Microsoft wins appeal over access to Irish emails

Customer's mail is stored on an Irish server

A US court reversed a 2014 ruling ordering the company to hand over emails.


Microsoft will not be forced to turn over emails stored in Ireland to the US government for a drug investigation, an appeals court said in a decision that may affect data security throughout the US technology industry.

In a ruling yesterday, which will be closely studied by the technology industry in Ireland, the court overturned a 2014 decision ordering Microsoft to hand over messages of a suspected drug trafficker. The company argued that would create a “global free-for-all” with foreign countries forcing companies to turn over evidence stored in the US.

The government said a ruling in favor of Microsoft would create a legal loophole to be exploited by fraudsters, hackers and drug traffickers.

The law doesn’t “authorise courts to issue and enforce against US-based service providers warrants for the seizure of customer e-mail content that is stored exclusively on foreign servers,” US circuit Judge Susan Carney wrote for the majority of the New York appeals court.

The US government is considering its options, Peter Carr, a spokesman for the US Department of Justice, said in a statement. “Lawfully accessing information stored by American providers outside the United States quickly enough to act on evolving criminal or national security threats that impact public safety is crucial to fulfilling our mission to protect citizens and obtain justice for victims of crime,” Carr said.

Microsoft said the ruling is a win for the protection of people’s privacy rights under their own laws, rather than the reach of foreign governments.

“As a global company we’ve long recognised that if people around the world are to trust the technology they use, they need to have confidence that their personal information will be protected by the laws of their own country,” Microsoft said.

Welcoming the judgment, Microsoft president and chief legal officer Brad Smith told The Irish Times the court had taken a “common sense” approach to the judgment and that there was no way Congress could have intended the law in question to reach outside the US.

Mr Smith said Microsoft was very grateful for the support of the Irish government in the case and that the amicus brief filed by the government was important, as were briefs filed by other parties, including other tech firms.

“I think it’s very good news for the US tech sector and our data centre and presence in Ireland. I think it’s good news for the people of Ireland and across Europe who will now have greater confidence that their privacy rights will be protected by their own laws and won’t be subject to the reach of the US government on a unilateral basis.”

“I also think it makes it more important for the US government to modernise the law. We’ve been encouraging Congress to pass a new law. We have been encouraging new bilateral treaty negotiations. We’ve always said that the law can’t stand still, it does need to move forward. And now we hope that we can work with the US government to do that but in a way that’s also more sensitive to the needs of people across Europe.”

Mr Smith said the law in question was written in 1986. “No one was talking about the Internet in 1986, so what we need is a law that’s grounded in the technology needs that exist today.”

The name and home country of the customer involved have not been made public.

While this case was somewhat overshadowed in recent months by the battle between Apple and the US government over access to a terrorist’s iPhone, it has been closely watched by the technology industry with more than two dozen companies, including Apple, Inc and Cisco Systems Inc – many also with significant Irish operations – backing Microsoft in court.

Cisco said the ruling is important for companies charged with protecting confidential data held outside the US.

“It reinforces appropriate safeguards on the US government, and focuses law enforcement on the appropriate use of accepted international agreements,” the company said.

The dispute centered on the Electronic Communications Privacy Act of 1986, a law passed before the widespread use of e-mail, instant messages and Internet-based social networks. Its aim was to protect user privacy and the law didn’t envision the application of warrant provisions overseas, the appeals court said.

As more technology companies sell customers the ability to process and store their data using Internet-based cloud services, information is increasingly being housed in massive data centers around the world, a situation that the relevant US law didn’t anticipate when it was written three years before the invention of the World Wide Web.