Microsoft Can Collect and Bring Data Stored on Any of Its Servers Globally Into the US

BACKGROUND - I. Microsoft’s Web‐Based E‐mail Service

The factual setting in which this dispute arose is largely undisputed and is established primarily by affidavits submitted by or on behalf of the parties.

Microsoft Corporation is a United States business incorporated and headquartered in Washington State.  Since 1997, Microsoft has operated a “web‐based e‐mail” service available for public use without charge. Joint Appendix (“J.A.”) at 35.  It calls the most recent iteration of this service Outlook.com.[1]  The service allows Microsoft customers to send and receive correspondence using e‐mail accounts hosted by the company.  In a protocol now broadly familiar to the ordinary citizen, a customer uses a computer to navigate to the Outlook.com web address, and there, after logging in with username and password, conducts correspondence electronically.

Microsoft explains that, when it provides customers with web‐based access to e‐mail accounts, it stores the contents of each user’s e‐mails, along with a variety of non‐content information related to the account and to the account’s e‐mail traffic, on a network of servers.[2]  The company’s servers are housed in datacenters operated by it and its subsidiaries.[3]

Microsoft currently makes “enterprise cloud service offerings” available to customers in over 100 countries through Microsoft’s “public cloud.”[4]  The service offerings are “segmented into regions, and most customer data (e.g. email, calendar entries, and documents) is generally contained entirely within one or more data centers in the region in which the customer is located.” J.A. at 109.  Microsoft generally stores a customer’s e‐mail information and content at datacenters located near the physical location identified by the user as its own when subscribing to the service.  Microsoft does so, it explains, “in part to reduce ‘network latency’” [5]—i.e., delay—inherent in web‐based computing services and thereby to improve the user’s experience of its service.  J.A. at 36–37.  As of 2014, Microsoft “manage[d] over one million server computers in [its] datacenters worldwide, in over 100 discrete leased and owned datacenter facilities, spread over 40 countries.” Id. at 109. These facilities, it avers, “host more than 200 online services, used by over 1 billion customers and over 20 million businesses worldwide.”  Id. at 109.

One of Microsoft’s datacenters is located in Dublin, Ireland, where it is operated by a wholly owned Microsoft subsidiary. According to Microsoft, when its system automatically determines, “based on [the user’s] country code,” that storage for an e‐mail account “should be migrated to the Dublin datacenter,” it transfers the data associated with the account to that location.  Id. at 37.  Before making the transfer, it does not verify user identity or location; it simply takes the user‐provided information at face value, and its systems migrate the data according to company protocol.

Under practices in place at the time of these proceedings, once the transfer is complete, Microsoft deletes from its U.S.‐based servers “all content and non‐content information associated with the account in the United States,” retaining only three data sets in its U.S. facilities.  Id. at 37.  First, Microsoft stores some non‐content e‐mail information in a U.S.‐located “data warehouse” that it operates “for testing and quality control purposes.”  Id.  Second, it may store some information about the user’s online address book in a central “address book clearing house” that it maintains in the United States.  Third, it may store some basic account information, including the user’s name and country, in a U.S.‐sited database.  Id. at 37–38.

Microsoft asserts that, after the migration is complete, the “only way to access” user data stored in Dublin and associated with one of its customer’s web‐based e‐mail accounts is “from the Dublin datacenter.” Id. at 37.  Although the assertion might be read to imply that a Microsoft employee must be physically present in Ireland to access the user data stored there, this is not so.  Microsoft acknowledges that, by using a database management program that can be accessed at some of its offices in the United States, it can “collect” account data that is stored on any of its servers globally and bring that data into the United States.  Id. at 39–40.

[1] The company inaugurated Outlook.com in 2013 as a successor to Microsoft’s earlier Hotmail.com and MSN.com services.

[2] A “server” is “a shared computer on a network that provides services to clients. . . . An Internet‐connected web server is [a] common example of a server. ” Harry Newton & Steve Schoen, Newton’s Telecom Dictionary 1084 (28th ed. 2014) (“Newton’s Telecom Dictionary”).

[3] A “datacenter” is “[a] centralized location where computing resources (e.g. host computers, servers, peripherals, applications, databases, and network access) critical to an organization are maintained in a highly controlled physical environment (temperature, humidity, etc.).”

Newton’s Telecom Dictionary at 373.

[4] The Supreme Court has recently described “[c]loud computing” as “the capacity of Internet‐ connected devices to display data stored on remote servers rather than on the device itself.” Riley v. California, 134 S. Ct. 2473, 2491 (2014).

[5] Microsoft explains network latency as “the principle of network architecture that the greater the geographical distance between a user and the datacenter where the user’s data is stored, the slower the service.” J.A. at 36.