US government's data security laws do not extend to Ireland

18 July 2016

The US appeals court said Microsoft does not now have to provide mail account details held on its servers in Dublin.

A US court decision that previously ordered Microsoft to hand over emails stored at one of its data centres in Ireland has been overturned.

Court of appeals circuit judge Susan Carney has ruled that communications held by US service providers on servers outside the United States are beyond the reach of domestic search warrants.

The victory for Microsoft follows a long-running legal dispute that began at the end of 2013.

This was when a New York district court issued a warrant asking the company to produce all emails and private information associated with a certain account that it hosted at one of its servers in Dublin.

Microsoft said the court had no authority to issue a warrant for information stored abroad and therefore refused to comply.

In May 2014, a federal magistrate judge upheld the district court’s decision and ordered the company to turn over the emails. Microsoft’s appeal to the District Court for the Southern District of New York was rejected and so the company then took its case to the Second Circuit.

The corporation gained the support of 28 technology and media companies, 23 trade associations and advocacy groups, and 35 leading computer scientists from the US. 

In an amicus brief filed at the end of 2014, the Government of Ireland also added its support. It said the emails should be disclosed only on request to the Irish government as per the long-standing mutual legal assistance treaty between the US and Ireland.

Microsoft said the appeal court’s decision provides a “major victory” for the protection of people’s privacy rights under their own laws rather than the reach of foreign governments.

Writing in a blog posted last Thursday, Microsoft’s president and chief legal officer Brad Smith said: “It makes clear that the US Congress did not give the US government the authority to use search warrants unilaterally to reach beyond US borders. 

“As a global company we’ve long recognised that if people around the world are to trust the technology they use, they need to have confidence that their personal information will be protected by the laws of their own country.”

Smith said the case shows that new legal solutions for protection and privacy that reflect today’s world are needed, rather than technologies that existed three decades ago when current law was enacted. 

He added: “We’re encouraged by the recent bipartisan support that has emerged in Congress to consider a new International Communications Privacy Act. We’re also encouraged by the work of the US Justice Department in pursuing a new bilateral treaty approach with the government of the United Kingdom.”

"We all owe Microsoft"

Other companies have breathed a sigh of relief now that the case has been settled in Microsoft’s favour.

Bromium CTO Simon Crosby: “chilling” consequences for the industry have been averted.

For example, Simon Crosby, CTO and co-founder of endpoint security specialist Bromium, said: “This is an excellent outcome and we all owe Microsoft our gratitude for preventing the US Government from overreaching its authority. 

“If it had succeeded here, there would be negative effects on the tech industry, in particular cloud and SaaS providers – in effect a chilling consequence on the computing industry.”

Malware protection firm Lastline agrees. Jamie Moles, its principal security consultant, said: “The effect internationally had this ruling been upheld would have been a massive chilling of relations with American businesses across the globe and the American judiciary would have been lining itself up for a significant fight with the European Union over data privacy laws.

“Additionally it would likely have meant significant corporate re-structuring as American-owned businesses would have rushed to change their corporate structures so that their European subsidiaries’ ownership was moved to non-USA parentage.”