A US judge has ordered Microsoft to hand over foreign data it stores back to the US, despite allegedly strong privacy protections in Europe to mitigate such processes.
The logic of the court is that because the US-headquartered software giant controls the data it stores overseas, its foreign subsidiary companies are just as applicable to US law.
US District Judge Loretta Preska in New York said the ruling will be stayed to allow Microsoft to appeal the decision to an appeals court.
"It is a question of control, not a question of the location of that information," Preska said in the ruling.
The ruling means that users in Europe and further afield of Microsoft's services — and others, including Apple, Google, Yahoo, Facebook, and Twitter, with a headquarters in the US — are not immune from having their data handed over to the US government for law enforcement or intelligence purposes.
Microsoft initially challenged the order, saying that local laws must apply in respect of each jurisdiction.
Microsoft's general counsel Brad Smith said in remarks following the ruling:
“The only issue that was certain this morning was that the District Court’s decision would not represent the final step in this process. We will appeal promptly and continue to advocate that people’s email deserves strong privacy protection in the U.S. and around the world.”
Smith argued in the Wall Street Journal on Tuesday that the US government "can't force American tech companies to turn over customer emails stored exclusively in company data centers in other countries."
"Microsoft believes you own emails stored in the cloud, and that they have the same privacy protection as paper letters sent by mail. This means, in our view, that the U.S. government can obtain emails only subject to the full legal protections of the Constitution's Fourth Amendment," he said.
But because the case rests on data stored by Microsoft in its Dublin, Ireland-based datacenter, that data should also fall under the purview of Irish and European data protection laws, of which Ireland is a member state.
Verizon came to a similar conclusion in a blog post by its general counsel Randall Milch in January. "The U.S. government cannot compel us to produce our customers' data stored in datacenters outside the U.S., and, if it attempts to do so, we would challenge that attempt in court," he said in a blog post.
Academics and legal experts strongly refuted the claims that US law already has provisions to allow the US government to demand foreign data held by American telecom and technology companies.
Verizon spokesperson Ed McFadden said at the time that Verizon would "let the report stand on its own," and did not comment further.
A month later, US Magistrate Judge James Francis ruled against Microsoft, putting every US technology giant in the country at risk of domestic data requests for foreign data.
Milch said not long after Microsoft's court ruling came out that Verizon believes the court's ruling was "wrong," but did not apologize for his incorrect and misleading statements.
The company also filed an amicus brief in support of Microsoft's case.
New proposals set to come into force following extensive scrutiny and voting later this, or next year, will reform Europe's data protection laws. These proposals seek to prevent a European subsidiary of a parent company, such as in the US, from handing over data to a third-country for law enforcement or intelligence purposes.
European authorities have repeatedly said, regardless of where a EU-based company's parent is headquartered, that subsidiary must abide by European law.
Falling foul of that could result in a breach of European law, and therefore international law, EU Justice Commissioner Viviane Reding previously told ZDNet.