetus for faster government action so that both privacy and law enforcement needs can advance in a manner that respects people’s rights and laws around the world.

The win is good news for both privacy advocates and US cloud businesses, as if the US Government prevailed in its insistence that it has jurisdiction over any data held overseas by an American company it would have a damaging effect on the business of cloud service companies such as Microsoft and Google, who may be shut out of markets such as the EU with tight privacy laws.