Microsoft 'must release' data held on Dublin server
A judge in the US has ordered Microsoft to hand over a customer's emails, even though the data is held in Ireland.
The company had attempted to challenge the search warrant on the basis that the information was stored exclusively on computer servers outside the US.
Microsoft previously said it planned to offer business and government clients control over where their data resided.
This followed concerns about data privacy raised by whistleblower Edward Snowden's leaks about US spying.
But the ruling potentially undermines that pledge.
The judge said warrants for online data were different to other warrants.
The search warrant, which was issued to Microsoft by US authorities, sought information associated with a member of the public's email account including their name, credit card details and contents of all messages.
Microsoft said it would continue to oppose the release of the Dublin-stored data.
"This is the first step toward getting this issue in front of courts that have the authority to correct the government's longstanding views on the application of search warrants to content stored digitally outside the United States," it said.'Government disagrees'
Judge James Francis in New York said that this was true for "traditional" warrants but not for those seeking online content, which are governed by federal law under the Stored Communications Act.
He said the warrant should be treated more like a subpoena for documents. Anyone issued with a subpoena by the US must provide the information sought, no matter where it was held, he said.
Law enforcement efforts would be seriously impeded and the burden on the government would be substantial if they had to co-ordinate with foreign governments to obtain this sort of information from internet service providers such as Microsoft and Google, Judge Francis said.
In a blog post, Microsoft's deputy general counsel, David Howard, said: "A US prosecutor cannot obtain a US warrant to search someone's home located in another country, just as another country's prosecutor cannot obtain a court order in her home country to conduct a search in the United States.
"We think the same rules should apply in the online world, but the government disagrees."
A new data-protection law, currently being drafted by the European Union, aims to make sure companies no longer share European citizens' data with authorities of another country, unless explicitly allowed by EU law or an international treaty.
In response to the ruling in the US, Mina Andreeva, European Commission spokeswoman for justice, fundamental rights and citizenship, told the BBC: "The commission's position is that this data should not be directly accessed by or transferred to US law enforcement authorities outside formal channels of co-operation, such as the mutual legal assistance agreements or sectoral EU-US agreements authorising such transfers.
"Access by other means should be excluded, unless it takes place in clearly defined, exceptional and judicially reviewable situations."
Ms Andreeva also said that "the European Parliament reinforced the principle that companies operating on the European market need to respect the European data protection rules - even if they are located in the US."
Earlier this year German Chancellor Angela Merkel proposed building up a European communications network to help improve data protection and avoid emails and other data automatically passing through the United States.
Both of these actions were prompted by allegations of mass surveillance by the US National Security Agency.
Microsoft is hoping for a review of the decision from a federal district judge.