Second Circuit rules in Microsoft’s favor in regards to data sovereignty

Posted on by Norm Messenger

One of the biggest debates of the last few years when it comes to computing and information technology in general is data sovereignty. Who should have access to data when it’s stored in offshore data centers? What happens when the government – either the U.S. government or the governing body of wherever the data is stored – tries to retrieve this information?

It looks like we might finally have an answer to these questions, thanks to a recent ruling by the Second Circuit Court of Appeals in New York. In mid July, the Circuit ruled that the U.S. government can’t force tech companies to give public entities like the FBI or other federal authorities to their non-U.S. customers’ data when that data is stored on servers outside the country.

Background

In 2014, Microsoft appealed a warrant issued by the U.S. Department of Justice seeking information on some of its servers located in Ireland. The DOJ requested the information in order to assist with a potential drug trafficking case – but Microsoft didn’t want to simply hand over the info that was stored in the offshore data center.

Part of the issue at hand was that there were existing treaties that the FBI could have used to work with the Irish government to get the desired information. However, the U.S. agency didn’t go through the Irish government – it chose to deal with Microsoft itself, citing law enforcement efficiency as one of the main reasons.

“We conclude that Congress didn’t intend the [Stored Communications Act]’s warrant provisions to apply extraterritorially,” the decision stated. “The SCA warrant in this case may not lawfully be used to compel Microsoft to produce to the government the contents of a customer’s email account stored exclusively in Ireland.”

Essentially, the ruling made it so that the Stored Communications Act, which allows data to be retrieved via search warrant by the government when it’s on domestic servers, doesn’t apply to data held on servers located abroad. According to JD Supra Business Advisor, this decision is great news for proponents of internet privacy.

Data sovereignty is an important thing to consider.Data sovereignty is an important thing to consider.

What’s the big deal?

Why is this ruling important for global organizations? The idea of data sovereignty is that wherever data is stored, it should be subjected to the laws and regulations of the governing body of that specific country. However, cloud computing in all of its forms has disrupted the concept of data sovereignty because of the fact that data stored in one country could be accessed by parties based in another region. A different ruling on the SCA could have made doing business in other countries a little tricker for companies with global supply chains.

At Inspirage, we can help you find the right strategy for geo-locating data that best complies with your legal and business requirements. Contact us for more information today.

Norm Messenger | Key Contributor

Norm is the Chief Security Officer For Inspirage. He is also an experienced aerospace and defense professional with more than 30 years of experience in federal and commercial program management, integrated logistics support, IT systems development, financial management, and operations research. He has been a Solution Director for Oracle and Inspirage focusing on service lifecycle management and supply chain management solutions for large enterprise customers. Norm blogs on a variety of topics across these domains.