Microsoft wins appeal to protect overseas data
San Francisco: Microsoft on Thursday scored a big victory on a keenly watched privacy battlefront, with a US appeals court exonerating the company for refusing to give police user data stored overseas.
A three-judge panel in a US court of appeals in New York City ordered that a finding of contempt against Microsoft be tossed out along with the warrant in the case.
The December 2013 warrant directed Microsoft to turn over the contents of an email account used by a suspected drug trafficker.
Redmond, Washington-based Microsoft handed over account information it kept on US soil, but said the content of emails was off-limits because it was stored on servers in Ireland, according to a summary of the case.
The citizenship and location of the suspected drug trafficker were not revealed.
The warrant had been issued under provisions of Stored Communications Act (SCA) legislation enacted as part of the Electronic Communications Privacy Act of 1986.
Judge Susan Carney of the appeals court said that the SCA does not give US courts authority to force internet companies in the United States to seize customer email contents stored on foreign servers.
‘We conclude that Congress did not intend the SCA's warrant provisions to apply extraterritorially,’ the judges said.
‘The focus of those provisions is protection of a user's privacy interests.’
Local law rules
Microsoft welcomed the decision, saying it helped insure people's privacy rights are protected by laws in their own countries.
The case had been closely watched by those who feared that a ruling against Microsoft would pave the way for countries to force internet firms to disclose user data no matter where in the world it was kept.
‘This decision provides a major victory for the protection of people's privacy rights under their own laws rather than the reach of foreign governments,’ Microsoft chief legal officer Brad Smith said in an email.
‘It makes clear that the US Congress did not give the US Government the authority to use search warrants unilaterally to reach beyond US borders.’
Knowing personal information will be protected by local law is also imperative for people to trust technology companies, Smith reasoned.
The long-running case has been a key point of concern for online service providers and their users.
If the Department of Justice had triumphed over Microsoft in the case, other countries would have easily seen it as a green light to use their own laws to demand data stored in the US, said Greg Nojeim, a project director at Washington-based nonprofit Center for Democracy and Technology.
‘It would have been like the Wild West and disaster for privacy,’ Nojeim said.
Matter of how
The Information Technology and Innovation Foundation, a Washington-based tech policy think tank which supported Microsoft's case, said data stored in other countries should be sought under auspices of a Mutual Legal Assistance Treaty designed to let police agencies around the world to help one another.
‘The question here isn't whether the US government can gain lawful access to this data, but rather the process it should use to do so,’ said ITIF vice president Daniel Castro.
The US has such mutual assistance treaties with more than 50 countries, including Ireland, according to Castro.
Microsoft's legal win came with the risk that foreign governments would begin forcing tech companies to rely on local servers to keep information away from US authorities, the ITIF warned.
The group was among several urging US political leaders to speed efforts to improve the MLAT process and create a global framework for governments to legally access data stored in the cloud.