Microsoft won a major decision in a controversial legal battle over email privacy with the U.S. government.
The U.S. Court of Appeals overturned a 2014 decision by U.S. Magistrate Judge James Francis ordering Microsoft to turn over emails of a suspected drug dealer under investigation by the U.S. Department of Justice (DOJ). Microsoft opposed the judge's order and the original warrant in the case because the emails were not stored in the U.S. -- they were held in a data center in Dublin, Ireland. The software giant argued the data center was outside the jurisdiction of U.S. law enforcement, so the DOJ should go through established channels with the Irish government to obtain the data.
The U.S. government claimed the emails were business records of Microsoft, rather than personal messages of the suspected drug trafficker, and therefore should be turned over to law enforcement. Government lawyers also argued that, under the Stored Communications Act (SCA), the digital content of the emails was different from physical evidence.
Microsoft, however, opposed those claims and argued the U.S. government's actions in the case would allow it, as well as foreign governments, to reach outside jurisdictions and violate the privacy of customers using cloud services. Microsoft was supported by many other companies, including Amazon and Apple, which filed amicus briefs in 2014, arguing a ruling in favor of the U.S. government would have a chilling effect on cloud data privacy.
The three-judge panel for the 2nd Circuit Court of Appeals agreed with Microsoft's stance on email privacy and ruled in the company's favor. "We conclude that § 2703 of the Stored Communications Act does not authorize courts to issue and enforce against U.S.‐based service providers warrants for the seizure of customer email content that is stored exclusively on foreign servers," the decision stated.
In the panel's opinion, Judge Susan Carney stated the government's Stored Communications Act warrant could not be used to compel Microsoft to turn over customers' emails stored outside the U.S. "We conclude that Congress did not intend the SCA's warrant provisions to apply extraterritorially," Carney wrote. "The focus of those provisions is protection of a user's privacy interests. Accordingly, the SCA does not authorize a U.S. court to issue and enforce an SCA warrant against a United States‐based service provider for the contents of a customer's electronic communications stored on servers located outside the United States."
In a separate concurring opinion, however, Judge Gerard Lynch wrote that "the government's arguments are stronger than the court's opinion acknowledges," and emphasized "the need for congressional action to revise a badly outdated statute." Lynch also wrote that the court's decision should not be "celebrated as a milestone in protecting privacy."
Nevertheless, Microsoft declared the ruling an important decision for protecting cloud data privacy in the 21st century. Brad Smith, Microsoft's president and chief legal officer, said customers across the globe want traditional privacy protections for information stored in the cloud, and the court's decision this week helped to ensure those protections.
"We obviously welcome today's decision by the United States Court of Appeals for the Second Circuit," Smith wrote in a blog post. "The decision is important for three reasons: It ensures that people's privacy rights are protected by the laws of their own countries; it helps ensure that the legal protections of the physical world apply in the digital domain; and it paves the way for better solutions to address both privacy and law enforcement needs."