After years of arguments, Microsoft has won a major victory in its legal fight over US access to information stored in a company data center in Ireland. In a decision filed today by the Second Circuit Court of Appeals, judges ruled that US investigators can’t use the Stored Communications Act to compel access to the data, as it is physically located outside of US borders. As a result, the court found that Microsoft has "no remaining lawful obligation to produce materials to the government."
"No remaining lawful obligation"
Microsoft argued that because the data was stored in Ireland, it was subject to Irish rather than US law, regardless of the company providing the infrastructure. That feature is central to Microsoft’s ambitions as a cloud provider, allowing the company to compete with local storage companies that are not otherwise subject to US requests. The nationality of the target of the investigation is still undisclosed.
The government’s case focused on Microsoft’s obligations as a company based in the United States. Since the data was easily accessibly to Microsoft and the company itself could be compelled by the CDA, prosecutors argued the company was legally in possession of the data, regardless of international borders. Ultimately, the judges found those arguments unpersuasive.
The question of the physical location of data centers remains a difficult one, as governments look to impose national borders on fundamentally international information networks. In recent years, a number of governments have passed data localization laws, a response to those issues as well as covert access efforts by US intelligence services revealed in the Snowden documents. Germany, Brazil, and Russia have all taken up measures requiring companies to store citizens’ data within national borders, both limiting foreign access to the data and putting it within easier reach of national law enforcement agencies. Some experts are concerned that the trend toward localization could ultimately fracture the internet along national lines, making it harder for individual services to share data and products across borders.
"Privacy... is an abstract concept with no obvious territorial locus."
It’s unclear how long Microsoft’s victory will hold up. The appeals court ruling can still be overturned by the Supreme Court, and more aggressive legislation could supersede both. Law enforcement agencies have also increasingly looked toward diplomatic methods for obtaining data stored overseas. The UK and US are currently discussing a Mutual Legal Assistance Treaty (or MLAT) which would allow each nation to serve warrants directly to companies without navigating foreign courts.
In a concurring ruling, one of the appeals court judges openly pleaded for legislative action to revise the existing law. "Although I believe that we have reached the correct result as a matter of interpreting the statute before us, I believe even more strongly that the statute should be revised," Judge Gerard Lynch wrote in his concurrence. "I concur in the result, but without any illusion that the result should even be regarded as a rational policy outcome, let alone celebrated as a milestone in protecting privacy."
"Privacy... is an abstract concept with no obvious territorial locus," Lynch continued. "It seems at least equally persuasive that the invasion of privacy occurs where the person whose privacy is invaded customarily resides."
Microsoft general counsel Brad Smith applauded the ruling in a statement posted after the news broke. "As a global company we’ve long recognized that if people around the world are to trust the technology they use, they need to have confidence that their personal information will be protected by the laws of their own country," Smith wrote. "Today’s decision means it is even more important for Congress and the executive branch to come together to modernize the law."
Update 6:13PM ET: Updated with Microsoft statement.