I don't get it. Why don't they just drop the clause that they exercised in their privacy policy such that they need a real court order to get at the data just like any external email address?
I'm having trouble even conceiving of how you could structure that. You can't sue yourself, so to even make the case arguable in the US, you'd have to set up the contract such that Microsoft would initiate legal process against the customer, requesting a declaratory judgement that they would not be liable for damages for searching the customer's data.
I don't think there's any case law on this, so the first thing the courts would have to do is figure out if they even have jurisdiction to handle such a novel claim. The answer to that could vary between different states' courts and between state and federal courts. (And might even vary between federal courts, since federal cases borrow a lot from state laws, both from the state they sit in, and from other relevant states, like the state in which an entity is incorporated, or the state a contract was executed in.)
(And even if you get past all that, you haven't actually stopped Microsoft from doing anything at all. They can still search your data without going to court in the first place if they're willing to risk being held liable for damages for breach of contract. Those damages would not likely amount to much.)
They searched the account of a French blogger, so that adds another layer of insane complications (I'd guess both France and EU would come down pretty hard on Microsoft, but for the wrong reasons)
If you read the Ars article [1], they specify in the second statement that "Courts do not issue orders authorizing someone to search themselves, since obviously no such order is needed."
