Our search warrant case: Microsoft’s commitment to protecting your privacy

A few weeks ago, we won a major victory for our European customers in a lawsuit we brought against the US Department of Justice. A US court of appeals ruled that US search warrants do not reach our customers’ data stored abroad.

We brought this case because we believe that European citizens and organizations want their data protected by European privacy law, and they do not want their emails and documents at risk of being accessed by the US government pursuant to US law.

Microsoft continues to build new data centers in Europe to keep up with fast-growing demand from our European customers. Keeping data close to our customers provides better and faster service. And it also helps increase trust in technology. For our European customers, the court ruling helps to address a salient concern about cloud solutions: which country’s laws govern access to the customer’s data. The court ruling confirms that US search warrants do not apply extraterritorially to customer data stored outside the United States, and supports the proposition that existing legal protections in the physical world apply equally in the digital domain.

July was a very good month for privacy protections in Europe. The Privacy Shield, which protects Europeans’ data stored in the US, was adopted after extensive and rigorous debate and negotiations. And the European data protection authorities represented by the Article 29 Working Party said that they are willing to give the new EU-US data transfer framework time to prove itself. With the US court having ruled that US search warrants cannot reach data stored outside the United States, Europeans’ data stored in Europe is also better protected.

The warrant case is a good reminder that while legal frameworks differ, and many nuances exist, Europe and the US share common privacy values and goals. We therefore hope that the warrant case decision will help to make the Privacy Shield even more robust.

The imperative to protect the data of our European customers against unlawful access by governments led us at Microsoft to bring this case. At the time I led the law enforcement compliance work as Deputy General Counsel at our corporate headquarters in Redmond, Washington. With our colleagues across Microsoft’s legal department and our law firms, we brought this case to ensure that customer information would be provided to governments only in compliance with clear legal obligations. We believed that the statute relied upon by the US Department of Justice did not extend outside of the United States. And we believed that it was important to bring a lawsuit to protect the privacy interests of our customers around the world.

Armed with extensive legal research, we challenged a criminal search warrant for an email stored in our Irish data center issued by a US court pursuant to the US Electronic Communications and Privacy Act, and its Stored Communications Act provisions. We lost in the federal court that issued the search warrant, and in fact Microsoft was held in contempt of court. We appealed the decision to the federal appeals court, and on July 14 we prevailed. The court ruling provides a robust legal analysis that relies strongly on a recent ruling by the US Supreme Court on the extraterritorial reach of US laws. We believe that US authorities should work within the international framework for obtaining customer data stored outside the United States, such as the US-Ireland Mutual Legal Assistance Treaty. We also believe that a multi-stakeholder dialogue can lead to a sustainable international legal framework for the Internet and data centers that protects the privacy and security of people and organizations, and continues to enable data to flow freely over the internet and across borders. Through democratic processes, governments can determine the protections and exceptions for stored communications and documents, but we believe legal rules should respect nations’ sovereignty in the digital age, and international cooperation and agreements provide the best path forward.

The lawsuit has drawn attention and support from a large number of European and US privacy advocates, computer scientists, trade associations and media and technology companies who filed amicus briefs with the court of appeals. MEP Jan Albrecht, the driver behind the EU’s upcoming new and strong privacy laws, and even the Irish government also filed amicus briefs.

The US Department of Justice will decide in the coming months whether to accept the ruling from the Court of Appeals, or whether to seek a further appeal of the ruling. If the case proceeds, I believe it will be especially important for European individuals, organizations and governments to provide their views to the US courts on these critical issues.

John Frank
Vice President for EU Government Affairs

John Frank is Vice President EU Government Affairs and is leading the Microsoft Brussels office. Prior to this role Frank was Vice President and Deputy General Counsel, leading the Digital Trust and Security group which includes the Law Enforcement and National Security team, the Digital Crimes Unit, the Industry Affairs group, and Competition Law, Privacy and Government Contract Compliance teams. Frank joined Microsoft in Paris in August 1994. His responsibilities focused on competition law matters with the European Commission and national governments, software licensing and copyright law and regulatory policy for the Internet. Prior to joining Microsoft, Frank practiced law in San Francisco with Skadden, Arps, Slate, Meagher & Flom. Mr. Frank received his A.B. degree from the Woodrow Wilson School of Public and International Affairs at Princeton University and his J.D. from Columbia Law School.