Microsoft Says Overseas Email Access Is Issue for Congress

Microsoft Corp., which has resisted U.S. law enforcement demands for emails stored in Ireland, told the U.S. Supreme Court that Congress should resolve the matter by updating privacy laws on digital data storage.

U.S. companies are the world leaders in cloud storage, and a decision forcing Microsoft to turn over emails stored on servers abroad could erode trust in U.S.-based providers, the company said in its most recent brief to the court, filed Jan. 11. The brief sets out how it will proceed at oral arguments scheduled for Feb. 27, Microsoft spokesman Sean O’Brien told Bloomberg Law Jan. 12.

The case against Microsoft involves a law enforcement Stored Communications Act request to turn over customer emails stored in Ireland allegedly related to a drug case. Microsoft didn’t turn over the information because it believed the government’s order was an improper extraterritorial application of the statute.

The U.S. Court of Appeals for the Second Circuit ruled in Microsoft’s favor in July 2016—the only federal appeals court to hold that records stored in data centers located abroad are out of reach.

The case gives the Supreme Court an opportunity to clarify the reach of SCA orders. Cloud computing companies and others that store data overseas will look to the case for guidance on how and when U.S. law enforcement can access that data. Congress could clear up such questions by updating the more than 30-year-old Electronic Communications Privacy Act (ECPA) and its subset, the SCA. Microsoft and the government agree that Congress should update both provisions.

Microsoft reiterated in its brief that “only Congress has the authority and tools” to overhaul the SCA to balance law enforcement, corporate, and citizen interests in stored data.

Cross-Border Issues

The Redmond, Wash.-based computer giant argued in its brief that a pro-government ruling would cause upheaval for cross-border privacy protections. It could also limit how the U.S. interacts with other countries in gathering important intelligence for law enforcement agencies, it said.

A ruling against Microsoft may give the U.S. “no basis to object when other countries reciprocate and unilaterally demand the emails of U.S. citizens stored in the United States from providers’ offices abroad,” according to the brief.

The Department of Justice declined to comment.

European Industry Concerns

Some of the EU’s largest trade groups filed a friend-of-the-court brief Jan. 11, generally in favor of Microsoft’s arguments, that raised concerns over a potential pro-government ruling.

Such a ruling would force EU companies to choose between breaking U.S. law or violating European laws such as the EU Data Protection Directive, EU member country privacy laws, and the forthcoming EU General Data Protection Regulation (GDPR) taking effect May 25, 2018.

It could also result in more requirements to store data locally that would further limit access to data by law enforcement, according to the brief. Data localization laws require companies to store citizen data within a specific country.

These arguments echo a Dec. 13 EU friend-of-the-court brief filed by the EU Commission, the EU’s executive arm.

The case is U.S. v. Microsoft Corp., U.S., No. 17-2, briefs filed 1/11/18.

To contact the reporter on this story: Daniel R. Stoller in Washington at dstoller@bloomberglaw.com

To contact the editor responsible for this story: Donald Aplin at daplin@bloomberglaw.com