Court upholds Microsoft's data privacy victory

US gov cannot force companies to hand over data stored abroad


Microsoft scored another win yesterday in its battle to protect data stored abroad from search warrants issued in the US.

The US had demanded Microsoft hand over data stored in its Ireland data centre, but after a series of rulings and appeals stretching back to 2013, the US Court of Appeals for the Second Circuit yesterday denied a US Justice Department request for a hearing before the full circuit of eight judges, meaning a 2016 ruling in favour of Microsoft stands.

The decision effectively means the US cannot rely on ther Stored Communications Act (SCA) to access data held abroad.

Brad Smith, Microsoft's chief legal officer, commented: "This decision puts the focus where it belongs, on Congress passing a law for the future rather than litigation about an outdated statute from the past."

Advertisement - Article continues below
Advertisement - Article continues below

The lawsuit dates back to 2013, when a New York court issued a search warrant on behalf of a US law enforcement agency, demanding Microsoft hand over data related to a drug-trafficking investigation that was stored in an Ireland data centre.

Microsoft argued that the warrant was a significant jurisdictional overreach and refused to hand over the data, saying as it was stored in Ireland it was a matter for the Irish authorities. The US's counterclaim, however, was that the warrant applied to Microsoft itself and, because Microsoft is an American company, all its data is subject to US law.

The company lost the first two court hearings, both of which were held in New York, where the warrant was issued, with the judge finding in favour of the agency's argument. However, in 2016 judges considering the case at a third hearing at the 2nd Circuit Court of Appeals found in favour of Microsoft.

The US Justice Department then appealed for a hearing before the full circuit - consisting of all eight judges, rather than a three judge panel - but this resulted in a 4-4 deadlock. Consequently, the previous ruling in favour of Microsoft still stands.

Circuit Judge Susan Carney, who concurred in the denial of the appeal, said in the court judgement: "It is common ground that Congress did not intend for the SCA's warrant procedures to apply extraterritorially. Because the electronic communications to be accessed and disclosed pursuant to the Microsoft warrant are stored in a Dublin datacenter, we reasoned, the execution of the warrant would have its effect when the service provider accessed the data in Ireland, an extraterritorial application of the SCA."

In a statement to the Seattle Times, Justice Department spokesman Peter Carr said: "We are reviewing the decision and its multiple dissenting opinions and considering our options."

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now


Business strategy

CIO job description: What does a CIO do?

7 Jan 2020
data management

EU-US data transfer tools used by Facebook ruled legal

19 Dec 2019
Careers & training

IT manager job description: What does an IT manager do?

28 Oct 2019
Careers & training

What does a CISO do?

25 Sep 2019

Most Popular

data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
cyber security

If not passwords then what?

8 Jan 2020
Policy & legislation

GDPR and Brexit: How will one affect the other?

9 Jan 2020
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020