The US government has vigorously argued otherwise. During an investigation of a drug case, in December 2013 the government had pressed Microsoft to turn over emails stored in the Irish server. Microsoft refused, claiming the government had no power to ask for data stored in another country and well outside of its jurisdiction. In April 2014, a federal judge ordered Microsoft to cough up those records. Microsoft again refused and was found in contempt of court. The case has been sitting in the Second Circuit ever since.
Thursday's ruling tempers government reach and will have important implications for privacy.
“The ruling is a striking victory for privacy over the threat of government access and overreach,” Omer Tene, vice president of research and education at at the International Association of Privacy Professionals (IAPP), told SC via email. “It recognises that national borders exist even in cyber-space and the cloud. It places an emphasis on the location of data and servers in deciding which legal regime applies.”
The Second Circuit Court's ruling comes just days after the EU-US Privacy Shield was approved by the 28 members of the EU and the European Commission (EC).
Privacy Shield had hit some glitches on its way to approval as European privacy advocates and regulators expressed concern that it didn't adequately address the chief issue that got its predecessor, Safe Harbour, tossed by a European Court of Justice – mass surveillance of private citizens.
“The [Second Circuit] decision limits the power of the [US government] to access data stored in Europe,” said Tene. Although it doesn't address bulk data collection for national security reasons, the core concern of privacy advocates and regulators in Europe, both Tene and Falcone noted, the ruling will likely be referenced going forward.
“It will definitely figure in judicial challenges to Privacy Shield, though I'm not sure it will make a difference at the end of the day in a European court,” said Tene.
The Justice Department has had little success recently in its attempts to cajole customer data from tech companies. Two cases against Apple for access into locked iPhones ended with third parties coming forward to help the government get what it needed.
It is unclear at the time of writing whether the Justice Department will challenge the ruling, but law enforcement officials have bristled before at efforts by tech companies to spurn their data requests, contending that it would hamper their investigations. What Thursday's ruling means for national security depends on how the relationship between the two factions evolves.
“For national security, we will have to see how tech companies cooperate with law enforcement moving forward,” said Schwartz. “There has been an effort to build US-UK relations that should help in a case like this, but law enforcement will need to come to the table to work with companies to come up with a broader agreement.”
While the Second Circuit's decision puts a finer point on privacy, it may face challenges in the future.
“I don't know if this is the last word,” said Falcone.