Nick Rich considers one aspect of the recent controversial ruling affecting Microsoft servers in Dublin and suggests an approach to deal with it
The story so far
On 4 December 2013 the Hon James C. Francis IV, Magistrate Judge in the State District of New York, signed a search warrant for the seizure of e-mails and other records in a particular MSN e-mail account.
This e-mail account was stored on servers located in a data centre in Dublin, Ireland. The data centre was owned and operated by a local Microsoft subsidiary, which Microsoft's general counsel argued, in an article in the Wall Street Journal, put it out of reach of a US search warrant.
On 25 April 2014, the Magistrate published an opinion denying Microsoft's motion to quash the warrant. Then on 31 July, Chief US District Judge Loretta Preska ruled against Microsoft's appeal, finding that the location of the e-mail data was not relevant as Microsoft 'controlled it' from the USA. She did, however, stay execution of the order pending Microsoft's appeal to the Second Circuit. In her view, e-mails stored by Microsoft customers or users on Microsoft servers constitute Microsoft business records. On 29 August, Judge Preska lifted the stay of execution of the July order. Microsoft has said it will not comply with the order and will continue its appeal to the 2nd US Circuit Court of Appeals, maintaining the view set out in a statement issued by Brad Smith immediately after the July ruling. The case is therefore ongoing.
Potential impact of the decision
If this ruling stands up to the appeals procedure, the US government will have successfully asserted its right to obtain, by subpoena or warrant, information created and stored outside the USA, where such information is stored on servers belonging to US corporations. It follows that European corporations whose data is stored on Microsoft's cloud within European data centres could see that data become subject to investigation by US authorities without recourse to existing agreements between the US government and European sovereign governments.
This potential breach of data privacy/protection in the EU has huge implications:
· it could preclude European companies from keeping data on servers operated or owned by US based entities such servers, compelling potentially costly data migrations
· data left on such servers could be transferred to the US and used in US-based investigations, which could impose substantial legal costs on corporations as they are required to respond – and they could also incur fines for breach of EU laws
· fines arising from such investigations could cause significant financial and reputational damage to corporations.
How can UK/European in-house counsel mitigate the risk?
Understand your data and know where and how it is stored. Your data should arguably already be incorporated into a litigation/investigation readiness programme. To the extent that it isn't, consider the following questions:
· Is there a full report (data map) of what data is stored in Europe on servers belonging to US-based cloud providers?
· Is there a process defined and implemented to keep the data map up to date?
· Do the contracts in place with US-based cloud providers stipulate that the data must not move to the USA in the ordinary course of events? Have you been advised that this is enough to avoid US judicial enforcement?
· Is this data subject to the retention and disposition policies that have been agreed to within your organisation? Is there a process in place for deleting redundant data?
· Is there a plan in place for migrating the data rapidly should this become necessary?
If, at a minimum, these questions cannot all be answered affirmatively, a corporation could be at risk of seeing its data seized by US authorities in the context of an investigation.
While Microsoft's appeals process may take months, be aware that its conclusion may have far-reaching consequences for European entities with data stored by US cloud providers. Regardless of the case outcome, savvy legal practitioners should consider creating an action plan to meet these requirements as it is much better to have a plan than run the risks that arise from not having one.
Nick Rich is Lead Solutions Advisor at Epiq Systems
 (13 MAG 2814)