In a major victory for data privacy, on 14 July 2016 a landmark decision was handed down by a United States (US) appeal court ruling that, in fact, the US Government could not gain access to data stored on a Microsoft server located outside of the US. Microsoft had previously sought to challenge the granting of a warrant in favour of the US Department of Justice (DoJ) to access files stored on its server located just outside Dublin in the Republic of Ireland. Having twice previously failed to have the warrant order overturned, the Second Circuit Appeals Court in the State of New York has now delivered its verdict ruling in Microsoft’s favour.
What was the case all about?
The case (full title Microsoft Corporation v United States of America), saw the US courts asked to consider whether the US DoJ was lawfully entitled to require Microsoft to permit it access to e-mails from Hotmail.com held on its cloud server in Ireland. The history of the proceedings began in 2013 with the award by a federal magistrate’s court in New York of a search warrant to the DoJ under the US Stored Communications Act of 1986 (SCA), which grants US law enforcement agencies certain powers to direct companies to disclose records which are within its “possession, custody or control”, no matter where those records might be stored across the globe.
Following the terrorist attacks on New York City on 11 September 2001, the introduction of the US PATRIOT Act (full title the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act) of 2001 extended the powers granted by the SCA and other legislation, including the Foreign Intelligence Surveillance Act of 1978 and the Money Laundering Control Act of 1986 and gave authorities scope to interpret these statutes more widely.
Microsoft challenged the granting of the DoJ’s search warrant before the federal magistrate and then before a judge in the New York District Court, but saw their case rejected on both occasions. They subsequently appealed further to the New York State Second Circuit Court of Appeal, pleading that since the data in question was held on servers located in Ireland these could not be subject to US jurisdiction, which the DoJ would be overreaching in violation of international law, and also that the warrant had failed to specify sufficiently the precise categories of information to which access was granted.
Microsoft was supported by the Irish Government and also by dozens of intervening parties including Fox News Network, Verizon Communications Inc., Apple Inc., CNN and the US Chamber of Commerce, all of whom sought to uphold the primacy of data privacy protection against encroachment by US law enforcement agencies acting outside of their federal jurisdiction.
The DoJ, meanwhile, cited the PATRIOT Act, noting particularly that it seemed to extend the powers granted to it under the SCA such that any server whose ISP is situated (as was the case with Microsoft) in the US fell within the US authorities’ jurisdiction, regardless of the fact the server may have been physically located outside of the US.
What did the Appeal court rule, and why is this of such wider importance?
Having heard submissions in September 2015, the Second Circuit then reserved judgment, pending the handing down of which the warrant remain intact, albeit it could not be executed unless and until a further verdict was delivered in favour of the DoJ.
In the event, the appeal court in fact ruled in Microsoft’s favour. This finding has been championed as upholding the sovereignty of nation states’ own domestic privacy laws (or those of the European Union (EU) in the EU Member States) over the purported extra-territorial reach of the powers granted under US federal law to its law enforcement agencies (particularly since the introduction of the PATRIOT Act). This, in turn, would then protect the right of citizens to proceed safely in the knowledge that their data will be protected in accordance with national laws, whose provisions will not be overreached by the powers of US agencies.
Importantly, as noted by judge Susan Carney, ensuring that the scope of a search warrant is not extended excessively across foreign jurisdictions promotes the concept of “comity”, whereby instead of asserting unilateral powers to access documents held in non-US territories, the US authorities work with their counterparts overseas to assist one another and cooperate on international investigations. These forms of cooperation have been accused of causing delay and inconvenience for investigators, but the Microsoft ruling appears to convey a clear message that pursuing bilateral or multilateral agreements between nations in the interests of facilitating access to data for cross-border enforcement activities must be favoured over any unilateral global reach of powers under US federal law.