A court has ruled that the US government cannot use US law to access customer emails in other countries, after Microsoft appealed against a warrant demanding emails storied in an Irish data center.
New York officials working on a drugs trial had demanded access to emails belonging a Microsoft customer, which were held in Microsoft’s Dublin data center. Microsoft appealed the ruling, arguing that the government could not apply the US Stored Communications Act outside of the United States. Now, New York’s Second Circuit Court of Appeals has ruled in favor of Microsoft and struck down the original court order. The US government can still appeal this ruling, however.
It’s not over yet
The case has been seen as a key challenge to US government access to online data outside its borders. After the scale of this snooping was revealed by leaks, service providers have been promoting the benefits of holding data locally, as a means to limit such access. This case challenged that approach, as the US government was attempting to argue that US law applied to data held in Microsoft’s data center.
Microsoft’s decision to fight it has been backed by tech firms including AT&T, Verizon and Apple, and privacy groups such as the Electronic Frontier Foundation.
The appeal has taken nearly two years since Microsoft initially refused to hand over the emails, and the story is not yet over, as the US law enforcement bodies can appeal to the Supreme Court.
There is also other legislation in the pipeline, which might supersede the laws currently in play. The US has Mutual Legal Assistance Treaties (or MLATs) with other nations including the Ireland (and the UK) which set out the conditions under which each nation should recognize warrants from foreign courts. to serve warrants directly to companies without navigating foreign courts.
For now, the decision is being welcomed by Microsoft and others. A statement from Microsoft’s chief legal officer Brad Smith said: ”We obviously welcome today’s decision by the Second Circuit Court of Appeals. The decision is important for three reasons: it ensures that people’s privacy rights are protected by the laws of their own countries; it helps ensure that the legal protections of the physical world apply in the digital domain; and it paves the way for better solutions to address both privacy and law enforcement needs.”