Privacy and data protection in the cloud suffered a setback on Thursday as the US federal court ruled that Microsoft must comply with the US warrant and hand over customer email data stored in its Dublin cloud datacentre.
District Judge Loretta Preska from the US Court for the Southern District of New York upheld a US magistrate judge’s ruling on Microsoft customer data held overseas.
Microsoft’s general counsel and executive vice-president, Brad Smith, said: “The District Court’s decision would not represent the final step in this process.
“We will appeal promptly and continue to advocate that people’s email deserves strong privacy protection in the US and around the world.”
It is believed that this is the first time an American enterprise is fighting the domestic search warrant for customer data stored outside the US. Other cloud providers including Verizon, Apple and Cisco are all backing Microsoft’s challenge against the court ruling around cloud customer data.
Just a day ahead of the ruling, Smith wrote a column on the Wall Street Journal explaining why Microsoft is opposing the US government’s demand for a customer’s email stored in Dublin, Ireland.
Smith wrote, “This dispute should be important to you if you use email, because it could well turn on who owns your email – you or the company that stores it in the cloud.
More on Microsoft
“Microsoft believes you own emails stored in the cloud, and that they have the same privacy protection as paper letters sent by email.”
The federal judge ruling comes three months after a US magistrate judge ordered Microsoft to give the District Court access to the contents of one of its customer’s emails stored on a server located in Dublin.
At that time, Microsoft challenged the ruling. It said: “The US government doesn’t have the power to search a home in another country, nor should it have the power to search the content of email stored overseas.”
But on Thursday, Judge Preska upheld the ruling saying the physical location of the data is irrelevant. According to the US Court, law authorises the American government to seek information – including content of an email – by way of subpoena, court order or warrant.
“Microsoft’s argument is simple, perhaps deceptively so,” Judge Francis had said in an official document in April when Microsoft challenged the ruling.
But Microsoft has argued that, just like a US search warrant in the physical world can only be used to obtain materials that are within the territory of the US, the same rules should apply in the online world. According to the Azure cloud provider, the data privacy provisions in the Electronic Communications Privacy Act (ECPA) do not apply outside of US territory.
The first US warrant for data was issued back in December 2013 when the US judges wanted access to a Microsoft customer’s email data stored in Ireland in connection with a narcotics investigation. Microsoft has continuously challenged the ruling.
Microsoft's €480m European datacentre in Dublin, catering to its Azure cloud users, opened in 2009.
Microsoft can appeal the district judge’s decision to the second US Circuit Court of Appeals. But the ruling may reinforce the data protection and privacy concerns in cloud services prevalent among European customers.
Read more on Datacentre disaster recovery and security
GCHQ bulk interception programme breached privacy rights, Strasbourg court rules
Facebook: US government does not engage in mass and indiscriminate surveillance
Privacy International warns of global risk to citizens if Microsoft loses US data access appeal
Irish High Court asks European court to rule on legality of EU-US data transfers