Court case bolsters Microsoft’s cross-border data jurisdiction case

Digital Privacy

Microsoft is embroiled in a long-running case against the US government over their request to access data Microsoft held in Ireland on an Irish national.

The case began in December 2013 when a New York district court judge issued a warrant asking Microsoft to produce all emails and private information associated with a certain account hosted by Microsoft. The account’s emails were stored on a server located in Dublin, Ireland, one of many datacenters held by Microsoft around the world to improve the speed of service it provides its non-U.S. customers. Microsoft provided account information kept on its U.S. servers but refused to turn the emails over, arguing that a U.S. judge has no authority to issue a warrant for information stored abroad. Microsoft moved to vacate the warrant for the content held abroad on 18 December 2013. In May 2014, a federal magistrate judge disagreed with Microsoft and ordered it to turn over the emails. Microsoft appealed to the District Court for the Southern District of New York.

The district court found in favour of the government and Microsoft appealed to the Second Circuit.

Now the US Supreme Court has ruled on an unrelated case which should nevertheless provide a useful precedent for Microsoft’s case.

The case before the Supreme Court arose from allegations that tobacco and food company RJR Nabisco and related entities participated in a global money-laundering scheme in association with various organized crime groups. The European Community and 26 of its member states first sued RJR in the Eastern District of New York in 2000, alleging that RJR had violated RICO.

The Supreme Court ruled nothing in the text of RICO establishes that Congress meant to allow a provision for private lawsuits to recover for injuries outside the U.S.. “A private RICO plaintiff therefore must allege and prove a domestic injury to its business or property,” it added.

The implication is therefore that US laws do not apply overseas unless Congress explicitly states so in the law’s body.

Microsoft has pointed out point out that the Electronics Communications Privacy Act, which is being used by the government against the company, does not apply outside of US borders.

Microsoft insists that if the US government wanted access to the data they should pursue existing legal avenues to access the data, such as going through the EU mechanisms for law enforcement and data transfer.  Ireland’s government coming out in support of Microsoft and even offering to speed up evaluation of any request that the US government would make in this case.

If the US Government prevails in its insistence that it has jurisdiction over any data held overseas by an American company it could have a damaging effect on the business of cloud service companies such as Microsoft and Google, who may be shut out of markets such as the EU with tight privacy laws.