Recently, the U.S. Court of Appeals for the Second Circuit sided with Microsoft Corporation and global privacy advocates in the case of In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, No. 14-2985, 2006 WL 3770056 (July 14, 2016), by holding that the issuance of a warrant to obtain private emails stored on a Microsoft server in Dublin, Ireland, constituted an impermissible extraterritorial application of the Stored Communications Act, 18 U.S. Code §§ 2701 et seq. (“SCA”).
The Microsoft decision coincides with a rise of international tension over the data privacy interests of foreign customers of U.S. electronic communications providers. This tension was heightened by the Snowden revelations in 2013, sparking EU concerns about “unfettered” U.S. government surveillance, reaching a crescendo last October, when the Court of Justice of the EU, invalidated the fifteen year-old U.S.-EU Safe Harbor as not providing an “adequate” level of data protection. Thereafter, the U.S. and EU Commission rushed to develop a new EU-U.S. Privacy Shield Framework to replace Safe Harbor.
As some commentators have noted the Second Circuit’s ruling may incidentally help EU/U.S. data transfer mechanisms, including model contract clauses and the Privacy Shield program to survive this scrutiny. See Kenneth Withers, M. James Daley, and Taylor Hoffman, In Re Microsoft: U.S. Law Enforcement Not Entitled to Email Stored in Ireland (Aug. 28, 2016). While the Second Circuit’s ruling temporarily defused an explosive issue in EU/U.S. data protection relations, it left unresolved a number of practical issues regarding cross-border government investigations under the outdated SCA.