Has international data storage become a strategic choice following the Microsoft judgment?
Published on 22nd September 2016
A US court has recently ruled that Microsoft does not have to allow the US government access to personal data (in the form of a Microsoft Hotmail user’s emails) stored on an overseas server. The case is significant because it has provided US cloud service providers, which have invested heavily in setting up data centers in the EU, with greater legal certainty regarding access to data by US authorities. In refusing to hand over the data, Microsoft has publicly drawn a line in the sand, demonstrating to its European customers that it is prepared to challenge the US legislature in order to protect EU-based personal data and prevent its transfer to, or access by, the US government (the only exception to this perhaps being some cases related to criminal and terrorist investigations). Since the ruling Microsoft has also boosted its EU data center capacity by announcing that its first UK cloud computing data centers are up and running.
What happened?
In relation to a narcotics case, the US government sought access to e-mails from a personal email account held on a server in Ireland. Acting under the Stored Communications Act of 1986 (SCA), it obtained a warrant to gain access to the emails of a Microsoft customer held by Microsoft on a server in Dublin.
Microsoft refused to hand over the data, arguing that such a warrant should not apply to data held outside of the United States. The US government, however, argued that the physical location of the files was irrelevant, as Microsoft (as a US company) had full control over them.
Central to the case was the interpretation of the SCA in the context of international data storage. The SCA itself is part of the Electronic Communications Privacy Act (ECPA). The ECPA, being 30 years old, was (unsurprisingly) not drafted in a way which predicted the concept of data stored across multiple jurisdictions.
One of the key issues considered was whether US law should be applied internationally. According to the US Supreme Court, this should not take place unless Congress is clear during its development and enactment that any such law should apply beyond America’s borders. Microsoft argued that applying US search warrants outside the United States would set a dangerous precedent, and generate a “global free-for-all” in the use of such warrants which would directly conflict with general data privacy principles.
The Second Circuit court agreed with Microsoft, holding that the SCA was not drafted in a way which envisaged searches taking place outside its borders, and there was no evidence to demonstrate that international application had been anticipated by Congress in the SCA. It is worth noting, however, that the judge here also argued strongly that the SCA needs to be updated in order to take into account developments in relation to the storage of electronic personal data. It remains to be seen whether the decision will be appealed to the Supreme Court.
Interestingly, the case turned on where the data was actually stored – a decision which was not taken by the Microsoft Hotmail user but by Microsoft itself as part of its international technology infrastructure (i.e. there was no active decision by the Hotmail account owner to store data outside of the US). It is also interesting that the judge noted that there was nothing in the record to indicate whether the owner of the e-mails being sought by the U.S. government was a U.S. citizen or resident. By its nature, cloud storage means that the location of data storage is often largely irrelevant from a consumer perspective, although in this case the physical location of Microsoft’s server was pivotal in the decision to uphold its argument. Indeed, the nature of contemporary data storage means that often different pieces of related data can be held in multiple jurisdictions, rather than on one server rack in a single country.
For now, the case seems to strengthen the position of those technology companies wishing to store personal data across multiple jurisdictions and offer their customers relative confidence about the privacy of their information. However, it does not completely rule out access through other well-established, but more stringent and specific routes, such as international mutual legal assistance treaties, which are applicable in limited circumstances.
What about government access to data?
As well as providing US cloud service providers, which have their servers outside of the US, with greater legal certainty regarding the data protection law compliance of their services offered in the EU, this judgment could pose a serious question as to the relevance of the levels of data protection in the US in cases where data is stored on EU servers, as the US government may no longer have access to data stored on servers outside of the US. Many cloud service providers (such as Amazon Web Services) now offer users the option to choose where their data is stored. If the rationale of the judgment is followed and a user consciously opted to store their data on an EU server, the US government would no longer have access to that data (as opposed to a situation where data was held on a US server), potentially creating a way to circumvent US government data access.
The bigger picture
This case also comes at a time when international data transfers and data privacy rules are under even more scrutiny as a result of the introduction of the EU-US Privacy Shield, challenges to EC-approved Model Clauses for transferring data to the U.S. and the introduction of the new EU General Data Protection Regulation (GDPR) in May 2018.
These recent regulatory changes are generally perceived to be a step in the right direction for data privacy law, and it may be that the US legislature will face increasing pressure to update US law (in the form of the SCA) at a time when EU regulation is undergoing significant overhaul. If this is the case, however, the challenge will be to ensure that any new legislation is flexible enough to remain relevant as technology continues to evolve at its seemingly exponential rate. As far as international data storage is concerned, until such change occurs the debate will continue and we will have to wait and see whether the Supreme Court will get to have the final say in the matter.