The legal battle between Microsoft and the US government over access to digital information stored in data centers outside US borders has quietly come to a close — for now.
On Thursday, the U.S. Court of Appeals for the Second Circuit reversed the original lower court’s decision and upheld the principal that email stored outside the US cannot be searched by US authorities. Although the US government said it is considering an appeal, the case has quieted for now.
US Court Protects Privacy
The case involved email from a suspected narcotics trafficker. The email originated in the US but was stored in a data center in Dublin, Ireland. In 2013, US authorities filed suit to force Microsoft to provide access to those communications.
Microsoft fought a court order to produce the email, arguing that a US court lacked jurisdiction over email stored abroad. And now it looks like the appeals court agreed.
Reacting to the decision Brad Smith, president and Chief Legal Officer for Microsoft, said the decision is significant because it:
- Ensures privacy rights are protected by the laws of the customers' own countries
- Ensures the legal protections of the physical world apply in the digital domain
- Paves the way for better solutions to address both privacy and law enforcement
He also pointed out that this goes beyond Microsoft, and impacts an entire digital industry that works and uses data as a primary resource. Multiple entities — 28 technology and media companies, 23 trade associations and advocacy groups, 35 of the nation’s leading computer scientists and the government of Ireland itself — all filed amicus briefs in support of Microsoft.
“The enormous breadth of this support has been vital to the issue, and it remains so as we look to the future,” he wrote in a statement following the decision.
Citing Apple's iPhone encryption battle with the US Dept. of Justice, he noted that digital companies are constrained by antiquated laws.
“The needs of law enforcement require new legal solutions that reflect the world that exists today — rather than technologies that existed three decades ago when current law was enacted,” he wrote.
Vendor Reaction to the Microsoft Case
Barry Jinks, CEO and co-founder of Colligo, an email management vendor, told CMSWire that the ruling is important not just for US enterprises, but for foreign firms looking to do business in the US.
“We host our configuration and analytics data in Microsoft’s Azure cloud. Because of the ability of the US government to compel U.S. corporations to turn over customer information stored on their servers, data sovereignty is a big issue for several of our enterprise customers outside the US,” Jinks told us
"It’s not only because of security concerns, but because they need to comply with privacy laws of their home country. To address this, we’ve been working to port our applications to Microsoft servers in regional data centers such as Canada, Australia and Germany. This ruling is significant because it provides Microsoft’s (and our) customers around the World assurance that their data will be protected from the US government if it’s located on servers outside the US."
Had the ruling gone in the opposite direction, it would have put US companies at a considerable commercial disadvantage in the global economy, he contended.
Global Data Standard?
It also rises the questions of the creation of a global data privacy standard that can be applied to enterprises globally so that data exchanges between geographies are standardized to protect digital information.
“I have to agree with the decision handed down by the Second District Court of Appeals. The person in question is not US based, nor the data. Most important in this is how this case highlights the need for global standards that address privacy, or at least more consistent standards among countries. Today, there is quite an unnecessary burden for industry to comply with so many rules of various jurisdictions,” said Scott Burt, president and co-founder of Integro, a Scottish information governance and content security solution vendor.
Even before last Thursday’s ruling, the European Union was making steps in this direction. In April, the European Commission launched a public consultation to given vendors and other interested groups the chance to offer their input on pending legislation. The review is intended to establish:
- Consistency between the e-privacy rules and the future General Data Protection Regulation
- Updating the scope of the e-privacy directive in light of the new market and technological reality
- Enhancing security and confidentiality of communications
- Addressing inconsistent enforcement across the EU
For the moment, there is considerable difference between jurisdiction in the US and in Europe. While the EU has an all-encompassing data protection framework (the Data Protection Directive) that applies across every member state, sectors and types of data, the US has no directly analogous federal equivalent.
Bob Larrivee, vice president and chief analyst at AIIM, provided this example of working with a French IT company:
“The policy was no personal emails on company systems. Under French law, even if you were suspected of breaking the policy, by law, the company could not open your emails as it was considered an invasion of your privacy. Here in the United States, the local entity of that company did have the right to open and examine anything — emails included — on the company servers,” he told CMSWire.
“It all came down to regulatory compliance and adhering to those guidelines with those regions of operation."
Far Reaching Privacy Implications
Last week's ruling will have far reaching implications for enterprises and one that will have been watched closed by other big cloud players that are trying to push their services into the enterprises space. It should also reassure cloud users about the safety of their data.
"Since Microsoft servers are located all around the world, it would make no sense to let the US government access all their data whenever they want to. I think this decision is a victory because it protects people’s privacy rights. Organizations are already wary enough of the cloud as it stands. To rule otherwise will also make them fear that the US government could dig up their data whenever they feel like it,” Simon de Baene, CEO and co-founder of data migration specialist vendor Sharegate, said.