A dispute between Microsoft and the U.S. government over a search warrant could have major repercussions for cloud service providers. Historically, European data privacy and protection standards have been stricter generally speaking than those in the U.S. The "Safe Harbor" arrangement pursuant to which U.S. companies, including cloud providers, agree to more robust protection for EU personal data, for the past several years, has offered a resolution of this conflict. However, when Edward Snowden’s revelations of NSA monitoring of communications emerged, European stakeholders called into question the continued efficacy of the Safe Harbor approach. Such discussions are still ongoing. In the meantime, as a further and additional part of a solution to stricter European standards, some U.S. cloud providers have agreed to store certain data only in European locales. Now, the efficacy of even that approach has been called into question.
Microsoft recently argued that federal courts are not authorized “to issue warrants for the search and seizure of property outside the territorial limits of the United States” and therefore, a warrant issued in New York is unauthorized to the extent it seeks data that Microsoft has stored in Ireland. Further, if the court had issued a subpoena rather than a warrant, which would have required production of data regardless of its storage location, the target of the investigation – Microsoft’s email customer – would need to be given prior notice of the subpoena, which was not the case here.
Back in December 2013, as part of an investigation into drug-trafficking, Federal prosecutors sought and obtained a search warrant for the emails of an individual who used one of Microsoft’s web-based email services. A magistrate judge in New York signed the warrant directing Microsoft to turn over its customer’s emails. Microsoft complied by turning over certain “non-content” data, such as a username, that is stored on servers located in the United States. However, Microsoft objected to the warrant to the extent it required the company to turn over the content of emails, which, for this particular account, are stored on Microsoft’s servers located in Ireland.
In April 2014 the magistrate who initially issued the warrant denied Microsoft’s challenge. The judge ruled that the Stored Communications Act (“SCA”), which is part of the Electronic Communications Privacy Act (“ECPA”), authorizes the court to issue a “unique” order that is a “hybrid: part search warrant and part subpoena” which avoids the extra-territoriality restrictions of a warrant and notice requirements of a subpoena. The court held that there is no extra-territorial search because, in the context of digital information, Microsoft had direct access to the data being sought from its computers in the United States, despite the data in fact being stored on servers overseas.
This month, Microsoft responded to that order by filing a motion to vacate the search warrant with the U.S. District Court in New York. Apple, Cisco, AT&T, Verizon, and the Electronic Frontier Foundation have all since filed briefs in support of Microsoft’s position, in the hope of limiting the U.S. government’s ability to reach into data centers anywhere in the world.