Second Circuit Eases Tension Between U.S. Discovery Requirements and EU Privacy Laws

Microsoft scored an important victory when the Second Circuit ruled that the government is not authorized to issue warrants for customer data stored overseas.  In re Warrant to Search a Certain E-mail Account Controlled & Maintained by Microsoft Corp. should offer a level of comfort for the cloud computing industry as a whole and for U.S. companies that have an international storage footprint.

Key Takeaways 

• This case limits the government’s right to access information stored internationally.
• If a company is issued a warrant, the key question is not where the warrant is executed, but where the data is stored.  The government cannot compel companies to produce data if the data sought is stored completely on foreign soil.
• This ruling should also reduce the apprehension some EU residents have regarding U.S. companies’ ability to protect their data.
• This case eliminates a situation where companies would have to choose between complying with EU law or cooperating with the U.S. government.  Prior to this decision, it would be very difficult for a company receiving a warrant for data stored in the EU to comply with U.S. and EU law. 

It is unclear what the ultimate outcome will be.  The Second Circuit did not address how this ruling would apply to an SCA subpoena served with the requisite notices.  In his concurrence, Judge Gerard Lynch noted that U.S. online privacy laws implemented in 1986 are woefully inadequate to address the issues of today and urged Congress to take action on modernizing U.S. data protection statutes.

The government will likely seek an en banc hearing or appeal to the Supreme Court.  Companies should continue to monitor developments in this area going forward.

Chris Koa, James Mason and the Data Privacy & Security team at Dorsey & Whitney would be delighted to discuss implications for your company.