Microsoft Wins Major Privacy Victory for Data Held Overseas

An appellate court ruled that the U.S. government could not obtain personal data held overseas by issuing a domestic warrant.

Photo: Johannes Eisele/AFP/Getty Images

In a landmark decision, an appellate court ruled Thursday that the U.S. government could not obtain personal data held overseas by issuing a domestic warrant.

Microsoft appealed an earlier ruling in the Southern District of New York that held the company in contempt of court because it refused to hand over data stored in Dublin, Ireland, during a narcotics investigation. The target’s citizenship wasn’t disclosed to the court.

The New York-based 2nd Circuit Court of Appeals reversed that decision in what digital rights advocates are celebrating as a victory for privacy in an increasingly connected digital age — though it’s expected the government will appeal.

“Microsoft’s victory over the U.S. government is a resounding affirmation of the endurance of privacy in an age marked by constant data transfers in the cloud, Internet of Things, and big data applications,” Omer Tene, vice president of research and education at the International Association of Privacy Professionals, said in a statement to The Intercept.

“When, in 1986, Congress passed the Stored Communications Act as part of the broader Electronic Communications Privacy Act, its aim was to protect user privacy in the context of new technology that required a user’s interaction with a service provider,” wrote Judge Susan L. Carney in the decision.

Just because companies routinely conduct business across international borders doesn’t mean a warrant is any more or less powerful, argued the unanimous panel of three judges. “Neither explicitly nor implicitly does the statute envision the application of its warrant provisions overseas.”

To access data across borders, there are other structures in place, called Mutual Legal Assistance Treaties, the court argued. Those agreements allow law enforcement to exchange information in criminal investigations — and the U.S. has an arrangement in place with Ireland. (The U.S. government described that process as “cumbersome.”)

The U.S. and Britain are already negotiating an agreement where both partners could directly serve companies with wiretap orders and warrants — to intercept real-time communications and collect stored communications. But neither country has announced a formal agreement yet.

In response to the appellate decision, many are calling for legal reforms to better address the needs of law enforcement to access data overseas and to protect the privacy of citizens worldwide.

“The decision underlines the need for reform to address legitimate law enforcement demands for data stored abroad,” Greg Nojeim, the director of the Center for Democracy and Technology’s Freedom, Security, and Technology Project, said in a statement. “It should spur Congress to act by finally updating the Electronic Communications Privacy Act of 1986 and advancing legislation that would reform the mutual legal assistance treaty (MLAT) process.”

Join The Conversation