Cookies on Pinsent Masons website

This website uses cookies to allow us to see how the site is used. The cookies cannot identify you. If you continue to use this site we will assume that you are happy with this

If you want to use the sites without cookies or would like to know more, you can do that here.

European Commission intervenes in US dispute with Microsoft over access to data stored in Ireland

The European Commission has intervened in a long-running legal dispute between the US government and Microsoft over the rights of US law enforcement agencies to access data on technology companies' customers held on servers overseas under US law.08 Dec 2017

The Commission said the case, which is before the US Supreme Court, concerns the application of EU data protection laws. It has therefore decided to submit an 'amicus brief' to the court. It said the papers "will not be in support of either one of the parties".

"This case raises the question whether, under the US Stored Communications Act, US courts can require a US-based service provider to produce the contents of a customer's email account stored on a server located outside the United States, in this case Ireland," the Commission said in a statement.

"Given that the transfer of personal data by Microsoft from the EU to the US would fall under the EU data protection rules, the Commission considered it to be in the interest of the EU to make sure that EU data protection rules on international transfers are correctly understood and taken into account by the US Supreme Court," it said.

In October, Microsoft confirmed that the US Supreme Court had decided to hear an appeal from the US government in the case. The US Court of Appeals rejected an application by the US government to re-hear the case earlier this year, despite the US government arguing that the ruling would allow "electronic communication service providers" to "thwart legitimate and important criminal and national security investigations, while providing no offsetting, principled privacy protections".

The Court of Appeals ruled last year that Microsoft did not have to disclose data on a customer it held on the basis that the warrant issued under the 1986 US Stored Communications Act did not apply to data held outside the US. The data sought by the US authorities was stored on Microsoft's servers in Ireland. The authorities were looking for the information as part of a criminal investigation.

"This is an important case that people around the world will watch," said Microsoft president and chief legal officer Brad Smith in October.

"If US law enforcement can obtain the emails of foreigners stored outside the United States, what’s to stop the government of another country from getting your emails even though they are located in the United States?" Smith said in a blog. "We believe that people’s privacy rights should be protected by the laws of their own countries and we believe that information stored in the cloud should have the same protections as paper stored in your desk. Therefore, Congress needs to modernise the law and address these fundamental issues."

A proposed new International Communications Privacy Act (ICPA) was introduced before Congress earlier this summer. Smith said Microsoft backed the draft legislation.

"ICPA provides sensible ways for cross-border data access, including a robust legal process to access the email of Americans and notification of foreign countries, when required under international law," Smith said. "Without these important clarifications, technology companies, law enforcement and the courts will continue to interpret and apply a law to technologies and circumstances far beyond what Congressional leaders envisioned in 1986."

However, in written submissions to the Supreme Court, the US government said Microsoft could comply with the warrant it has been issued "by undertaking acts entirely within the United States".

The US Department of Justice (DoJ) said (76-page / 573KB PDF): "At most, Microsoft need only take the initial step of 'collect[ing]' data stored abroad by inputting commands at its facility in the United States… Because [the US Stored Communications Act] focuses on the domestic disclosure of information to the government, this case involves a permissible domestic application of the statute."