Microsoft must turn over a customer’s personal data stored at a Dublin, Ireland, data center to the US government, a federal magistrate judge ruled earlier this month.
Judge James Francis said companies like Microsoft and Google must comply with search warrants from US law enforcement agencies seeking customer data regardless of where that data is stored, Reuters reported.
Documents related to the warrant, approved by Francis in December, are sealed and it is unclear which agency is seeking the data. The request, however, includes the customer’s name, all emails they have sent and received, times they have spent online and credit card numbers and bank accounts they may have made payments with, according to news reports.
Microsoft challenged the warrant saying the government’s jurisdiction did not extend overseas. Francis struck the challenge down last week, saying that the burden of cooperating with foreign governments to secure such data would be too much of a burden on the US government and would impede law enforcement efforts.
Judge’s Decision Foreseen
This was an expected first step in the Redmond, Washington-based company’s effort to push the government to “follow the letter of the law when they seek our customers’ private data in the future,” David Howard, Microsoft’s corporate vice president and deputy general counsel, wrote in a blog post. “When we filed this challenge we knew the path would need to start with a magistrate judge, and that we’d eventually have the opportunity to bring the issue to a US district court judge and probably to a federal court of appeals.”
Just as the government cannot search a home outside US borders, it should not be able to search data stored overseas, Howard wrote.
Countering this argument, Francis referred to a law titled Stored Communications Act, which makes warrants that seek data more like subpoenas, and subpoenas for information must be complied with, regardless of where the information is stored.
Internet Ignorance Common
David Snead, an attorney and member of the Internet Infrastructure Coalition, said the judge’s ruling reflected a common misunderstanding of how the Internet works. “Too often, judges and other individuals believe that simply because a company is located in one country, they are not required to respect the laws of another,” he wrote in an email.
“This is particularly true when data is located in multiple jurisdictions. It is well-established law that courts in one country cannot compel companies to violate the laws of another country.”
Europe on Microsoft’s Side
The European government has sided with Microsoft on the issue. Mina Andreeva, a European Commission spokesperson, told the BBC that companies operating in Europe have to play by European rules, regardless of where they are headquartered.
“The European Parliament reinforced the principle that companies operating on the European market need to respect the European data protection rules – even if they are located in the US,” BBC quoted Andreeva as saying. “The commission’s position is that this data should not be directly accessed by or transferred to US law enforcement authorities outside formal channels of co-operation, such as the mutual legal assistance agreements or sectoral EU-US agreements authorizing such transfers.”
Access by other means should only be provided in “clearly defined, exceptional and judicially reviewable situations.”