On 31 July, New York judge Loretta Preska ruled that a US search warrant demanding access to the European customer's email in relation to a drugs investigation was legal.
Microsoft appealed, in an effort to prove to customers it wants to preserve their privacy, after the damaging Snowden revelations showed US tech companies apparently helping the US secret service gain wide-scale access to their data.
Now, the European Commission (EC) has helped Microsoft's cause by telling the eWeek news wire that the court decision to disclose the data goes against Irish and European law. The Commission also says it has repeatedly raised its concerns about the case with the US Government.
An EC spokesperson confirmed to SCMagazineUK.com that the forthcoming EC data protection law will also support Microsoft's stance: “The European Commission has proposed a reform of EU data protection rules that will ensure that EU rules apply to all companies, even those not established in the EU, whenever they handle personal data of individuals in the EU. This principle has received strong backing both from the European Parliament and member states.”
The result, says cyber industry expert Alan Woodward, an adviser to Europol and visiting professor at Surrey University's Computing Department, is that the stage is set for a privacy legal fight that will leave high-tech firms caught in the crossfire between the US and Europe.
Woodward told SC: “There's going to be this battle of the jurisdictions basically - over whose court takes precedence. And it's difficult to see how it's going to be resolved. Every court is going to say it takes precedence and there's no international body to arbitrate on these things.
“What is slightly more concerning is that it's coming down to the big tech companies getting caught in the middle. In effect they're the ones that are going to decide, because they're going to decide which court to obey. And in many ways it's a no-win situation for them, because whichever court they listen to they'll end up upsetting the other one - and I think they'll end up getting fined by the other one.
“It's very difficult to see how it's going to be resolved and I don't think this is the last incident. I think we're going to see many more of these as we go forward.”
At Microsoft, chief lawyer Brad Smith has warned that the case directly impinges on the UK's recent DRIP (Data Retention and Investigatory Powers) law – saying that Judge Preska's ruling allows the US to snoop on customers overseas, just as DRIP allows the UK Government to snoop on American citizens.
Under DRIP, the UK security services can access metadata held by the internet service providers on all phone and IP calls, emails and social media interactions.
The EC wants the US to request any access to personal data through existing governmental ‘mutual assistance’ agreements, and leave the tech companies out of it.
Its spokesperson confirmed: “The case is an example of the complex legal issues faced by companies operating on both sides of the Atlantic. The Commission has raised this issue with the US Government on a number of occasions. The Commission remains of the view that where governments need to request personal data held by private companies and located in the EU, requests should not be directly addressed to the companies but should proceed via agreed formal channels of cooperation between public authorities, such as the mutual legal assistance agreements.”
The spokesperson told SC by email: “The European Union is currently negotiating a 'data protection umbrella agreement' with the US in order to protect personal data transferred between the EU and the US for law enforcement purposes and judicial co-operation.”