A federal appellate court delivered a victory to U.S. companies housing customer data overseas, ruling Thursday that prosecutors cannot force Microsoft to reveal content from a customer’s email account stored in Ireland.
The 2nd U.S. Circuit Court of Appeals in Manhattan overturned a lower court order finding the company in civil contempt for not handing over the data.
Microsoft offers storage through its “public cloud,” which places data from over 1 billion customers and over 20 million businesses on servers in over 40 countries, the court noted.
The appeals court said Congress passed the Stored Communications Act in 1986 to protect user privacy when new technology causes service providers to store electronic communications for customers. It said Congress expressed concern then that technology developments could erode the privacy interest Americans traditionally enjoyed in records and communications.
“Neither explicitly nor implicitly does the statute envision the application of its warrant provisions overseas,” the appeals court said in a decision written by Judge Susan L. Carney. “We see no reason to believe that Congress intended to jettison the centuries of law requiring the issuance and performance of warrants in specified, domestic locations, or to replace the traditional warrant with a novel instrument of international application.”
The appeals ruling acknowledged that so-called cloud computing had changed the landscape for storage, letting companies hold customer data in distant lands.
“Three decades ago, international boundaries were not so routinely crossed as they are today, when service providers rely on worldwide networks of hardware to satisfy users’ 21st-century demands for access and speed and their related, evolving expectations of privacy,” the three-judge wrote.
The Justice Department said it was disappointed and considering its options.
“Lawfully accessing information stored by American providers outside the United States quickly enough to act on evolving criminal or national security threats that impact public safety is crucial to fulfilling our mission to protect citizens and obtain justice for victims of crime,” Justice Department spokesman Peter Carr said.
Redmond, Washington-based Microsoft Corp. sees the ruling as a “major victory for the protection of people’s privacy rights under their own laws rather than the reach of foreign governments,” Brad Smith, its president and chief legal officer, said in a statement. He said it also “helps ensure that the legal protections of the physical world apply in the digital domain.”
He said people around the world want their personal information protected by the laws of the country in which they live.
“We hear from customers around the world that they want the traditional privacy protections they’ve enjoyed for information stored on paper to remain in place as data moves to the cloud,” he said. “Today’s decision helps ensure this result.”
U.S. prosecutors got a warrant for the information in December 2013, saying they believed the account in a Dublin facility opened in 2010 was being used to further trafficking of illegal substances.
The court record doesn’t address the citizenship and location of the customer, but Microsoft generally stores data close to users’ reported locations.
Dozens of businesses and news organizations supported Microsoft’s arguments. In one court submission, 29 major U.S. and foreign news and trade organizations said journalists and publishers worldwide rely on email and cloud-storage services provided by Microsoft and others to gather, store and review documents protected by the First Amendment.
U.S. prosecutors had argued Microsoft could retrieve information stored overseas from its U.S. offices and that “powerful government interests” override potential negative effects on Microsoft’s business.
“Microsoft should not be heard to complain that doing so might harm its bottom line,” the government argued.