Stanford CIS

Microsoft just won a big privacy fight with the government. Here’s what that means.

By Henry Farrell

Over the past couple of years, the U.S. government and Microsoft have been fighting a legal battle over whether Microsoft has to provide customers’ email that is stored on company servers located in Ireland. On Thursday, a federal appeals court ruled against the government, saying Microsoft was under no legal obligation to provide the data.

This case has been very closely watched, as it has very important implications for how the U.S. legal system deals with a world where data moves easily across borders.

Jennifer Daskal is an assistant professor at American University’s Washington College of Law. I asked her to explain the issues at stake in the case, and what is likely to happen next.

HF: A U.S. appeals court has just ruled that the government cannot compel Microsoft to provide customer data that was held offshore. This is a big defeat for the U.S. government. Why did the court rule this way?

JD: The question before the court was whether the government could compel, via warrant, the production of emails that were held by Microsoft in a data center in Ireland. This required an evaluation of the 30-year-old Electronic Communications Privacy Act, written when the Internet was still in its infancy, to determine whether Congress intended for the relevant warrant authority to reach data held outside the United States’ borders. It turns out that Congress didn’t even contemplate, let alone intend, that possibility. Relying in large part on the presumption against extraterritoriality, the Second Circuit ruled in favor of Microsoft and concluded that the warrant authority does not reach the communications content stored abroad. If U.S. law enforcement agents want to access such data, they now need to make a diplomatic request to the foreign government where the data is located to get it.

HF: In your academic work, you’ve suggested that major problems arise when states try unilaterally to get access to data that is held outside their territory. Did these problems surface in the Microsoft case?

JD: This wasn’t directly an issue in the Microsoft case, since the U.S. government was proceeding by a warrant based on probable cause (a privacy-protective standard) and its actions did not directly conflict with Irish law. But one could easily imagine a situation in which governments around the world asserted the right to unilaterally access data, without regard to other states’ equities in the data. This would yield an almost inevitable race to the bottom in terms of the privacy protections that would apply. It would, for example, be increasingly difficult for the United States to protect its citizens’ and residents’ data from the reach of foreign jurisdictions if at the same time it was unilaterally compelling production of data from foreign jurisdictions via the kind of broad-reaching warrant authority it claimed in this case.

Read the full interview at The Washington Post.