Why Microsoft's Victory in Irish Email Case Matters

Microsoft Email Ruling will Make GDPR Conformance Simpler and the Privacy Shield Stronger

Microsoft is not required to hand the personal data of a customer stored on a server in Dublin, Ireland to the U.S. government on the basis of a search warrant issued under the Stored Communications Act. This is the ruling of the U.S. Second Circuit Court of Appeals delivered Thursday: "the Stored Communications Act does not authorize courts to issue and enforce against U.S.-based service providers warrants for the seizure of customer e-mail content that is stored exclusively on foreign servers."

Microsoft's chief legal officer, Brad Smith, told the BBC that the ruling "makes clear that the U.S. government can no longer seek to use its search warrants on a unilateral basis to reach into other countries and obtain the emails that belong to people of other nationalities. It tells people they can indeed trust technology as they move their information to the cloud."

It is an important ruling with major implications for international relations -- especially between the U.S. and Europe. It will make U.S. business conformance with the General Data Protection Regulation (GDPR) simpler, and make the Privacy Shield stronger.

Last year the European Court of Justice struck down the EU/US safe harbor arrangements (Privacy Shield's predecessor) as unconstitutional. Part of the reason was an assumption that the U.S. government had automatic access without judicial overview to European PII held by U.S. companies.

The easiest option for many organizations would be to store their European data on servers located within Europe. However, if the U.S. government can simply demand that data, then GDPR would still hold the U.S. organizations responsible as the data controllers for the potentially illegal export of European PII. The same arguments that led to the failure of safe harbor would apply to U.S. companies storing data within Europe, and the same argument could be used by European privacy activists to challenge the new Privacy Shield replacement.

When the U.S. government demanded that Microsoft hand over the data of one of its customers stored on a server in Dublin, it did so by means of a search warrant issued under the Stored Communications Act. It is believed that the subject is an Irish man thought to be an administrator in the Silk Road dark web illicit marketplace. The U.S. government is separately seeking his extradition to face charges, and access to his emails was requested in the expectation that it would both facilitate the extradition and provide evidence for the charges.

Microsoft took what many commentators in both the U.S. and Europe consider to be a principled position and refused to comply with the search warrant. It has always held that the Stored Communications Act was never meant to apply extraterritorially. The government's somewhat nuanced argument was that the actual 'search' of the data would take place within the U.S. and thus would not be extraterritorial -- and it took the matter to the courts for enforcement. Despite the government prevailing in all of the lower courts, Microsoft continually refused to comply and appealed the court decisions in each instance.

Now its position has been justified, with the court declaring, "we REMAND this cause to the District Court with instructions to quash the warrant insofar as it demands user content stored outside of the United States." However, it was a close call. While the judges agreed that the wording of the law meant that it should apply within the U.S. alone, Circuit Judge Gerard Lynch added his own commentary "to explain why I believe that the government's arguments are stronger than the Court's opinion acknowledges; and to emphasize the need for congressional action to revise a badly outdated statute."

Lynch does not believe that government access to the data was a privacy matter; merely a poorly worded legal matter. He wrote, "the statute should be revised, with a view to maintaining and strengthening the Act's privacy protections, rationalizing and modernizing the provisions permitting law enforcement access to stored electronic communications and other data where compelling interests warrant it, and clarifying the international reach of those provisions."

The court's decision does not mean that the government will never be able to obtain the information it seeks. The most likely outcome is that it will be forced to use the route it originally rejected as too slow and cumbersome: the use of a Mutual Legal Aid Treaty (MLAT) that will ensure judicial overview of the process.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.