US government takes Microsoft to full Appeals court over cross-border data jurisdiction

Digital Privacy

In July this year it looked like Microsoft had won its appeal against the US Government in a long-running case over their request to access data Microsoft held in Ireland on an Irish national.

The case began in December 2013 when a New York district court judge issued a warrant asking Microsoft to produce all emails and private information associated with a certain account hosted by Microsoft. The account’s emails were stored on a server located in Dublin, Ireland, one of many datacenters held by Microsoft around the world to improve the speed of service it provides its non-U.S. customers. Microsoft provided account information kept on its U.S. servers but refused to turn the emails over, arguing that a U.S. judge has no authority to issue a warrant for information stored abroad. Microsoft moved to vacate the warrant for the content held abroad on 18 December 2013. In May 2014, a federal magistrate judge disagreed with Microsoft and ordered it to turn over the emails. Microsoft appealed to the District Court for the Southern District of New York.

The district court found in favour of the government and Microsoft appealed to the Second Circuit.

On the 14th July 2016 a three-judge panel from the 2nd U.S. Circuit Court of Appeals in New York overturned the court order requiring Microsoft to turn over to the U.S. government the contents of a customer’s email account stored on an Irish server.

The 3 judge panel ruled that the Stored Communications Act “does not authorize courts to issue and enforce against U.S.-based service providers warrants for the seizure of customer e-mail content that is stored exclusively on foreign servers,” and that the “presumption against extraterritorial application of United States statutes is strong and binding.”

The Government has however not let the case lie, and has taken the case to the full panel of the US Appeals court. There they argued that the law trumped privacy concerns, saying there was a “widespread recognition that the limit of privacy is reached where the warrant begins.”

They also argued that as Microsoft had control of the data in Ireland there was no extraterritorial issue and that allowing a private company to thwart a legal request from the government set a dangerous precedent, saying “The opinion has created a regime where … private, for-profit businesses answerable only to their shareholders can thwart legitimate and important criminal and national security investigations.”

Microsoft insists that if the US government wanted access to the data they should pursue existing legal avenues to access the data, such as going through the EU mechanisms for law enforcement and data transfer. The government complained this was slow and cumbersome, though Ireland’s government earlier offered to speed up evaluation of any request that the US government would make in this case.

Microsoft also noted that instead of forcing the company to compromise their business the government should fix any issues with the current data sharing agreements with foreign governments. If the US Government prevailed in its insistence that it has jurisdiction over any data held overseas by an American company it would have a damaging effect on the business of cloud service companies such as Microsoft and Google, who may be shut out of markets such as the EU with tight privacy laws.

“Three experienced judges already agreed this 30-year-old law doesn’t apply to email content abroad,” Microsoft spokesman David Cuddy said in a statement to The Washington Post. “We want to work with Congress and the Justice Department on a modern solution that benefits both privacy and public safety rather than debating the reach of obsolete law.”

It appears whoever ultimately wins the case may eventually find its way to the US Supreme Court where it may then finally be resolved.