Why a federal court sided with Microsoft in email seizure case

Civil libertarians and tech companies hailed the decision as a victory for privacy, days after European regulators approved a more controversial data transfer pact.

A federal appeals court has handed Microsoft a victory in a closely watched privacy case, saying Thursday that the US government can’t force the tech giant and other companies to turn over their customers’ emails if they are stored on servers outside the United States.

The 3-0 decision by the 2nd Circuit Court of Appeals in Manhattan was hailed as a victory by civil liberties advocates and tech companies, who have expanded their use of data stored on “cloud” servers around the world.

"It definitely sets an important precedent," Tor Ekeland, a New York City attorney who specializes in computer, law told The Christian Science Monitor’s Passcode. "It's a victory for privacy rights across the board and, in my mind, it's proof that the ubiquity of computers is changing what the Fourth Amendment means."

The case involved a dispute over a warrant for emails stored on a server in Dublin, Ireland, that the government said involved drug smuggling. Microsoft had argued that a ruling in the government’s favor could vastly expand its power to secure people's communications outside US borders. 

In Thursday’s ruling, Circuit Judge Susan Carney said data held by US companies on servers outside the US is beyond the reach of a domestic search warrant issued under the Stored Communications Act, a 1986 federal law, Reuters reports.

"Congress did not intend the SCA's warrant provisions to apply extraterritorially," she wrote. "The focus of those provisions is protection of a user's privacy interests."

The ruling reversed an earlier US district court judge's ruling requiring Microsoft to turn over the emails, as well as a contempt charge against the company.

"This decision provides a major victory for the protection of people’s privacy rights under their own laws rather than the reach of foreign governments," Brad Smith, Microsoft's president, said in a statement.

The Justice Department was "disappointed" with the ruling, spokesman Peter Carr said in a statement, adding that the department is considering its legal options.

But the court's decision comes days after another rule that governs how information is shared between companies doing business in the United States and Europe disappointed some privacy advocates and critics of government surveillance.

That rule, known as Privacy Shield, replaced the 15-year-old Safe Harbor data transfer pact, which was struck down by the European Court of Justice last year over concerns that it did not adequately protect European users' data from US government surveillance.

Max Schrems, the Austrian privacy activist who began a suit against Facebook that eventually led to the toppling of Safe Harbor, argues the new Privacy Shield could raise similar concerns.

"Not only does the final Privacy Shield use the exact same wording on mass surveillance laws as Safe Harbor, but the US now even admits that it will continue to collect personal data stemming from Europe in bulk," he wrote in a column in The Irish Times on Tuesday after European regulators approved the rule.

Privacy Shield was welcomed by tech companies, however, with an estimated 4,500 US firms affected by the pact that governs sharing data across the Atlantic.

The Microsoft ruling, on the other hand, was more broadly embraced by both tech firms and civil libertarians.

"Had the Department of Justice prevailed in this case, other countries would follow the US lead and start claiming access to data stored here in the US based on their own laws," Greg Nojeim, director of the Center for Democracy and Technology’s Freedom, Security and Technology Project, said in a statement. "It would have been like the Wild West and [a] disaster for privacy."

The group filed a friend of the court brief supporting Microsoft, along with 23 media and tech companies, the Irish government, and a slew of advocacy groups and computer scientists, Passcode reports.

But one judge’s opinion cast the ruling as a narrower issue.

In a separate concurring opinion, Circuit Judge Gerard Lynch said Congress should consider modernizing the "badly outdated" 1986 law to better balance law enforcement concerns with users' privacy.

Currently, he said, the law lets Microsoft thwart the government's "otherwise justified demand" for the emails by the "simple expedient" of storing the emails on a server outside the US.

"I concur in the result, but without any illusion that the result should even be regarded as a rational policy outcome, let alone celebrated as a milestone in protecting privacy," he wrote.