The Microsoft Ireland case considered whether the US government could compel Microsoft to give it access to Hotmail emails it holds on its server in Ireland. Could a US Government search warrant compel Microsoft to retrieve emails it holds on a server in Ireland and hand those emails over to the US Department of Justice (DoJ)? The Microsoft Ireland case is important because had the DoJ been successful, this case would have set a precedent allowing governments around the world to seize information held in the cloud. This has serious implications on the right to privacy and for cloud computing. The full case name is Microsoft Corporation v United States of America.
What does the Microsoft Ireland case mean?
In light of Snowden revelations and countless other privacy scandals, the US government agencies are under increasing pressure to comply with global standards for the protection of personal data. A ruling in the government’s favour could have:
- seriously undermined the US government’s international commitments to data privacy, especially the EU-US Privacy Shield,
- infringed people’s right to data privacy, and
- chilled several important international relationships.
This Microsoft Ireland case has a big impact on cloud providers
Many privacy scandals involve a hack of the cloud. As a result, users have significantly lost trust in the cloud as a means to store their data. Therefore, cloud providers are looking to restore trust. Fortunately, the decision preventing the US government from accessing data stored in the cloud has gone a long way to restore trust in cloud services.
To understand this in more detail, contact us.
Background of the Microsoft Ireland Case
In 2013, a federal magistrate’s court in New York granted a search warrant to the DoJ under the US Stored Communications Act (SCA) against the Microsoft Corporation. The court issued the warrant for both personal user data and the email contents as part of the FBI’s on-going investigation into narcotics trafficking.
Microsoft challenged the warrant first in front of the Federal Magistrate and then a District Court judge. They were unsuccessful on both challenges. Microsoft appealed to the Second Circuit Court of Appeal and arguments closed in September 2015. So, until the decision wass handed down by that court the warrant stood, but could not be executed.
What was Microsoft arguing?
Microsoft argued that the data it holds on Irish servers is not subject to US jurisdiction. If the US wished to access data anyone holds outside their jurisdiction, they must use the appropriate international law channels. This argument was supported by the Irish government. Furthermore, Microsoft argued that the scope of the warrant was too broad and the US were overreaching their jurisdiction. Ironically, the US would be unlikely to give another government access to data anyone holds in the US. They were also arguing that the warrant itself is unconstitutional for failing to be sufficiently specific.
What was the Department of Justice arguing?
They argued that the emails constitute the business records of Microsoft and therefore they could access them by means of a search warrant no matter where Microsoft stores them. The DoJ also had, the controversial piece of legislation, the Patriot Act on their side. The Patriot Act deems that the property to be searched is located where the ISP is situated and not where the server is located. Therefore, the DoJ would be entitled to view the emails.
It seems like everyone had a great deal riding on this decision. The case was heard by the Second Circuit Court of Appeals in September 2015.
The Second Circuit Court of Appeals handed down judgement on 14 July 2016, and ruled against the United States Government stating that the US government could not compel Microsoft, or other companies, to turn over customer emails stored on servers outside the United States.
The Second Circuit Court stated that US statutes are presumed to operate in the US. Therefore, they do not have extraterritorial reach. The court also emphasised the right to privacy regarding the content of the emails and that it needs to be protected. The court went on to say that privacy was a key purpose of the statute involved. Therefore, the legislators cannot have envisaged that it would be used extraterritorially to invade someone’s privacy.
The court in this case emphasised that the privacy rights we have in the physical world extend to the digital world. However, this has only been tested in some areas of techology. The important thing is to familiarise yourself with how the law works for your organisation and cloud computing requirements.
We can help you with the legal aspects regards cloud computing and compliance, like privacy and data protection, access to information, information security, contracts with cloud providers.