In a remarkable decision addressing the reach of search warrants aimed at personal data stored by a third party in the cloud, a court ruled last week that an internet service provider (“ISP”) can be compelled to produce personal information located outside of the U.S. The decision by Magistrate Judge James Francis (S.D.N.Y.) denied Microsoft Corporation’s motion to quash a warrant requiring production of customer email content and related data stored on a server located in Dublin, Ireland. If adopted by other courts, the ruling could have far-reaching implications not only in the context of overseas cloud storage, but the privacy of personal data stored on third- party servers generally.
The specific issue addressed by the court concerns application of the infamously antiquated Stored Communications Act (“SCA”) of 1986, which allows the U.S. government to obtain information by subpoena, court order, or warrant from third parties such as ISPs. On December 4, 2013, the court approved the government’s request for a SCA search warrant to Microsoft seeking virtually all content and data associated with a particular email account. Microsoft produced all relevant information stored on its domestic servers, but moved to quash the warrant to the extent it sought information stored at its datacenter located in Dublin, arguing that U.S. courts are not authorized to issue extraterritorial search warrants. Notably, it is not clear from the decision whether the owner of the subject email account is a U.S. resident.