A US judge has ordered Microsoft to hand over a customer’s emails – even though the data is held in a server based in Ireland.
The company had attempted to challenge the search warrant on the basis that the information was stored exclusively on computer servers outside the US, but the judge said warrants for online data were different to other warrants.
Microsoft previously said it planned to offer business and government clients control over where their data resided, following concerns about data privacy raised by whistleblower Edward Snowden’s leaks regarding US spying.
But the ruling potentially undermines that pledge.
The search warrant, which was issued to Microsoft by US authorities, sought information associated with a member of the public’s email account, including their name, credit card details and the contents of all messages.
Microsoft said it would continue to oppose the release of the Dublin-stored data.
“This is the first step toward getting this issue in front of courts that have the authority to correct the government’s longstanding views on the application of search warrants to content stored digitally outside the United States,” it said.
Judge James Francis in New York said that this was true for “traditional” warrants but not for those seeking online content, which are governed by federal law under the Stored Communications Act.
He said the warrant should be treated more like a subpoena for documents. Anyone issued with a subpoena by the US must provide the information sought, no matter where it was held, he said.
In a blog post, Microsoft’s deputy general counsel, David Howard, said: “A US prosecutor cannot obtain a US warrant to search someone’s home located in another country, just as another country’s prosecutor cannot obtain a court order in her home country to conduct a search in the United States.
“We think the same rules should apply in the online world, but the government disagrees.”
A new data-protection law, currently being drafted by the European Union, aims to make sure companies no longer share European citizens’ data with authorities of another country, unless explicitly allowed by EU law or an international treaty.