Privacy advocates, especially those outside the U.S., can rest a little easier now. A federal court has rebuked the U.S. government’s attempt to access emails stored on a Microsoft server in Ireland.
But the legal battle may be far from over. Thursday’s ruling could affect how the U.S. conducts surveillance over suspected criminals and terrorists overseas, so expect the government to appeal, said Roy Hadley, a lawyer at Thompson Hine who studies cybersecurity issues.
“There’s a fine line between privacy and national security,” he said. “And it’s a difficult line to walk.”
So far, the U.S. Department of Justice is remaining mum on what it might do. “We are disappointed with the court’s decision and are considering our options,” the department said on Thursday, without elaborating.
Hadley thinks the government will probably appeal the decision to another circuit court or the Supreme Court. It might also explore other legal means to force Microsoft to quickly hand over the emails.
“The U.S. government will always try to be in a position to gain access to that data,” he said.
Thursday’s ruling deals with a case that goes back to December 2013, when the U.S. government obtained a search warrant for emails belonging to Microsoft user who was under investigation. The subject’s identity hasn’t been revealed, but some news reports have said it was not a U.S. citizen.
The emails reside on a Microsoft server in Ireland. Microsoft objected to the search warrant and argued that the U.S. had no authority to conduct email searches in other countries.
On Thursday, Microsoft hailed the ruling as a win for privacy rights and said dozens of other tech and media companies have supported its legal battle.
The court’s decision “ensures that people’s privacy rights are protected by the laws of their own countries,” Microsoft said in a statement.
Craig Newman, a privacy attorney at Patterson Belknap Webb & Tyler, said the tech industry is no doubt breathing a sigh of relief. Many U.S. companies, including Microsoft, have data centers around the world and serve millions of foreign customers.
Handing over any of their data to U.S. authorities could violate the privacy laws of those countries and hurt business for the companies that store it, he said.
“The tech companies have really been put in an uncomfortable position,” he said.
Part of the problem is that some U.S. privacy laws may be outdated. At the center of Microsoft’s legal battle has been the Stored Communications Act, which the U.S. government argued gave it the authority to use a warrant to collect the emails.
The judges who ruled Thursday didn’t agree. The law was enacted in 1986, long before the mainstream Internet or any remote computing, wrote judge Gerard Lynch.
To avoid these legal disputes with the tech industry, Congress should modernize laws on data privacy and clearly define them, Newman said.
“You’re dealing with analog rules in a world that has totally changed,” he said. “Congress needs to roll up their sleeves and figure out the right balance.”