Our search warrant case: Microsoft’s commitment to protecting your privacy

A few weeks ago, we won a major victory for our European customers in a lawsuit we brought against the US Department of Justice. A US court of appeals ruled that US search warrants do not reach our customers’ data stored abroad.

We brought this case because we believe that European citizens and organizations want their data protected by European privacy law, and they do not want their emails and documents at risk of being accessed by the US government pursuant to US law.

Microsoft continues to build new data centers in Europe to keep up with fast growing demand from our European customers. Keeping data close to our customers provides better and faster service. And it also helps increase trust in technology. For our European customers, the court ruling helps to address a salient concern about cloud solutions: which country’s laws govern access to the customer’s data. The court ruling confirms that US search warrants do not apply extraterritorially to customer data stored outside the United States, and supports the proposition that existing legal protections in the physical world apply equally in the digital domain.

July was a very good month for privacy protections in Europe. The Privacy Shield, which protects European’s data stored in the US, was adopted after extensive and rigorous debate and negotiations. And the European data protection authorities represented by the Article 29 Working Party said that they are willing to give the new EU-US data transfer framework time to prove itself. With the US court having ruled that US search warrants cannot reach data stored outside the United States, Europeans’ data stored in Europe is also better protected.

The warrant case is a good reminder that while legal frameworks differ, and many nuances exist, Europe and the US share common privacy values and goals. We therefore hope that the warrant case decision will help to make the Privacy Shield even more robust.

The imperative to protect the data of our European customers against unlawful access by governments led us at Microsoft to bring this case. At the time I led the law enforcement compliance work as Deputy General Counsel at our corporate headquarters in Redmond, Washington. With our colleagues across Microsoft’s legal department and our law firms, we brought this case to ensure that customer information would be provided to governments only in compliance with clear legal obligations. We believed that the statute relied upon by the US Department of Justice did not extend outside of the United States. And we believed that it was important to bring a lawsuit to protect the privacy interests of our customers around the world.

Armed with extensive legal research, we challenged a criminal search warrant for an email stored in our Irish data center issued by a US court pursuant to the US Electronic Communications and Privacy Act, and its Stored Communications Act provisions. We lost in the federal court that issued the search warrant, and in fact Microsoft was held in contempt of court. We appealed to the decision to the federal appeals court, and on July 14 we prevailed. The court ruling provides a robust legal analysis that relies strongly on a recent ruling by the US Supreme Court on the extraterritorial reach of US laws. We believe that US authorities should work within the international framework for obtaining customer data stored outside the United States, such as the US-Ireland Mutual Legal Assistance Treaty. We also believe that a multi-stakeholder dialogue can lead to a sustainable international legal framework for the Internet and data centers that protects the privacy and security of people and organizations, and continues to enable data to flow freely over the internet and across borders. Through democratic processes, governments can determine the protections and exceptions for stored communications and documents, but we believe legal rules should respect nation’s sovereignty in the digital age, and international cooperation and agreements provide the best path forward.

The lawsuit has drawn attention and support from a large number of European and US privacy advocates, computer scientists, trade associations and media and technology companies who filed amicus briefs with the court of appeals. MEP Jan Albrecht, the driver behind the EU’s upcoming new and strong privacy laws, and even the Irish government also filed amicus briefs.

The US Department of Justice will decide in the coming months whether to accept the ruling from the Court of Appeals, or whether to seek a further appeal of the ruling. If the case proceeds, I believe it will be especially important for European individuals, organizations and governments to provide their views to the US courts on these critical issues.

John Frank
Vice President for UN Affairs

John Frank is Vice President for UN Affairs at Microsoft. In this role, John and his team are focused on advancing multistakeholder solutions towards a more accessible and equitable digital environment and a healthier planet, and opportunities for computer and data sciences to help the UN and its agencies to achieve more.  The team works from New York, Geneva, and Seattle. Previously, John led Microsoft’s European government affairs teams in Brussels and European national capitals on EU issues, especially legal frameworks for cloud computing in areas such as cybersecurity, AI ethics, lawful access and privacy. From 2002 to 2015 he served as Deputy General Counsel and Chief of Staff for Microsoft President Brad Smith, based at Microsoft’s corporate headquarters in Redmond, Washington. In this role, he led the digital trust and security group, including the law enforcement and national security team, the digital crimes unit, the industry affairs group and the competition law, privacy and government contract compliance teams.  From 1996 to 2002, John led Microsoft’s legal and corporate affairs group for Europe, the Middle East and Africa, based in Paris. Prior to joining Microsoft, John practiced law in San Francisco with Skadden, Arps, Slate, Meagher & Flom. John received his AB degree from the Princeton University School of Public and International Affairs and his JD from Columbia Law School.