Microsoft Fix for MiTM Security Patch Reveals Need for Thoughtful Patching Procedures

Most organizations understand the importance of implementing software updates and patches in a timely manner. However, open platforms have permitted a level of customization such that a patch in one application may have unintended consequences in other parts of the overall system architecture, including customization of the software being updated. A good example is the recent Microsoft security… Continue Reading

Second Circuit Holds That U.S. Cannot Compel By Warrant Microsoft’s Production of Emails Stored Outside of U.S., Citing The Stored Communications Act’s Privacy Protections and Lack of Extraterritorial Effect

A three-judge panel of the U.S. Court of Appeals for the Second Circuit today unanimously reversed a lower court’s denial of Microsoft’s motion to quash a warrant seeking the content of emails for a customer of its Outlook.com email service. The decision is surprising in that U.S. courts, including the Second Circuit, have traditionally enforced government process seeking documents … Continue Reading

Microsoft contempt ruling overturned for failing to produce emails in Ireland!

In 1986 Congress passed the Stored Communications Act (SCA) to control telephone records, long before the Internet we know today, but the SCA is the main law that Internet companies rely on to protect users’ content. In passing the SCA in 1986, “Congress focused on providing basic safeguards for the privacy of domestic users.” Nonetheless… Continue Reading

2nd Circuit: Government Cannot Force Companies to Hand Over Communications Data Stored Overseas

The Second Circuit today issued a much-anticipated ruling holding that U.S. firms are not required to turn over user data stored overseas, even in the face of a government warrant.  This decision arose from Microsoft’s December 2014 appeal of a civil contempt ruling against the tech giant for refusing to turn over the personal data… Continue Reading

The post 2nd Circuit: Government Cannot Force Companies to Hand Over Communications Data Stored Overseas appeared first on Data Law Insights.

Microsoft wins landmark US appeal against search warrant for emails stored in Ireland

The US Second Circuit Court of Appeals, overturning an earlier ruling from a lower court, has held that the US Government cannot compel Microsoft to hand over emails stored on a server in Dublin in a narcotics case. The decision is a milestone victory for privacy rights and will be greatly welcomed by US technology companies storing data abroad. It should also provide reassurance to European citizens that their data will be protected by European data protection laws and that the US legal system will respect their privacy rights.

A previous decision from the Southern District court of New York had denied Microsoft's motion to quash a search warrant issued under the Stored Communications Act (the SCA), and held Microsoft in contempt of court for refusing to execute the warrant on the Government's behalf. Microsoft had challenged the order on the basis that it would need to obtain customer consent in order to import the data into the US for delivery to the federal authorities.

The Court, finding in favour of Microsoft, held that Congress did not intend the SCA's warrant provisions to apply extraterritorially, citing a presumption against extraterritorial application of US statutes absent a clear contrary intent. It emphasised that "the SCA’s focus lies primarily on the need to protect users’ privacy interests."   

Microsoft's Chief Legal Officer, Brad Smith, described the judgment as "a major victory for the protection of people’s privacy rights under their own laws rather than the reach of foreign governments".

Support for Microsoft's legal challenge

Over 80 amicus curiae briefs supporting Microsoft's appeal had been filed by leading technology and media companies, trade associations, advocacy groups, computer scientists, and the Irish Government itself.

The significance of the judgment notably turns on the rising concerns amidst the technology sector of a "free for all", giving law enforcement authorities extensive powers to seize data stored outside their jurisdiction. The decision secures privacy protections for companies moving the data they hold to cloud systems outside the US. It remains to be seen whether the US government will appeal the decision to the Second Circuit en banc or the Supreme Court.

A push to modernise a 30 year-old law

Judge Lynch, concurring with the judgment, recognised the many problems of Internet privacy that the SCA does not address, and called for Congress to clarify and revise the "badly outdated statute". In underlining the prosecution's argument that the law as it stands allows companies like Microsoft to impede law enforcement efforts, he said that it was Congress's role "to strike a balance between privacy interests and law enforcement needs".

This case is of particular significance for companies holding data in Ireland as it provides some level of assurance that the US courts will not, for now, assist US authorities to circumvent the existing Mutual Legal Assistance Treaty (MLAT) process. The MLAT provides for bilateral mutual legal assistance between the EU and the US authorities in relation to the provision of information necessary for public security and criminal investigation, and has inbuilt procedural safeguards.

Second Circuit Holds That U.S. Cannot Compel By Warrant Microsoft’s Production of Emails Stored Outside of U.S.

A three-judge panel of the U.S. Court of Appeals for the Second Circuit today unanimously reversed a lower court’s denial of Microsoft’s motion to quash a warrant seeking the content of emails for a customer of its Outlook.com email service. The decision is surprising in that U.S. courts, including the Second Circuit, have traditionally enforced government process seeking documents or data stored abroad from entities that have control over the information under the test of “control, not location.” This case could have a significant impact on cloud providers’ decisions to store information abroad. It also serves, in the midst of debates about the newly enacted Privacy Shield and the recent challenge to Standard Contractual Clauses now before the Court of Justice of the European Union, as a counterbalance to arguments that some make about the U.S. legal system not respecting personal privacy.