Microsoft does not have to release emails to U.S. authorities that are stored on EU servers


According to the January 24, 2017 order of the U.S. Court of Appeals for the Second Circuit in Manhattan, 14-2985, Microsoft Corp. v. United States (available online at, technology company Microsoft does not need to grant U.S. authorities access to email and user data stored abroad.

This upholds a July 14, 2016 judgment, which had already been considered an important milestone in defending the privacy rights of European cloud customers and U.S. providers of cloud services. Originally, a U.S. authority, referring to Section 2703(a) of the U.S. Electronic Communications Privacy Act (ECPA), had requested access to emails of a suspected drug trafficker who maintained an email account at Microsoft. In 2013, Microsoft had already denied the request for data access on grounds that the data was stored on a server in Ireland rather than in the U.S. The U.S. government as complainant had argued, however, that Microsoft continued to have access to the contents, which consequently had to be considered as remaining in the U.S.. The court ruled in favor of Microsoft.

The recently discussed “Executive Order: Enhancing Public Safety in the Interior of the United States Sec. 14. Privacy Act”, according to which personal data from non-U.S. citizens are not subject to the protection of the U.S. Privacy Act of 1974, does not trigger any re-evaluation of cloud offerings, either. As the European Commission confirmed in an email, this law has no relevance to the protection of EU citizens' privacy, since the matter is governed by the EU-US Privacy Shield, which entered into force at the beginning of 2016.


It is still recommended for European cloud computing customers to select established providers, which recognize and defend the protection of personal data, thus significantly reducing the risk of unauthorized access to their personal data by intelligence services. In terms of liability, compliance with the current general conditions of cross-border data transfer (EU standard contractual clauses, Privacy Shield) is always required.

Subject fields