In 2013, the US government issued a warrant for emails stored on Microsoft's servers in Dublin, Ireland. Microsoft fought the order through every level of the US federal court system, arguing that American law did not reach data stored on foreign soil. Before the Supreme Court could rule, Congress passed the CLOUD Act — rendering the case moot but confirming that US jurisdiction follows the provider, not the data.
In December 2013, a US magistrate judge in the Southern District of New York issued a search warrant under the Stored Communications Act (SCA), 18 U.S.C. Chapter 121, as part of a narcotics investigation. The warrant compelled Microsoft to produce the contents of an email account associated with a suspect. Microsoft complied with the portions of the warrant requesting metadata stored in the United States, but refused to produce the email content itself, which was stored on servers in Microsoft's data centre in Dublin, Ireland.
Microsoft's position was straightforward: the SCA is a domestic statute that does not contain any express authorisation for extraterritorial application. Under the Supreme Court's Morrison v. National Australia Bank (2010) presumption against extraterritoriality, a federal statute should not be interpreted to apply outside US territory unless Congress clearly expressed that intent. Since the emails were stored in Ireland and the SCA said nothing about overseas data, the warrant could not compel their production.
The US government argued that the warrant was not "extraterritorial" at all. Because Microsoft — a US company — could access and retrieve the Dublin-stored data from its headquarters in Redmond, Washington, the government contended that compliance would occur domestically, regardless of where the data physically sat. This framing treated the location of the data as irrelevant, focusing instead on the location and nationality of the provider.
After losing at the magistrate and district court levels, Microsoft appealed to the United States Court of Appeals for the Second Circuit. On 14 July 2016, a three-judge panel ruled in Microsoft's favour in In re Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp., 829 F.3d 197 (2d Cir. 2016). The court held that the SCA warrant was, in substance, a hybrid between a traditional warrant and a subpoena, and that applying it to data stored overseas constituted an impermissible extraterritorial application of the statute.
The ruling was significant beyond its immediate facts. It meant that — at least within the Second Circuit — US law enforcement could not use SCA warrants to compel US providers to produce customer content stored in foreign countries. The government would need to use Mutual Legal Assistance Treaties (MLATs) or other diplomatic channels to obtain such data, a process that could take months or years.
The decision was celebrated by privacy advocates and foreign governments alike. The European Commission, several EU Member States, and digital rights organisations including the Electronic Frontier Foundation filed amicus briefs supporting Microsoft's position. Ireland's government submitted a brief emphasising that the warrant impinged on Irish sovereignty, as the data was located within Irish territory and subject to Irish and EU data-protection law.
The US government petitioned the Supreme Court for review. The Court granted certiorari and heard oral arguments on 27 February 2018 in United States v. Microsoft Corporation (No. 17-2). The case attracted enormous attention — 23 amicus briefs were filed, from technology companies, foreign governments, law enforcement organisations, and civil liberties groups.
But the case never received a ruling. While the Supreme Court was deliberating, Congress acted. The CLOUD Act (H.R. 4943) was introduced in the Senate on 6 February 2018 and was enacted on 23 March 2018 as a rider attached to the Consolidated Appropriations Act. The Act amended the SCA to explicitly state that providers must comply with legal process "regardless of whether such communication, record, or other information is located within or outside of the United States."
Following the CLOUD Act's passage, the Department of Justice obtained a new warrant under the amended statute. On 17 April 2018, the Supreme Court vacated the Second Circuit's judgment and remanded the case as moot. Microsoft's years-long legal battle had achieved a pyrrhic outcome: while it won in court, the legislative response ensured that US jurisdiction now explicitly reached overseas data held by US providers.
The Microsoft Ireland case carries several enduring lessons for European organisations evaluating cloud infrastructure:
The case was a pivotal moment in the European digital sovereignty debate. It demonstrated, in concrete and public terms, that data stored in Europe by a US company is reachable by US law. For the European public sector, critical infrastructure operators, and regulated industries, this reality has made the choice of provider nationality — not just provider capability — a first-order procurement consideration.
In 2013, the US government issued a warrant requiring Microsoft to hand over emails stored on its servers in Dublin, Ireland. Microsoft challenged the order through US federal courts, arguing that American warrants should not reach data stored abroad. The case became moot when Congress passed the CLOUD Act in 2018.
Yes, but not in Europe's favour. The CLOUD Act explicitly authorised US law enforcement to compel US companies to produce data stored anywhere in the world, confirming that US jurisdiction follows the provider, not the physical location of the data.
No. The Microsoft Ireland case and subsequent CLOUD Act confirmed that storing data in European data centres does not protect it from US government access if the provider is a US company. Only using providers with no US legal nexus provides jurisdictional protection.