Microsoft ordered to hand over overseas email, throwing EU privacy rights in the fire

Microsoft ordered to hand over overseas email, throwing EU privacy rights in the fire

Summary: US law can apply anywhere in the world, so long as a technology company has control over foreign data, a court rules.

(Image: Microsoft, via CNET/CBS Interactive)

A US judge has ordered Microsoft to hand over foreign data it stores back to the US, despite allegedly strong privacy protections in Europe to mitigate such processes.

The logic of the court is that because the US-headquartered software giant controls the data it stores overseas, its foreign subsidiary companies are just as applicable to US law.

US District Judge Loretta Preska in New York said the ruling will be stayed to allow Microsoft to appeal the decision to an appeals court.

"It is a question of control, not a question of the location of that information," Preska said in the ruling.

The ruling means that users in Europe and further afield of Microsoft's services — and others, including Apple, Google, Yahoo, Facebook, and Twitter, with a headquarters in the US — are not immune from having their data handed over to the US government for law enforcement or intelligence purposes.

Microsoft initially challenged the order, saying that local laws must apply in respect of each jurisdiction.

Microsoft's general counsel Brad Smith said in remarks following the ruling:

“The only issue that was certain this morning was that the District Court’s decision would not represent the final step in this process. We will appeal promptly and continue to advocate that people’s email deserves strong privacy protection in the U.S. and around the world.”

Smith argued in the Wall Street Journal on Tuesday that the US government "can't force American tech companies to turn over customer emails stored exclusively in company data centers in other countries."

"Microsoft believes you own emails stored in the cloud, and that they have the same privacy protection as paper letters sent by mail. This means, in our view, that the U.S. government can obtain emails only subject to the full legal protections of the Constitution's Fourth Amendment," he said.

But because the case rests on data stored by Microsoft in its Dublin, Ireland-based datacenter, that data should also fall under the purview of Irish and European data protection laws, of which Ireland is a member state.

Verizon came to a similar conclusion in a blog post by its general counsel Randall Milch in January. "The U.S. government cannot compel us to produce our customers' data stored in datacenters outside the U.S., and, if it attempts to do so, we would challenge that attempt in court," he said in a blog post.

Academics and legal experts strongly refuted the claims that US law already has provisions to allow the US government to demand foreign data held by American telecom and technology companies.

Verizon spokesperson Ed McFadden said at the time that Verizon would "let the report stand on its own," and did not comment further.

A month later, US Magistrate Judge James Francis ruled against Microsoft, putting every US technology giant in the country at risk of domestic data requests for foreign data.

Milch said not long after Microsoft's court ruling came out that Verizon  believes the court's ruling was "wrong," but did not apologize for his incorrect and misleading statements.

The company also filed an amicus brief in support of Microsoft's case.

New proposals set to come into force following extensive scrutiny and voting later this, or next year, will reform Europe's data protection laws. These proposals seek to prevent a European subsidiary of a parent company, such as in the US, from handing over data to a third-country for law enforcement or intelligence purposes.

European authorities have repeatedly said, regardless of where a EU-based company's parent is headquartered, that subsidiary must abide by European law.

Falling foul of that could result in a breach of European law, and therefore international law, EU Justice Commissioner Viviane Reding previously told ZDNet.

Topics: Microsoft, Privacy, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • What possible reform?

    This is a US company subject to US law. What possible reform could the EU put in place? All they can probably do is boot all US companies from their jurisdiction.
    x I'm tc
    • You are mistaken

      The companies at issue are European companies under European law, merely wholly owned by a US parent
      • Who is mistaken here

        The EU makes nothing at all "behind doors". You don't mess with your "big brother" or your "best friend". But in front of the public, of course, they play the role of the so-called "protective parents".

        That's the reason I took off all my sensitive data from the clouds, Google, Microsoft, Dropbox & co.

        I advise all my clients to use a hybrid cloud - sensitive data must remain locally and other can be put in EU cloud.

        Enough from Snowden burnings!
        • The USA order is a loss-loss decision, no one will get benefits

          The loss of MS: restricting the expand of the company. Foreign users may choos not to use MS services. Also if MS follow USA order, it will cause the conflict with other countires' laws.
          The loss of USA: Less tax from MS.

          What is the gain? only the emails from normal people?
          • Where is the Gain?

            Agree that it is a loss-loss situation. But question how are email's from normal people gaining anything in this? I don't think they gain either??
          • That is the loss

            if MS have to hand over the data, the owner of the account is in breach of EU data protection laws and is liable to prosecution for 'handing the data over to a third party without getting written permission' from those he corresponded with or anybody mentioned in his emails.

            Only if MS Ireland handed it over in response to a court order from the Irish courts, made by the local authorities on behalf of the US authorities would everything be okay. There are longstanding treaties for gathering such evidence.

            Just because the US authorities see the opportunity to take a shortcut and let MS do the donkey work, they are threatening the continued existence of the Cloud.
          • The loss is a complete dump of what little trust is left..

            ... for US companies.
            This is saying if they can get their hooks in you, US considers its laws are the only ones that matter across the world, and we already know protections for our own citizens are not respected and the government practically holds the rights of others in complete contempt as nonexistent, so, basically, any company with a US home is made into a tool of the US secret spying regime by this... They are ignoring EU privacy laws altogether, as if they don't exist. That can't be good for business here.
          • We had to let a US company out of a $800k contract

            because our local government (non-US country) was advised that the US can do exactly what is happening here. So, the American firm could not guarantee that our "foreign data" could be kept safe even residing on data centres within our country. A win for local companies, but a loss for the US company, and a loss for the whole RFP system and selecting the best proponent for the job. Ridiculous.
          • But it's only data stored in the US

            So if in the UE, it is illegal to hand the data over to third parties, end MS (Europe) will be penalised if it is handed over, then this ruling gives them little alternative but to run the data centres for EU customers, in the EU.

            So once again, the US courts destroy US jobs.
            Henry 3 Dogg
          • Unfortunately, it is NOT just about data stored in the USA

            it specifically says that it is stored overseas but since Microsoft is an American company that the data falls under American jurisdiction. It is totally wrong of course, a data center is not an embassy and so the judge has no right to demand that data be turned over from them without going through proper international channels first.

            And if the ruling stands under international law and the datacenters are treated the same way as embassies then the reverse would be true, foreign owned data centers in the US would not be subject to US laws but rather the laws of the parent company's country.
          • Paragraph 2 is exactly right

            Corporations are fully subject to the laws of the state that issued its charter. Wholly owned subsidiaries are fully subject to the authority of their parent companies. Therefore the law *can* require a domestic company to order its foreign subsidiaries to do something, even if it conflicts with foreign law.

            MS is between a rock and a hard place and needs to work its way out of its predicament one way or another. Unfortunately, what I expect to happen is for MS and other US corporations to have to stop providing network services in the EU. It's stupid, but that's what happens when politicians pass bad laws.
            John L. Ries
          • Almost right

            Yes the USA judge can order the USA based company to provide the data located abroad at the subsidiary -- but it is unenforceable order. The foreign subsidiary may obey the parent only within the law of its foreign location. The Federal judge has an obligation to apply and take into account the foreign law applicable as well. The bottom line is the order may stand, but the court that issued it has no enforcement capability.
          • "The Federal judge has an obligation"

            No she doesn't. Her obligation is to apply US law as she understands it and let the chips fall where they may. No more, no less.

            Politicians can't be held accountable for their foolish decisions if the courts keep bailing them out. The only way a bad law can be proven to be bad is if it is consistently enforced, so everyone can see the bad consequences.

            And longstanding popular opinion to the contrary, it is very possible for a bad law to be constitutional.
            John L. Ries
          • Incorrect assumption regarding judicial duty

            No, a judge's duty is not to uphold U.S. Law and let the chips fall where they may.

            A judge's duty is to uphold the Constitution, then the laws passed pursuant to the Constitution, then administrative code pursuant to executive authority. The first job of the judge, however, is to determine "is this Constitutional?" Not, "is this the law?"

            Under our Constitution, in stating the duties of the government, alongside legislative law is mentioned that all treaties have the force and effect of law. This means that foreign laws under treaty provisions are to be treated as if the legislature had passed them. They are not of Constitutional authority - meaning that in conflict, the Constitutional Law rises above treaties and legislative law alike.

            Under this test, absent a clear and pressing need, the foreign law should be the ruling authority, in upholding the Constitutional directive of honoring the treaties held with those nations (and here, Ireland specifically) as valid law.

            However, since the Supreme Court prefers to use our Constitution as toilet paper, rather than our foundational document establishing the right of law to be the ruling authority, this treaty establishment clause has become as ignored as the "raise and support Armies, but no Appropriation of Money to that Use shall be for a longer Term than two Years...." implicit notion that the federal government should not have a standing army, or the 10th Amendment's restraint on the federal government's scope of activities (all powers are SPECIFIC and ENUMERATED).
            Malakkar Vohryzek
          • Not quite.

            The judicial branch's job is to decide whether or not a law was broken when a case is brought before it claiming said law was, in fact, broken. The judicial branch today has way more power than the founding fathers intended.
          • There is no Constitution as long you have lawyer $500. per

            A judge's duty is to uphold the Constitution, and then the laws passed pursuant to the Constitution, then administrative code pursuant to executive authority. The first job of the judge, however, is to determine "is this Constitutional?" Not, "is this the law?"
            You could not be more right; but that is not the way things are done. Each Judge understanding of constitution his/hers way and not the way it should be. For example in New Jersey; you are individual contractor, you did job for large corporation, and you have being issued purchase order which says we are user tax exempted with the state exempt number. Now you get audited by state; State say O no they are not exempted you will pay their tax??? So the victim gets penalized and pays the user tax for the Organization that committed fraud. Apparently New Jersey Treasury Dept. is run in my opinion by “MAFIA” In 2005 I have being penalized in some of $26,000.00+ Thanks to our Judicial system
            Might all rotting in hell!!!!!
          • Usually...

            ...judges only consider constitutionality only if one of the litigants alleges unconstitutionality, or if there is a question in their minds as to the constitutionality of the legislation. And if they conclude that the action in question does not violate the statute, then standard practice is to not inquire further.

            This is called judicial economy and saves judges time and brain cells, and gets cases resolved faster (and arbitrating disputes is their primary function).
            John L. Ries
          • In any case...

            ...there is absolutely nothing in the US Constitution that limits the effect of search warrants to the territory of the US (if there is, feel free to point out chapter and verse).
            John L. Ries
          • You are mistaken

            "...there is absolutely nothing in the US Constitution that limits the effect of search warrants to the territory of the US (if there is, feel free to point out chapter and verse)."

            The very fact that the Constitution itself only applies to the territory of the US limits the effect of its search warrants to that territory. Outside the US, the Constitution is nothing more than a sheet of paper with text on it and holds no authority to enact search warrants.

            Try barging into a house in Germany based on a US search warrant and you'll find yourself in a German jail yourself pretty quickly.
          • MS is a US corporation

            And the warrant was served at corporate headquarters in Redmond. This is more like the case of a US resident being ordered to make available data stored on his private server in Ireland.
            John L. Ries