A federal appeals court on Thursday said the U.S. government cannot force Microsoft Corp and other companies to turn over customer emails stored on servers outside the United States.
The 3-0 decision by the 2nd U.S. Circuit Court of Appeals in Manhattan is a defeat for the U.S. Department of Justice and a victory for privacy advocates and for technology companies offering cloud computing and other services around the world.
Circuit Judge Susan Carney said communications held by U.S. service providers on servers outside the United States are beyond the reach of domestic search warrants issued under the Stored Communications Act, a 1986 federal law.
"Congress did not intend the SCA's warrant provisions to apply extraterritorially," she wrote. "The focus of those provisions is protection of a user's privacy interests."
Microsoft had been challenging a warrant seeking emails stored on a server in Dublin, Ireland, in a narcotics case.
It was believed to be the first U.S. company to challenge a domestic search warrant seeking data held outside the country.
Thursday's decision reversed a July 2014 ruling by then-Chief Judge Loretta Preska of U.S. district court in Manhattan requiring Microsoft to turn over the emails. It also voided a contempt finding against the company.
"We obviously welcome today's decision," Brad Smith, Microsoft's president and chief legal officer, said in a statement.
He said the decision gives people more confidence to rely on their own countries' laws to protect their privacy, rather than worry about foreign interference, and helps ensure that "legal protections of the physical world apply in the digital domain."
Peter Carr, a Justice Department spokesman, said the agency was disappointed by the decision and reviewing its legal options.
"Free-for-all" was feared
The case has attracted strong interest from the technology and media sectors, amid concern that giving prosecutors expansive power to collect data outside the country could make it harder for U.S. companies to compete there.
Dozens of companies, organizations and individuals filed briefs supporting Microsoft's appeal, including the U.S. Chamber of Commerce, Amazon.com Inc, Apple Inc, Cisco Systems Inc, CNN, Fox News Network, Gannett Co and Verizon Communications Inc.
Had the court gone the other way, "it would have been like the Wild West, with no clear, stable legal rules applying," Greg Nojeim, senior counsel with the nonprofit Center for Democracy & Technology in Washington, D.C., said in an interview.
Microsoft had said the warrant could not reach emails on the Dublin server because U.S. law did not apply there.
The Redmond, Washington-based company also said enforcing the warrant could spark a global "free-for-all," where law enforcement authorities elsewhere might seize emails belonging to Americans and stored in the United States.
Modernizing a 30-year-old law
Federal prosecutors countered that quashing warrants such as Microsoft's would impede their own law enforcement efforts.
But Judge Carney said limiting the reach of warrants serves "the interest of comity" that normally governs cross-border criminal investigations.
She said that comity is also reflected in treaties between the United States and all European Union countries, including Ireland, to assist each other in such probes.
Some law enforcement officials have said obtaining such assistance can, nonetheless, be cumbersome and time-consuming.
The Justice Department is working on a bilateral plan to streamline how U.S. and British authorities request data from companies in each other's country.
A bipartisan bill was introduced in the U.S. Senate in May to clarify when and where law enforcement may access electronic communications of U.S. citizens.
Circuit Judge Gerard Lynch, who concurred in the judgment, urged Congress to modernize the "badly outdated" 1986 law to strike a better balance between law enforcement needs and users' privacy interests and expectations.
Lynch said the law, as it stands now, lets Microsoft thwart an otherwise justified demand to turn over emails by the "simple expedient" of choosing to store them outside the United States.
"I concur in the result, but without any illusion that the result should even be regarded as a rational policy outcome, let alone celebrated as a milestone in protecting privacy," he wrote.