Microsoft defeats DOJ appeal in cloud data privacy case

Microsoft notches another win in its battle to protect cloud data privacy, as an appeals court quashes the DOJ appeal over a warrant for data stored in an Ireland data center.

Microsoft notched another win in its battle to protect cloud data privacy for data stored outside of the United States when an appeals court declined to reconsider its decision preventing the U.S. government from forcing Microsoft to turn over cloud data.

The legal battle began when the U.S. Department of Justice (DOJ) issued a warrant in December 2013, ordering Microsoft to disclose contents of emails stored on a server in Ireland that were connected with an unnamed suspected drug dealer.

"The theme running through the government's petition and the dissents is the concern that, by virtue of the result the panel reached, U.S. law enforcement will less easily be able to access electronic data that a magistrate judge in the United States has determined is probably connected to criminal activity," U.S. Circuit Judge Susan Carney wrote in the decision for Microsoft v. U.S., 2nd U.S. Circuit Court of Appeals, No. 14-2985.

There was no question the Stored Communications Act (SCA) -- the 1986 law under which the original warrant was issued -- does not apply to searches for data residing outside the U.S., according to Carney. "We recognize at the same time that, in many ways, the SCA has been left behind by technology," she wrote in the decision. "It is overdue for a congressional revision that would continue to protect privacy, but would more effectively balance concerns of international comity with law enforcement needs and service provider obligations in the global context in which this case arose."

Microsoft opposed the original warrant to access the cloud data in the case because the emails were held in Microsoft's Dublin data center. The software giant argued the data center was outside the jurisdiction of U.S. law enforcement, so the DOJ should go through established channels with the Irish government to obtain the data.

The court affirmed last year's ruling to overturn a 2014 decision by U.S. Magistrate Judge James Francis that would have forced Microsoft to violate cloud data privacy and turn over emails of a suspected drug dealer under investigation by the DOJ.

In July 2016, the original appeal request was heard by a three-judge panel of the appellate court, which turned down the government's request to appeal the 2014 decision. The government requested the court to hear the appeal "en banc," meaning all of the court's judges -- excepting only those who have been recused from the case -- heard the appeal. The eight judges were split evenly, so without a majority of the court voting to allow the appeal, the DOJ has to reconsider its options.

Next Steps

Find out more about how the Microsoft privacy case and the adoption of the EU-U.S. Privacy Shield framework are affecting privacy rights

Learn about why -- and how -- Microsoft is advocating for privacy and strong encryption

Read about how conflict between the FBI and Apple over unlocking phones could affect enterprise mobility management

Dig Deeper on Compliance