"The US employee wouldn't be breaking any US law if they complied but might be breaking US law if they refused."
Consider that employee's liability under Irish law. I expect Ireland has legislation broadly similar to the UK Computer Misuse Act. A US-based employee accessing a server on Irish soil to commit an act illegal in Ireland might well be guilty of breaking such a law even if the server is ultimately owned by his employer under whose instructions he does this. If so then Ireland ought to be able to expect that employee to be extradited in exactly the same way that the US expects European citizens to be extradited for hacking US computers.
There are all sorts of other fun possibilities coming down the line. If this case runs out until GDPR becomes operative anyone who suspects that they might be the data subject, or anyone else whose email is held by Microsoft in the EU can invoke their "right to be forgotten". As the US have neglected to put in an official request to Ireland (and assuming they continue to do so) then I can't see how the various exclusions in the GDPR can come into play and Microsoft would be obliged to comply. Although the terms of the regulations don't oblige them to delete the data from backups I also can't see how they'd be able to legally restore them. There would also be the situation that Microsoft could be penalised under GDPR at up to 4% of global turnover if they complied with the US courts.
Biting the hand that feeds IT
