Updated Microsoft has won a landmark legal action against the US government over protecting the privacy of non-US citizens on non-US servers. The appeals court decision invalidates a key legal tool the US government uses extraterritorially.

The software company voluntarily put itself in contempt of court by challenging Uncle Sam's ability to seize email messages on overseas servers under the 1986 Stored Communications Act. As much as 90 per cent of Europeans' personal data is processed by US services and 82 per cent of Facebook’s European data passes through Ireland.

"The government is using power that Congress never gave it: the ability to go around the world and hoover up emails pursuant to a search warrant," Microsoft’s chief legal officer Brad Smith explained earlier this year. "It's in effect saying to the people of Ireland, their law doesn't matter ... that is not a recipe for the success of the US technology sector, and not a recipe that people have trust in technology."

Today, the Second Circuit Appeals Court agreed [PDF] that Microsoft didn’t have to hand over the data.

“We conclude that § 2703 of the Stored Communications Act does not authorize courts to issue and enforce against US‐based service providers warrants for the seizure of customer e‐mail content that is stored exclusively on foreign servers,” the court ruled, adding:

We conclude that Congress did not intend the SCA’s warrant provisions to apply extraterritorially. The focus of those provisions is protection of a user’s privacy interests. Accordingly, the SCA does not authorize a US court to issue and enforce an SCA warrant against a United States‐based service provider for the contents of a customer’s electronic communications stored on servers located outside the United States. The SCA warrant in this case may not lawfully be used to compel Microsoft to produce to the government the contents of a customer’s e‐mail account stored exclusively in Ireland.

The architect of Microsoft’s legal action told us in January that cloud providers had to win the public’s trust.

“By design we tell customers it is yours, we’re not going to access your data,” he said. “We view the SCA as a very important shield but one that now has a big hole in it. We get demands all the time from governments that don’t embrace democratic principles asking for all kinds of information on their customers”.

Microsoft thinks the International Communications Privacy Act (a successor to the LEADS, or Law Enforcement Access to Data Stored Abroad Act) would better protect non-US citizens’ data.

Updated to add

Microsoft's president and chief legal officer Brad Smith has been in touch with the following:

We obviously welcome today’s decision by the Second Circuit Court of Appeals. The decision is important for three reasons: it ensures that people’s privacy rights are protected by the laws of their own countries; it helps ensure that the legal protections of the physical world apply in the digital domain; and it paves the way for better solutions to address both privacy and law enforcement needs.

First, this decision provides a major victory for the protection of people’s privacy rights under their own laws rather than the reach of foreign governments. It makes clear that the U.S. Congress did not give the U.S. Government the authority to use search warrants unilaterally to reach beyond U.S. borders. As a global company we’ve long recognized that if people around the world are to trust the technology they use, they need to have confidence that their personal information will be protected by the laws of their own country.

While Microsoft filed and persisted with this case, we benefited every step of the way from the broad support of many others. We are grateful for this support, including the filing of amicus briefs in the case by 23 technology and media companies, 28 trade associations and advocacy groups, 35 of the nation’s leading computer scientists, and the Government of Ireland itself. The enormous breadth of this support has been vital to the issue, and it remains so as we look to the future.

Second, since the day we filed this case, we’ve underscored our belief that technology needs to advance, but timeless values need to endure. Privacy and the proper rule of law stand among these timeless values.

Finally, as we’ve recognized since we filed this case, the protection of privacy and the needs of law enforcement require new legal solutions that reflect the world that exists today – rather than technologies that existed three decades ago when current law was enacted.

We’re encouraged by the recent bipartisan support that has emerged in Congress to consider a new International Communications Privacy Act. We’re also encouraged by the work of the U.S. Justice Department in pursuing a new bilateral treaty approach with the Government of the United Kingdom. Today’s decision means it is even more important for Congress and the Executive Branch to come together to modernize the law. This requires both new domestic legislation and new international treaties. We should not continue to wait. We’re confident that the technology sector will continue to roll up its sleeves to work with people in government in a constructive way. We hope that today’s decision will bring an impetus for faster government action so that both privacy and law enforcement needs can advance in a manner that respects people’s rights and laws around the world.