News

U.S. Supreme Court To Review Microsoft's Dublin Datacenter Case

• By Kurt Mackie
• October 16, 2017

The years-long dispute over whether Microsoft must submit to government requests for data stored in an offshore datacenter is going to the U.S. Supreme Court.

The case goes back to 2013, when Microsoft was ordered to turn over e-mails stored in its datacenter in Dublin, Ireland by U.S. authorities pursuing an unnamed person suspected of illegal drug activities. Lower courts had consistently told Microsoft to hand over the data, though Microsoft appealed those rulings with the backing of other cloud service providers, including Apple, AT&T, Cisco and Verizon.

On July 2016, the Court of Appeals for the Second Circuit determined that Microsoft did not have to turn over the e-mails. On Monday, the Supreme Court ordered a review of that ruling.

Microsoft's current stance is that "U.S. federal or state law enforcement cannot use traditional search warrants to seize emails of citizens of foreign countries that are located in data centers outside the United States," according to Brad Smith, president and chief legal officer at Microsoft, in an announcement Monday.

Microsoft also doesn't agree with the government's view that the service provider owns the e-mail data, "which would cause people to lose their rights when they go online," Smith noted.

Current U.S. laws associated with the 1986 Electronic Communications Privacy Act are outdated and inadequate in the cloud computing world, and weren't intended for use outside the United States, Smith contended. For its part, Microsoft is backing a congressional effort to address "cross-border data access" issues. The effort, International Communications Privacy Act of 2017 (S.2986), sponsored in the Senate by Orrin Hatch, defines how such warrants should be processed. It permits search warrants "only if the foreign government does not have a Law Enforcement Cooperation Agreement with the United States or, if it does have such a Law Enforcement Cooperation Agreement, the foreign government does not object to disclosure."

A Law Enforcement Cooperation Agreement means a mutual agreement or treaty, or it can be an executive agreement between the United States and "one or more countries," according to S.2986.

The bill was introduced last year and was referred to the Senate Judiciary Committee. There's also an identical bill in the House (H.R.5323).

Microsoft, being a U.S.-based company, has to follow U.S. laws, but the bill, if passed, would free service providers in general, including Microsoft, from having to side with one government over another in cases where the data are stored abroad, an important consideration for cloud service providers. The bill mostly seems to be a clarifying measure. It seems to streamline search warrants even when the U.S. government doesn't have a Law Enforcement Cooperation Agreement in place with a foreign government, although it's unclear how such warrants would be enforced.

Microsoft regularly complies with U.S. law enforcement requests for domestic data, with some challenges. However, this case could prove important for Microsoft and other service providers to gain trust internationally, especially in Europe, where data sovereignty and privacy issues are more greatly pursued than in the United States.

The case is known as United States v. Microsoft Corp., 17-2.