The U.S. government's reach got a little bit shorter Thursday when the Second Circuit Court of Appeals reversed a lower court decision and ruled that the U.S. government can't force Microsoft to hand over customer emails stored in a server in Ireland.
The court's ruling at least temporarily capped a long-running legal battle between the tech giant and the federal government, effectively ordering a District Court to quash a warrant for the data and vacating an order that held Microsoft in contempt for its refusal to yield to the government's demands.
Privacy advocates hailed the ruling as a victory for Microsoft and, if it holds, will likely inspire confidence among privacy advocates and European privacy regulators who worried about the fortitude of the U.S.'s privacy posture.
“It's a big win for Microsoft and other tech companies pushing back against government information requests,” Joseph G. Falcone, partner at the law firm of Herbert Smith Freehills New York LLP, told SCMagazine.com.
“The ruling really puts the U.S. on an even playing field with other governments and will help in future conversations on privacy,” former White House Senior Director for Cybersecurity Ari Schwartz, now managing director of cybersecurity services at Venable LLP, told SCMagazine.com via email.
The court flatly said that Congress didn't intend for warrant provisions in the Stored Communications Act (SCA), its basis for making such data requests, to apply extraterritorially.
Indeed, “the focus of those provisions is protection of a user's privacy interests," Second Circuit Court Judge Susan L. Carney wrote, noting that the SCA “does not authorize a U.S. court to issue and enforce an SCA warrant against a United States‐based service provider for the contents of a customer's electronic communications stored” on overseas servers.
The government, of course, in the preceding years had vigorously argued otherwise. During an investigation of a drug case, the government in December 2013 had pressed Microsoft to turn over emails stored in the Irish server. Microsoft refused, claiming the government had no power to ask for data stored in another country and well outside of its jurisdiction. In April 2014, a federal judge ordered Microsoft to cough up those records. Microsoft again refused and was found in contempt of court. The case has been sitting in the Second Circuit ever since.
Thursday's ruling tempers government reach and will have important implications for privacy.
“The ruling is a striking victory for privacy over the threat of government access and overreach,” Omer Tene, vice president of research and education at at the International Association of Privacy Professionals (IAPP), told SCMagazine.com via email correspondence. “It recognizes that national borders exist even in cyberspace and the cloud. It places an emphasis on the location of data and servers in deciding which legal regime applies.”
The Second Circuit Court's ruling comes just days after the EU-U.S. Privacy Shield was approved by the 28 members of the EU and the European Commission (EC).
Privacy Shield had hit some glitches on its way to approval as European privacy advocates and regulators expressed concern that it didn't adequately address the chief issue that got its predecessor, Safe Harbor, tossed by a European Court of Justice – mass surveillance of private citizens.
“The [Second Circuit] decision limits the power of the [U.S. government] to access data stored in Europe,” said Tene. Although it doesn't address bulk data collection for national security reasons, the core concern of privacy advocates and regulators in Europe, both Tene and Falcone noted, the ruling will likely be referenced going forward.
“It will definitely figure in judicial challenges to Privacy Shield, though I'm not sure it will make a difference at the end of the day in a European court,” said Tene.
The Justice Department has had little success recently in its attempts to cajole customer data from tech companies. Two cases against Apple for access into locked iPhones ended with third parties coming forward to help the government get what it needed.
It was unclear at press time whether the Justice Department will challenge the ruling, but law enforcement officials previously have bristled at efforts by tech companies to spurn their data requests, contending that it would hamper their investigations. But what Thursday's ruling means for national security depends on how the relationship between the two factions evolves.
“For national security, we will have to see how tech companies cooperate with law enforcement moving forward,” said Schwartz. “There has been an effort to build U.S.-U.K. relations that should help in a case like this, but law enforcement will need to come to the table to work with companies to come up with a broader agreement.”
While the Second Circuit's decision put a finer point on privacy, it may face challenges in the future.
“I don't know if this is the last word,” said Falcone.