Last week the United States Court of Appeals for the Second Circuit ruled that the FBI can’t force Microsoft to produce and turn over the emails of a suspected drug dealer stored in the company’s data centers in Ireland.
The court decision stated: “We conclude that § 2703 of the Stored Communications Act does not authorize courts to issue and enforce against U.S.‐based service providers warrants for the seizure of customer e‐mail content that is stored exclusively on foreign servers.”
The court also concluded that “the SCA does not authorize a U.S. court to issue and enforce an SCA warrant against a United States‐based service provider for the contents of a customer’s electronic communications stored on servers located outside the United States”
Why is this court decision so important? American cloud providers have been trying to reassure their European customers that their data is protected by European laws, and that US authorities can’t access it without going through European courts for approval. Until now that assurance was impossible to make as US law effectively allows US courts to issue a warrant for data stored by American companies anywhere — including overseas.
One of the main arguments used by European cloud providers to compete with US companies such as Amazon, Google, and Microsoft, has been the fact that, until now, those US companies could be forced by US law enforcement agencies and courts to turn over confidential data stored outside of the United States, without going through due process in European courts.
The Microsoft case decided by the Court of Appeals goes back to 2013 when the company refused to give the Department of Justice the emails of a suspected drug trafficker. The nationality of the suspected criminal has not been identified. Microsoft refused to comply and filed a motion to quash the warrant based on the extraterritorial application of the warrant, as the email server was located in Ireland. But in May 2014 a federal magistrate judge ruled against the tech giant and ordered the company to turn over the emails.
Based on Section 2703 of the Stored Communications Act [SCA], law enforcement agencies have the right to access emails that have been in storage for more than 180 days, since those emails are considered abandoned. When those emails are stored in servers outside of the United States, the government can request the US corporation that controls those servers to give access to them by producing a court order. The Microsoft case and the conditions of Section 2703 of the SCA put US firms at a clear disadvantage in Europe and other international markets.
On February 27, 2015, Reps. Tom Marino and Suzan DelBene introduced the Law Enforcement Access to Data Stored Abroad (LEADS) Act. The LEADS Act clarifies the procedures for the US government agencies to obtain any data stored in foreign servers. The bill would require U.S. law enforcement agencies to direct all data requests to the government of jurisdiction. American cloud providers could not be compelled to give up user data without the sign off of the customer’s home country. They would also be required to get a warrant from a judge. Unfortunately, at the time of writing this article, the bill has not been approved in Congress. Microsoft, Apple, Google, IBM, Amazon, and many other internet providers and software companies are fierce advocates of the Act.
That is why last week’s court decision is critical for US cloud providers doing business abroad. It gives Microsoft, Google, Amazon, IBM, and others stare decisis — precedent by case law — if faced with a similar case, and allows them to argue to their overseas customers that their data is protected by local laws and only available to US authorities through due process in international law.
“This decision provides a major victory for the protection of people’s privacy rights under their own laws rather than the reach of foreign governments,” said Brad Smith, Microsoft’s president, in the company’s blog. “It makes clear that the US Congress did not give the US government the authority to use search warrants unilaterally to reach beyond US borders.”
“We hear from customers around the world that they want the traditional privacy protections they’ve enjoyed for information stored on paper to remain in place as data moves to the cloud. Today’s decision helps ensure this result,” Smith said.
American Cloud Providers Rejoice as Microsoft Wins Foreign Server Case