
Data Protection: New York District Court orders Microsoft to release "European" Data

US companies may be required by US authorities to release data even when such data is exclusively stored in European data centers.

Background

The case involved the e-mails of a Microsoft customer, which were stored in a data center of a Microsoft subsidiary in Ireland. The customer was being investigated on suspicion of drug trafficking, and the US government had demanded that Microsoft hand over the e-mails. To this end, a New York judge had already issued a search warrant in December 2013.

The Judgment

The New York District Court confirmed the lower court's decision, pursuant to which Microsoft is compelled to hand over a user's data to the US authorities even when such data is saved on a server in another country. This judgment allows investigators to access e-mails or documents of European users without complying with European laws, thus avoiding the customary (and often laborious) path of co-operating with the local authorities and circumventing the stricter requirements in Europe for obtaining data. The New York District Court found that the only relevant question is who has control of the data concerned, and not where the data is actually located.

The District Court did, however, suspend the enforcement of its judgment until the case is finally decided on appeal. Microsoft has already announced that it will exhaust all possible legal remedies against the judgment.

Comment

Microsoft was, and is, being supported by almost all large American IT providers in this matter. This is hardly surprising, given that studies have shown that the NSA scandal alone has led to billions of dollars in damages for the American IT industry. If the decision of the New York District Court should be upheld, Europeans' confidence in American IT providers, which is already known to be quite low, will be even more in jeopardy.

American IT providers have invested heavily in European data centers over the past few years. Many providers sell their services (particularly in the area of cloud computing) with the guarantee that the data will be stored solely in Europe and in accordance with the European rules of data protection - a commitment that US companies will hardly be able to keep following the New York District Court’s decision. It is therefore not surprising that Microsoft is so rigorously fighting this judgment: "The US government doesn’t have the power to search a home in another country, nor should it have the power to search the content of email stored overseas". In contrast, the US government argues that the case involves facts that are to be evaluated under US law alone.

For users of data services, the judgment means that the security of their data is not guaranteed to the extent that they may expect. This is particularly true of personal data, which is afforded special protection under the German Federal Data Protection Act (Bundesdatenschutzgesetz). Some data protection experts therefore believe that the US decision confirms their opinion that it is not legally permissible to entrust personal data of customers to US service providers. With respect to other sensitive data, too, companies should evaluate carefully whether its security is sufficiently guaranteed.

Ironically, the main argument against the decision of the New York District Court does not concern the personal rights of the affected individuals; instead, the concern is that other countries will also want to access data stored in the US, as a result of which US companies will be at a serious competitive disadvantage vis-à-vis foreign service providers. Some companies are therefore already calling for the US Congress to enact legislation on this matter.

The decision shows very clearly that more than just commercial aspects must be taken into consideration when deciding whether to entrust data to a service provider, and if so, to which one. Not only the capability and scope of the services offered by a provider need to be considered, but also issues of data security and protection.
