Microsoft scored an important victory when the Second Circuit ruled that the government is not authorized to issue warrants for customer data stored overseas. In In re Warrant to Search a Certain E-mail Account Controlled & Maintained by Microsoft Corp., known as the Microsoft-Ireland case, the government issued a warrant to obtain Microsoft customer content stored on a server in Dublin, Ireland. The Second Circuit held that the government could not use warrants to disregard traditional territorial limitations.

The Microsoft-Ireland decision should offer a level of comfort for the cloud computing industry as a whole and for U.S. companies that have an international storage footprint.

Key Takeaways

  • The decision limits the government’s right to access information stored internationally.
  • If a company is issued a warrant, the key question is not where the warrant is executed, but where the data is stored. The government cannot compel companies to produce data if the data sought is stored completely on foreign soil.
  • This ruling should also reduce the apprehension some EU residents have regarding U.S. companies’ ability to protect their data, as long as the data is stored in the EU.
  • This case eliminates a situation where companies would have to choose between complying with EU law or cooperating with the U.S. government. Prior to this decision, it would be very difficult for a company receiving a warrant for data stored in the EU to comply with U.S. and EU law.

In his concurrence, Judge Gerard Lynch noted that U.S. online privacy laws implemented in 1986 are woefully inadequate to address the issues of today and urged Congress to take action on modernizing U.S. data protection statutes.

While this case is still subject to appeal (as the government may seek an en banc hearing at the Circuit level or file a petition for certiorari to the Supreme Court), this decision could spark major changes in U.S. data privacy law.