Court upholds Microsoft's data privacy victory

US gov cannot force companies to hand over data stored abroad

Gavel

Microsoft scored another win yesterday in its battle to protect data stored abroad from search warrants issued in the US.

The US had demanded Microsoft hand over data stored in its Ireland data centre, but after a series of rulings and appeals stretching back to 2013, the US Court of Appeals for the Second Circuit yesterday denied a US Justice Department request for a hearing before the full circuit of eight judges, meaning a 2016 ruling in favour of Microsoft stands.

The decision effectively means the US cannot rely on ther Stored Communications Act (SCA) to access data held abroad.

Brad Smith, Microsoft's chief legal officer, commented: "This decision puts the focus where it belongs, on Congress passing a law for the future rather than litigation about an outdated statute from the past."

The lawsuit dates back to 2013, when a New York court issued a search warrant on behalf of a US law enforcement agency, demanding Microsoft hand over data related to a drug-trafficking investigation that was stored in an Ireland data centre.

Microsoft argued that the warrant was a significant jurisdictional overreach and refused to hand over the data, saying as it was stored in Ireland it was a matter for the Irish authorities. The US's counterclaim, however, was that the warrant applied to Microsoft itself and, because Microsoft is an American company, all its data is subject to US law.

The company lost the first two court hearings, both of which were held in New York, where the warrant was issued, with the judge finding in favour of the agency's argument. However, in 2016 judges considering the case at a third hearing at the 2nd Circuit Court of Appeals found in favour of Microsoft.

The US Justice Department then appealed for a hearing before the full circuit - consisting of all eight judges, rather than a three judge panel - but this resulted in a 4-4 deadlock. Consequently, the previous ruling in favour of Microsoft still stands.

Circuit Judge Susan Carney, who concurred in the denial of the appeal, said in the court judgement: "It is common ground that Congress did not intend for the SCA's warrant procedures to apply extraterritorially. Because the electronic communications to be accessed and disclosed pursuant to the Microsoft warrant are stored in a Dublin datacenter, we reasoned, the execution of the warrant would have its effect when the service provider accessed the data in Ireland, an extraterritorial application of the SCA."

In a statement to the Seattle Times, Justice Department spokesman Peter Carr said: "We are reviewing the decision and its multiple dissenting opinions and considering our options."

Featured Resources

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

Simplify cluster security at scale

Centralised secrets management across hybrid, multi-cloud environments

Download now

The endpoint as a key element of your security infrastructure

Threats to endpoints in a world of remote working

Download now

2021 state of IT asset management report

The role of IT asset management for maximising technology investments

Download now

Recommended

Is your board up to speed on IT infrastructure?
Business strategy

Is your board up to speed on IT infrastructure?

23 Oct 2020
What is an MSSP?
Security

What is an MSSP?

13 Oct 2020
Webhose and Signal Corp boost data breach detection
Security

Webhose and Signal Corp boost data breach detection

7 Oct 2020
IT Pro Live: Trust through conversations in the 'suddenly virtual' enterprise
Business

IT Pro Live: Trust through conversations in the 'suddenly virtual' enterprise

1 Sep 2020

Most Popular

Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

21 Oct 2020
What is Neuralink?
Technology

What is Neuralink?

24 Oct 2020
Hackers demand ransom from therapy patients after clinic data breach
Security

Hackers demand ransom from therapy patients after clinic data breach

27 Oct 2020