Privacy professionals have been closely watching a case with potentially far reaching implications for international policy.
Since July 2014, Microsoft has been resisting a warrant issued by the US Department of Justice which seeks access to information held on servers in the republic of Ireland which are owned by the US entity Microsoft Corporation. A large number of US headquartered technology companies have, in recent years, chosen to host the data of their non-US customers in EU jurisdictions such as Ireland – to manage privacy concerns. For example, Microsoft, LinkedIn and Facebook maintain servers in the republic of Ireland, often owned by Irish based subsidiaries.
Having refused to comply with a warrant to disclose Irish-hosted data, Microsoft was held in contempt of court in September 2014 (at the request of both parties, in order to give the appeals court jurisdiction). On 14 July 2016, the Second Circuit Appeals Court upheld Microsoft’s appeal against the contempt finding. The Court found that section 2703 of the Stored Communications Act does not authorise US courts to issue and enforce warrants against US-based service providers for the seizure of customer email content, stored exclusively on servers outside of the US. As a result, Microsoft is not required to comply with a warrant to provide the US government with emails stored on its server in Ireland, as part of its investigation of a particular account holder.
Although many details of the matter are sealed, the US government had obtained a warrant for Microsoft to produce certain information in relation to a particular email account holder, based on a finding of probable cause that the account holder’s email account had been used for drug trafficking purposes. Microsoft produced the account holder’s non-content information stored in the US to the government however, in order to fully comply with the warrant, it would have needed to disclose data that it stores on its servers in Ireland.
The Second Circuit Appeals Court agreed with Microsoft’s arguments and noted that warrants, unlike subpoenas, cannot be enforced extra-territorially. The Court also noted that when Congress passed the Stored Communications Act as part of the Electronic Communications Privacy Act, the statute did not expressly state that it was to have extra-territorial application outside of the US.
HWL Ebsworth has a leading team of privacy and cyber security specialists. Please contact us with any questions about this story or your privacy compliance.
This article was written by James Moore and Catherine Stelmach.