Clouds, data centres and the location of data: a victory for Microsoft

The judgment of the 2nd US Circuit Court of Appeals in New York in Microsoft Corporation v USA (Case 14-2985), handed down on 14 July 2016, has been hailed as an important victory not only for the technology giant, but for privacy rights as well.

In brief, the case concerned a warrant issued under the Stored Communications Act (dating from 1986), ordering Microsoft to seize and produce to the US government the contents of a customer’s email account, on the grounds that there was cause to believe the email account was being used for the purposes of drugs trafficking. Microsoft refused to comply in full, on the grounds that the contents of the email account were stored on a server in Dublin. A court held Microsoft to be in contempt. Microsoft appealed. It won.

The Court held that the Stored Communications Act did not provide for the setting aside of the presumption against the extra-territorial application of US law. That Act had in fact aimed “to protect user privacy in the context of new technology that required a user’s interaction with a service provider”. That legislation was crafted in a pre-internet world. Congress could not have intended the warrant provisions to apply beyond the territorial limitations of the legislation. A warrant under that Act could not extend to information held in Dublin.

If you or your business are based in the EU, why should you pay any attention to this judgment? Assuming you are not trying to use your email account for drug trafficking, why is the Microsoft case of the remotest interest to you?

Here is one answer. Microsoft’s Outlook email service works – like many such services – roughly as follows.

There is a US parent company with a number of global subsidiaries. Its customers use Outlook all over the world. Their data is processed through a public cloud. That data – specifically, the contents of an email – is automatically directed so that it is housed on servers in data centres nearest to the customer’s location. Apart from some elemental information, the actual content of the email is not held by Microsoft anywhere else. It is only held on the server in the customer’s region. A Microsoft employee in the US can still access the contents of a Microsoft server in, say, Dublin. But the information is only held in Dublin.

That description underpinned the Court’s judgment in Microsoft. If the ability to access the Dublin server from the US sufficed to bring the Dublin drugs emails within the jurisdiction, then Microsoft would not have won.

This judgment, then, is interesting not only because it clamped down on the jurisdictional reach of policing search warrants in respect of personal email accounts. It also sheds light on increasingly relevant jurisdictional questions about data protection and privacy rights more broadly.

Robin Hopkins @hopkinsrobin