The ruling Tuesday by the Court of Justice of the European Union declared invalid a “safe harbor” agreement that governs data transfers between the U.S. and the European Union as U.S. law and the actions of the country's government "inadequately respect European 'fundamental rights' of personal data privacy," Microsoft's lawyer E. Joshua Rosenkranz brought to the notice of the U.S. Court of Appeals for the Second Circuit.
"This opinion could subject U.S. companies to charges of violating European law any time they transfer personal data to the U.S., especially when U.S. law-enforcement agencies instigate the transfer," the Microsoft counsel wrote in a letter to the court clerk.
A dispute between Microsoft and the U.S. government over turning over emails stored in a data center in Ireland came up for oral arguments last month in the appeals court in New York.
The government has a warrant for access to emails held by Microsoft of a person involved in an investigation, but the company holds that nowhere did the U.S. Congress say that the Electronics Communications Privacy Act "should reach private emails stored on provider's computers in foreign countries." In response to the search warrant, Microsoft provided non-content information held on its U.S. servers but tried to quash the warrant when it concluded that the account was hosted in Dublin and the content was also stored there.
Lower courts have disagreed with Microsoft's point of view, hence the appeal to the Second Circuit. U.S. Magistrate Judge James C. Francis IV of the U.S. District Court for the Southern District of New York held that warrant under the Stored Communications Act, a part of the ECPA, was "a hybrid: part search warrant and part subpoena," as it is executed like a subpoena in that it is served on the Internet service provider, who is required to provide the information from its servers wherever located, but does not involve government officials entering the premises.
Microsoft has favored an inter-governmental resolution to the U.S. demand for access to the emails in Dublin, through the use of "mutual legal assistance" treaties the U.S. has with other countries including Ireland. The U.S. has held that the procedure takes time, even though Ireland volunteered to consider a request under the treaty. The company has also asked for Congress to take a decision on whether warrants under the ECPA can be executed abroad.
The European Court's decision "underscores that the subject of cross- border data transfers is fraught and easily gives rise to international discord," according to the filing Tuesday. "Accordingly, Congress must be permitted to decide whether the benefits to U.S. federal, state, and local law enforcement of extending ECPA abroad outweighs the risks to U.S. industry and U.S.-EU relations," it added.
The filing also brings to the notice of the court that Congress is considering those costs and benefits. At a Senate Judiciary Committee hearing on Sept. 16 on “Reforming the Electronic Communications Privacy Act,” senators questioned government officials on the risks involved in seizing communications from servers overseas, according to the filing.