In what is being heralded as a win for privacy, a federal appeals court on Thursday ruled that Microsoft does not have to hand over to the U.S. government customer data held in another country.
According to Wired's senior writer Andy Greenberg, the ruling (pdf) by the 2nd U.S. Circuit Court of Appeals in Manhattan "just sent the American Justice Department a clear message about its ability to reach beyond U.S. borders to collect data with a search warrant: Keep your hands to yourself."
In its own statement welcoming the ruling, Microsoft calls it an "important decision for people everywhere."
"The decision is important for three reasons: it ensures that people's privacy rights are protected by the laws of their own countries; it helps ensure that the legal protections of the physical world apply in the digital domain; and it paves the way for better solutions to address both privacy and law enforcement needs," the statement adds.
TechDirt's Mike Masnick, meanwhile, writes that it "is a hugely important case concerning the privacy and security of our data."
Reuters summarizes the case thusly: "Microsoft had been challenging a warrant seeking emails stored on a server in Dublin, Ireland, in a narcotics case."
The Center for Democracy & Technology (CDT), which had filed an amicus brief in support of Microsoft in the case, has a backgrounder which explains the details more fully. It states, in part:
The animating question in this case is whether a U.S. law enforcement agency can compel a U.S. provider of communications service to disclose the content of digital information the provider stores outside the U.S. The Stored Communications Act (SCA), part of the Electronic Communications Privacy Act (ECPA) of 1986, does not explicitly address the issue. The SCA authorizes the Government to seek the contents of stored communications that are more than 180 days old, using a subpoena, a court order issued under 18 USC 2703(d), or a warrant. The Government takes the position that a subpoena can also compel disclosure of opened email no matter its age. However, Microsoft and most other large providers apply U.S. v. Warshak, 631 F.3d 266 (6th Cir. 2010) on a nationwide basis, and require warrants for all content. As a result, the stakes about resolution of this case are quite high: does a U.S. provider put content out of the reach of the U.S. government acting under the SCA by storing the data abroad?
The judges sided with Microsoft, writing in their decision:
We conclude that Congress did not intend the SCA's warrant provisions to apply extraterritorially. The focus of those provisions is protection of a user's privacy interests. Accordingly, the SCA does not authorize a U.S. court to issue and enforce an SCA warrant against a United States‐based service provider for the contents of a customer's electronic communications stored on servers located outside the United States. The SCA warrant in this case may not lawfully be used to compel Microsoft to produce to the government the contents of a customer's e‐mail account stored exclusively in Ireland. Because Microsoft has otherwise complied with the Warrant, it has no remaining lawful obligation to produce materials to the government.
"This ruling is a major affirmation that the rights we enjoy in the physical world continue to apply in the digital world," said Greg Nojeim, director of CDT's Freedom, Security, and Technology Project. "By declaring that a U.S. warrant cannot reach communications content stored abroad, the court ruled strongly in favor of privacy and national rule of law."
"Had the Department of Justice prevailed in this case," Nojeim continued, "other countries would follow the U.S. lead and start claiming access to data stored here in the U.S. based on their own laws. It would have been like the Wild West and disaster for privacy."
The appeals court rule may not be the end of the road. CNNMoney reports that "because of the significant implications about privacy and the limitations put on American law enforcement, it's a case that could make its way to the Supreme Court."