Microsoft Wins Landmark Cloud Case Over Emails Stored In Ireland

The United States government cannot force Microsoft to hand over emails and communications stored in servers outside of the US, a court ruled on Thursday in what is a major win for privacy advocates and Microsoft itself.

The 3-0 ruling by the 2nd US Circuit Court of Appeals means that the US Department of Justice cannot make Microsoft give it access to servers located in Ireland, which the DoJ wanted to investigate a drugs case.

Circuit Judge Susan Carney concluded that emails held by US providers held overseas are outside of the remit of domestic search warrants issued under the Stored Communications Act (SCA).

Disadvantage

The court also argued that US providers would be at a competitive disadvantage if they were forced to hand over communications data stored overseas.

“This Court should not endorse that view, which risks placing US providers at a significant competitive disadvantage in foreign markets,” said the ruling.

“This Court should conclude that the SCA does not authorise US courts to issue warrants that operate extraterritorially to compel providers to disclose foreign information lacking a substantial nexus to the US.”

The ruling has overturned a previous decision in 2014 that ordered Microsoft to release the emails of a suspected narcotics criminal to the Department of Justice, in a case related to Silk Road.

Microsoft had said that if it lost the case, a “global free-for-all” would start, with any country able to ask US companies to hand over data stored in servers. The DoJ had argued that a ruling in favour of Microsoft would give criminals the ability to exploit legal loopholes.
UK-based privacy campaigner Open Rights Group welcomed the ruling, and urged the UK government to take note.

“States should not arbitrarily reach across borders just because they feel they can bully companies into doing so,” said Open Rights Group’s Legal Director Myles Jackman.

“We urge the UK Government to take note as the Investigatory Powers Bill will also attempt to create powers compelling overseas companies to do the UK’s bidding. We need to establish a firm principle that companies abide by domestic law where they operate, rather than being answerable to every government across the globe that makes demands of them. The established route for requests for data by law enforcement agencies should be through treaties.”

The Information Technology and Innovation Foundation (ITIF) also applauded the decision.

“We are pleased to see that the Court has recognized that the Stored Communications Act does not allow the government to compel a service provider, such as Microsoft, to produce the private data of its customers when that information is located abroad,” said Daniel Castro, ITIF vice president.

“While this ruling helps clarify an important question about the privacy of data stored in the cloud, more reforms are still needed to prevent negative consequences from this decision. The risk now is that foreign governments may try to force companies to store data within their borders to make it impossible for US officials to execute a search warrant, an outcome that would raise costs for consumers and limit innovation.”

The case has highlighted ongoing tension between cloud computing providers and governments over data sovereignty and location, and the ruling will likely set precedent over using decades-old laws in the modern era of cloud.

In April, Microsoft told TechWeekEurope that it needs to be explicit and transparent in alerting customers to when their data may be handed over to any third parties, including “surveillance” agencies and the US government.

The company’s comments came two days before Microsoft sued the United States government for the right to tell its customers when a federal agency may be snooping on their emails and other data stored on cloud servers.

However, when Microsoft does receive so-called ‘lawful’ data requests from governments, the company offers up that data. Once such instance is in the aftermath of the Paris terrorist attacks last November.

Microsoft said it received 14 lawful requests for data related to terror suspects in France and Belgium, and responded to the government requests within 30 minutes. Issues of national security are obviously an exceptional circumstance, said Microsoft.

Take our cybersecurity quiz here!