We reported in October last year that the US Government was taking Microsoft to the full 8 member panel appeals court after the 3 judge panel ruled in July 2016 that the Stored Communications Act “does not authorise courts to issue and enforce against U.S.-based service providers warrant in Microsoft’s long-running privacy and data jurisdiction case.
The case began in December 2013 when a New York district court judge issued a warrant asking Microsoft to produce all emails and private information associated with a certain account hosted by Microsoft. The account’s emails were stored on a server located in Dublin, Ireland, one of many datacenters held by Microsoft around the world to improve the speed of service it provides its non-U.S. customers. Microsoft provided account information kept on its U.S. servers but refused to turn the emails over, arguing that a U.S. judge has no authority to issue a warrant for information stored abroad.
Microsoft moved to vacate the warrant for the content held abroad on 18 December 2013. In May 2014, a federal magistrate judge disagreed with Microsoft and ordered it to turn over the emails. Microsoft appealed to the District Court for the Southern District of New York.
In July 2016 it looked like Microsoft had won in front of the 3 judge panel, but the US government did not let the case lie and appeared to the full 8 judge panel.
Now the verdict from the case has come down, with the Second Circuit Court of Appeals in New York being split 4-4 in a vote on Tuesday, leaving an earlier July decision in place, meaning the Justice Dept. cannot force Microsoft to turn over customer data stored on servers outside the US.
Judge Susan Carney, who voted to keep the earlier decision in place, argued that the Justice Dept.’s actions would have would bypassed existing mutual law enforcement treaties.
“And it is for just this sort of reason that the government has in other circumstances taken a position, somewhat in tension with the one it takes here, that courts should be particularly solicitous of sovereignty concerns when authorizing data to be collected in the United States but drawn from within the boundaries of a foreign nation,” she said.
Judge Jose Cabranes wrote in dissent that the decision has “indisputably, and severely, restricted an essential investigative tool used thousands of times a year in important criminal investigations around the country.”
“To top this off, the panel majority’s decision does not serve any serious, legitimate, or substantial privacy interest,” he added.
Microsoft president and chief legal officer Brad Smith said he welcomed the decision.
“We need Congress to modernize the law both to keep people safe and ensure that governments everywhere respect each other’s borders. This decision puts the focus where it belongs, on Congress passing a law for the future rather than litigation about an outdated statute from the past,” he said.
Microsoft has insisted that if the US government wanted access to the data they should pursue existing legal avenues to access the data, such as going through the EU mechanisms for law enforcement and data transfer. The government complained this was slow and cumbersome, though Ireland’s government earlier offered to speed up evaluation of any request that the US government would make in this case.
Microsoft also noted that instead of forcing the company to compromise their business the government should fix any issues with the current data sharing agreements with foreign governments.
If the US Government prevailed in its insistence that it has jurisdiction over any data held overseas by an American company it would have a damaging effect on the business of cloud service companies such as Microsoft and Google, who may be shut out of markets such as the EU with tight privacy laws.
The case may still end up going to the Supreme Court, with a Justice Dept. spokesperson telling ZDNet that the department is “reviewing the decision and its multiple dissenting opinions and considering our options.”