BETA
This is a BETA experience. You may opt-out by clicking here

More From Forbes

Edit Story

US Judge Insists Microsoft Break EU Law To Obey US Law Over Email In Ireland

This article is more than 9 years old.

Microsoft seems to have got itself involved at the start of an awful lot of legal pain here. A US judge has agreed that Microsoft should release under a US search warrant an email that is being stored on servers in Ireland. Yet European Union (and thus Irish) law on such matters says that only a court local to that jurisdiction can make such a decision. This is thus another example of the tendency of US law to try to apply itself extraterritorially, outside the actual physical jurisdiction of the US. And it's not really all that easy to see which way the case is going to go in the end:

Microsoft Corp must turn over a customer's emails and other account information stored in a data center in Ireland to the U.S. government, a judge ruled on Thursday, in a case that has drawn concern from privacy groups and major technology companies.

Microsoft and other U.S. companies had challenged the warrant, arguing it improperly extended the authority of federal prosecutors to seize customer information held in foreign countries.

Following a two-hour court hearing in New York, U.S. District Judge Loretta Preska said a search warrant approved by a federal magistrate judge required the company to hand over any data it controlled, regardless of where it was stored.

"It is a question of control, not a question of the location of that information," Preska said.

That's the nub of the American legal position. Sure, the email might be outside the US but the ultimate controlling company is inside the US so must submit to US law. But there's the other side of this very same point too:

New proposals set to come into force following extensive scrutiny and voting later this, or next year, will reform Europe's data protection laws. These proposals seek to prevent a European subsidiary of a parent company, such as in the US, from handing over data to a third-country for law enforcement or intelligence purposes.

European authorities have repeatedly said, regardless of where a EU-based company's parent is headquartered, that subsidiary must abide by European law.

Falling foul of that could result in a breach of European law, and therefore international law, EU Justice Commissioner Viviane Reding previously told ZDNet.

European Union law (and data protection is generally EU law, the individual nations simply encoding what is decided at that higher level) says that the law in the jurisdiction of where the information is takes priority. And thus it would need to be an Irish search warrant that made that email available to US prosecutors. All of which puts Microsoft in a very difficult position. If they obey the US order then they're in breach of EU law, if they stick to EU law then they're going to be in breach of this US order (for however long the order survives the appeals process).

And we do have a significant public policy problem here. Which is that the increasingly digital and global nature of the modern economy makes the traditional definitions of legal jurisdiction increasingly untenable. I've mentioned before that what is libelous depends upon which jurisdiction something is read in, not where it was produced nor where the producer or server is. And we can also see US law being slightly different in the BNP Paribas case.

There the US argued that a French bank breached US sanctions (on places like Sudan) by offering them banking services in US dollars. They did not say that dealing in US dollars for the Sudanese was in itself a crime: handling wodges of physical Benjamins would not have been a breach of sanctions. Rather, they argued that at some point ion the chain of transactions a US dollar bank transaction will be cleared through the US. Which is true and thus means that some part of the process happened on US soil. Well within the jurisdiction of the US legal system and so the bank was nicked, prosecuted and fined nearly $10 billion.

Here the US courts are going even further than that. The server is in Ireland, the email is in Ireland, no one at all is claiming that it has passed through the US or anything like it. But still legal jurisdiction is being claimed by the US over it. And as above, Microsoft has a problem here as to obey the US court order is to breach EU law.

At some point we're all going to have to get to grips with what this increased globalisation means for the traditional concepts of legal jurisdiction. Just as we're going to have to over the closely related problem of tax jurisdictions. The world's just changed since we set the parameters of the system as we currently operate it.