In a 3-0 decision that should give those concerned about the protection of online privacy some comfort, the U.S. Court of Appeals for the Second Circuit has ruled that courts are not authorized to issue warrants on U.S. service providers for the seizure of emails stored on foreign servers.
The decision also comes the same week the U.S. and EU have launched a privacy shield agreement for protecting the privacy of cross-border data flows.
The court decision reverses a lower court finding against Microsoft.
Microsoft had appealed a decision by a New York U.S. district court not to quash such a warrant issued by the government under the Stored Communications Act for content stored on a server in Ireland. Microsoft had refused to comply with the warrant.
The government said the warrant entitled it to the material no matter where it was stored. The court disagreed: "Neither explicitly nor implicitly does the statute envision the application of its warrant provisions overseas....We therefore decide that District Court lacked authority to enforce the Warrant against Microsoft."
Microsoft did provide non-content information residing on its domestic servers.
"We are pleased to see that the Court has recognized that the Stored Communications Act does not allow the government to compel a service provider, such as Microsoft, to produce the private data of its customers when that information is located abroad," said Daniel Castro, VP of the Information Technology & Innovation Foundation. "As we argued almost two years ago, 'the question here isn't whether the U.S. government can gain lawful access to this data, but rather the process it should use to do so. Instead of using a search warrant, the U.S. government agency in question could have sought access to this account information using a Mutual Legal Assistance Treaty [MLAT]. MLATs are agreements designed for law enforcement agencies to receive and provide assistance to their counterparts in other countries. The U.S. has MLATs with more than 50 countries, including Ireland.'"
“This ruling is a major affirmation that the rights we enjoy in the physical world continue to apply in the digital world. By declaring that a US warrant cannot reach communications content stored abroad, the court ruled strongly in favor of privacy and national rule of law,” said Greg Nojeim, director of the Freedom, Security and Technology Project at the Center for Democracy and Technology.
“As Congress considers reforming the Electronic Communications Privacy Act and Stored Communications Act, this ruling demonstrates the importance of clear statutory language that anticipates and facilitates cloud privacy and security," said Computer & Communications Industry Association presdient Ed Black. “The decision in Microsoft v. United States makes evident that the government’s position does not reflect the statutory status quo or Constitutional bounds, but also suggests that the status quo does not adequately reflect the function of modern online platforms.
“We encourage Congress to support legislation like the International Communications Privacy Act, which reaffirms a nationwide warrant-for-content standard, offers a nationality-based solution to cross-border law enforcement requests, and provides needed reforms to the MLAT process.”