Microsoft wins big in warrant fight to protect privacy of user data

Microsoft scored a major victory for the privacy of its cloud computing users yesterday winning a closely watched case against U.S. Government. In Microsoft Corporation v USA (2nd.Cir. Jul. 14, 2016), the U.S. Second Circuit Court of Appeals held that a warrant issued under Section 2703 of the Stored Communications Act (ECA) did not have extra-territorial effect to require U.S. based Microsoft to access and provide the government with user data stored on servers operated by a subsidiary in Dublin Ireland.

The decision was based on a number of factors including the principle against the presumption of extra-territorial application of U.S law and the historical difference between a subpoena and a warrant, which in this case was held to apply only to Microsoft’s servers in the U.S.

According to the court:

These practical considerations cannot, however, overcome the powerful clues in the text of the statute, its other aspects, legislative history, and use of the term of art “warrant,” all of which lead us to conclude that an SCA warrant may reach only data “warrant,” all of which lead us to conclude that an SCA warrant may reach only data stored within United States boundaries.  Our conclusion today also serves the interests of comity that, as the MLAT process reflects, ordinarily govern the conduct of cross‐ boundary criminal investigations.  Admittedly, we cannot be certain of the scope of the obligations that the laws of a foreign sovereign—and in particular, here, of Ireland or the E.U.—place on a service provider storing digital data or otherwise conducting business within its territory.  But we find it difficult to dismiss those interests out of hand on the theory that the foreign sovereign’s interests are unaffected when a United States judge issues an order requiring a service provider to “collect” from servers located overseas and “import” into the United States data, possibly belonging to a foreign citizen, simply because the service provider has a base of operations within the United States.

Thus, to enforce the Warrant, insofar as it directs Microsoft to seize the contents of its customer’s communications stored in Ireland, constitutes an unlawful extraterritorial application of the Act.

We conclude that Congress did not intend the SCA’s warrant provisions to apply extraterritorially.  The focus of those provisions is protection of a user’s privacy interests.  Accordingly, the SCA does not authorize a U.S. court to issue and enforce an SCA warrant against a United States‐based service provider for the contents of a customer’s electronic communications stored on servers located outside the United States.  The SCA warrant in this case may not lawfully be used to compel Microsoft to produce to the government the contents of a customer’s e‐mail account stored exclusively in Ireland.  Because Microsoft has otherwise complied with the Warrant, it has no remaining lawful obligation to produce materials to the government.

The decision vindicates the position Microsoft took to protect the privacy of its users located outside the U.S. However, the decision only relates to the particular form of investigative document used by law enforcement in the case and did not make any definitive findings on whether a subpoena would have had a broader territorial ambit.

For a good summary of the case, see U.S. Cannot Compel By Warrant Microsoft’s Production of Emails Stored Outside of U.S.

Print Friendly, PDF & Email

Leave a Reply

Your email address will not be published. Required fields are marked *

OPC drops transborder transfer of data consultationOPC drops transborder transfer of data consultation



Earlier this year the Privacy Commissioner launched and then relaunched a consultation that caused shockwaves among privacy lawyers, the tech community, and just about every organization that has third parties process data for them. The OPC sought to change its longstanding interpretation of Canada’s privacy law, PIPEDA, to require the ...

Developments in Computer, Internet and E-Commerce Law (2009-2010)Developments in Computer, Internet and E-Commerce Law (2009-2010)



Here are the slides used in my presentation to the Toronto Computer Lawyers Group earlier today,  The Year in Review: Developments in Computer, Internet and E-Commerce Law (2009-2010). It covers significant developements since my talk last spring. The slides include a summary of the following cases and statutory references: Tercon Contractors Ltd. ...

Alberta PIPA violates Charter says Supreme Court in IPC v United Food and Commercial WorkersAlberta PIPA violates Charter says Supreme Court in IPC v United Food and Commercial Workers



The Supreme Court released a landmark decision today in the  Alberta (Information and Privacy Commissioner) v. United Food and Commercial Workers, Local 401, 2013 SCC 62 case. In short, the Court found that while Alberta’s privacy legislation PIPA plays a vital role in protecting privacy, it violated the Charter right ...

%d bloggers like this: