Skip to Content

U.S. Warrants for Overseas Data Trample Foreign Privacy Laws

Microsoft’s failed efforts to resist a U.S. warrant for data stored in Ireland show how American law enforcement policies conflict with foreign privacy laws.

U.S. Internet companies, and indeed all multinationals with a presence in the United States, appear to be trapped between the data access requirements of U.S. law enforcement agencies and foreign privacy laws.

Microsoft is involved in ongoing litigation against a search warrant issued in December 2013 by a U.S. magistrate, authorizing the search and seizure of e-mail accounts hosted by Microsoft. The company objected to the warrant with regard to data stored at its data center in Ireland, claiming that U.S. courts are not authorized to issue warrants for extraterritorial searches. Microsoft also argued that if it turned over data stored abroad to the U.S. government, it would be more difficult for the company to resist requests by foreign governments for data stored in the U.S. But on April 25, the magistrate judge who issued the warrant found in favor of the government. On July 28, Judge Loretta A. Preska of the U.S. District Court for the Southern District of New York affirmed that decision.

These two decisions turned on the question of whether the search warrant constitutes an extraterritorial search and seizure. Microsoft argues that it does, since it directs the company to produce information stored outside the United States. The government’s argument is that because Microsoft is subject to U.S. jurisdiction, it must turn over data it controls regardless of where the data is stored.

This may be the first case in which a company has formally opposed a U.S. search warrant concerning data stored abroad. But it is not surprising that other major companies (like Apple, AT&T, and Verizon) have publicly supported Microsoft’s position. The revelations of Edward Snowden have put them all under increasing pressure to resist U.S. requests for data access. The disclosures have also intensified their awareness of conflicts between foreign privacy legislation and the demands of U.S. law enforcement.

Dozens of countries around the world grant broad privacy protection to data processed for commercial purposes (the U.S. is one of the few that do not). They generally do not allow data to be transferred to foreign authorities without the approval of local regulators.

U.S. companies have already begun losing business with foreign customers because they are subject to U.S. data access requests. (For example, in June the German government cancelled a contract with Verizon for Internet services). Many more companies have a commercial incentive to contest these cross-border requests for data. The issues raised in the Microsoft case are relevant to all companies subject to U.S. jurisdiction, not just those in the Internet sector—including companies based abroad but active in the U.S. market.

Microsoft has stated that it will appeal Judge Preska’s decision, and sources in the U.S. legal community tell me that the case could eventually go all the way to the U.S. Supreme Court. But while Microsoft’s argument that the case has major policy implications is compelling, the U.S. government’s position may be difficult to overcome under the current state of the law.

What is disappointing about the discussion in this case so far is that it concentrates on the respective interests of companies and law enforcement. The privacy expectations of the Internet users whose data may be accessed have received little attention.

The best way to resolve this conflict would be to make changes to U.S. legislation that balance the interests of companies and law enforcement while taking the privacy expectations of individuals into account. However, the current gridlock in Washington seems to make that impossible. An international treaty being negotiated between the United States and the E.U., known as the “Umbrella Agreement,” might provide some relief by establishing formal rules about data sharing. But its final form and completion date remain unclear. I fear that the tension between the requirements of U.S. law enforcement and foreign privacy laws will get worse before it gets better. And the privacy of individuals whose data is held by companies with a U.S. presence will remain largely unconsidered.

Christopher Kuner is senior privacy counsel with Wilson Sonsini Goodrich & Rosati in Brussels and associate professor of data protection law at the University of Copenhagen.

Keep Reading

Most Popular

This new data poisoning tool lets artists fight back against generative AI

The tool, called Nightshade, messes up training data in ways that could cause serious damage to image-generating AI models. 

Rogue superintelligence and merging with machines: Inside the mind of OpenAI’s chief scientist

An exclusive conversation with Ilya Sutskever on his fears for the future of AI and why they’ve made him change the focus of his life’s work.

The Biggest Questions: What is death?

New neuroscience is challenging our understanding of the dying process—bringing opportunities for the living.

Driving companywide efficiencies with AI

Advanced AI and ML capabilities revolutionize how administrative and operations tasks are done.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at with a list of newsletters you’d like to receive.