US Court of Appeals will not re-hear case on scope of data warrant served on Microsoft

Out-Law News | 27 Jan 2017 | 10:38 am | 2 min. read

The US Court of Appeals has rejected an application by the US government to re-hear a case it ruled on last year which concerned the scope of a warrant issued to Microsoft for the disclosure of customer data.

At the time, the Court of Appeals ruled that Microsoft did not have to disclose the data it held on the basis that the warrant issued under the US Stored Communications Act did not apply to data held outside the US. The data sought by the US authorities was stored on Microsoft's servers in Ireland. Those authorities were looking for the information as part of a criminal investigation.

The Court of Appeals ruling overturned an earlier US district court judgment which Microsoft had challenged on privacy grounds.

The US government asked the Court of Appeals to reconsider the case. It warned the ruling would allow "electronic communication service providers" to "thwart legitimate and important criminal and national security investigations, while providing no offsetting, principled privacy protections".

However, at the time of the July 2016 ruling, Microsoft president and chief legal officer Brad Smith said: "If people around the world are to trust the technology they use, they need to have confidence that their personal information will be protected by the laws of their own country."

Despite dissenting views from four of the Court of Appeals judges, the required majority of judges in favour of a rehearing was not reached, and so the US government's application was rejected (60-page / 439KB PDF). An appeal could still be lodged before the US Supreme Court.

Court of Appeals judge Susan Carney, who voted to reject the application for a rehearing, nevertheless said that there is a case for the Stored Communications Act (SCA) to be reformed.

"The theme running through the government’s petition and the dissents is the concern that, by virtue of the result the panel reached, US law enforcement will less easily be able to access electronic data that a magistrate judge in the United States has determined is probably connected to criminal activity," Carney said. "My panel colleagues and I readily acknowledge the gravity of this concern. But the SCA governs this case, and so we have applied it, looking to the statute’s text and following the extraterritoriality analysis of [case law]."

"We recognise at the same time that in many ways the SCA has been left behind by technology. It is overdue for a congressional revision that would continue to protect privacy but would more effectively balance concerns of international comity with law enforcement needs and service provider obligations in the global context in which this case arose," she said.

Carney suggested how the US law could be updated to make it easier to "reach a result that better reconciles the interests of law enforcement, privacy, and international comity".

"In an analytic regime, for example, that invited a review of the totality of the relevant circumstances when assessing a statute’s potential extraterritorial impact, we might be entitled to consider the residency or citizenship of the client whose data is sought, the nationality and operations of the service provider, the storage practices and conditions on disclosure adopted by the provider, and other related factors," Carney said.

"And we can expect that a statute designed afresh to address today’s data realities would take an approach different from the SCA’s, and would be cognisant of the mobility of data and the varying privacy regimes of concerned sovereigns, as well as the potentially conflicting obligations placed on global service providers like Microsoft," she said.