CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?



Why Microsoft’s Victory in Irish Email Case Matters

Microsoft Building

Microsoft Email Ruling will Make GDPR Conformance Simpler and the Privacy Shield Stronger

Microsoft Building

Microsoft Email Ruling will Make GDPR Conformance Simpler and the Privacy Shield Stronger

Microsoft is not required to hand the personal data of a customer stored on a server in Dublin, Ireland to the U.S. government on the basis of a search warrant issued under the Stored Communications Act. This is the ruling of the U.S. Second Circuit Court of Appeals delivered Thursday: “the Stored Communications Act does not authorize courts to issue and enforce against U.S.-based service providers warrants for the seizure of customer e-mail content that is stored exclusively on foreign servers.”

Microsoft’s chief legal officer, Brad Smith, told the BBC, the ruling “makes clear that the U.S. government can no longer seek to use its search warrants on a unilateral basis to reach into other countries and obtain the emails that belong to people of other nationalities. It tells people they can indeed trust technology as they move their information to the cloud.”

It is an important ruling with major implications for international relations — especially between the U.S. and Europe. It will make U.S. business conformance with the General Data Protection Regulation (GDPR) simpler, and make the Privacy Shield stronger.

Last year the European Court of Justice struck down  the EU/US safe harbor arrangements (Privacy Shield’s predecessor) as unconstitutional. Part of the reason was an assumption that the U.S. government had automatic access without judicial overview to European PII held by U.S. companies.

The easiest option for many organizations would be to store their European data on servers located within Europe. However, if the U.S. government can simply demand that data, then GDPR would still hold the U.S. organizations responsible as the data controllers for the potentially illegal export of European PII. The same arguments that led to the failure of safe harbor would apply to U.S. companies storing data within Europe, and the same argument could be used by European privacy activists to challenge the new Privacy Shield replacement.

When the U.S. government demanded from Microsoft that it hand over the data of one of its customers stored on a server in Dublin it did so by issuing a search warrant issued under the Stored Communications Act. It is believed that the subject is an Irish man thought to be an administrator in the Silk Road dark web illicit marketplace. The U.S. government is separately seeking his extradition to face charges; and access to his emails was requested in the expectation that it would both facilitate the extradition and provide evidence for the charges.

Microsoft took what many commentators in both the U.S. and Europe consider to be a principled position and refused to comply with the search warrant. It has always held that the Stored Communications Act was never meant to apply extraterritorially. The government’s somewhat nuanced argument was that the actual ‘search’ of the data would be within the US and thus not extraterritorial — and took the matter to the courts for enforcement. Despite the government prevailing in all of the lower courts, Microsoft has continually refused to comply, and has appealed the court decisions in each instance.

Advertisement. Scroll to continue reading.

Now its position has been justified, with the court declaring, “we REMAND this cause to the District Court with instructions to quash the warrant insofar as it demands user content stored outside of the United States.” However, it was a close call. While the judges agreed that the wording of the law meant that it should apply within the U.S. alone, Circuit Judge Gerard Lynch added his own commentary “to explain why I believe that the government’s arguments are stronger than the Court’s opinion acknowledges; and to emphasize the need for congressional action to revise a badly outdated statute.”

Lynch does not believe that government access to the data was a privacy matter; merely a poorly worded legal matter. He wrote, “the statute should be revised, with a view to maintaining and strengthening the Act’s privacy protections, rationalizing and modernizing the provisions permitting law enforcement access to stored electronic communications and other data where compelling interests warrant it, and clarifying the international reach of those provisions.”

The court’s decision does not mean that the government will never be able to obtain the information it seeks. The most likely outcome is that it will be forced to use the route it originally rejected as too slow and cumbersome: the use of a Mutual Legal Aid Treaty (MLAT) that will ensure judicial overview of the process.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...


Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...


Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...

Mobile & Wireless

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for...


The proposed UK Online Safety Bill is the enactment of two long held government desires: the removal of harmful internet content, and visibility into...

Application Security

Open banking can be described as a perfect storm for cybersecurity. At one end, small startups with financial acumen but little or no security...