Recently, the U.S. Court of Appeals for the Second Circuit sided with Microsoft Corporation and global privacy advocates in the case of In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, No. 14-2985, 2006 WL 3770056 (July 14, 2016), by holding that the issuance of a warrant to obtain private emails stored on a Microsoft server in Dublin, Ireland, constituted an impermissible extraterritorial application of the Stored Communications Act, 18 U.S. Code §§ 2701 et seq. (“SCA”).
The Microsoft decision coincides with a rise of international tension over the data privacy interests of foreign customers of U.S. electronic communications providers. This tension was heightened by the Snowden revelations in 2013, sparking EU concerns about “unfettered” U.S. government surveillance, reaching a crescendo last October, when the Court of Justice of the EU, invalidated the fifteen year-old U.S.-EU Safe Harbor as not providing an “adequate” level of data protection. Thereafter, the U.S. and EU Commission rushed to develop a new EU-U.S. Privacy Shield Framework to replace Safe Harbor.
As some commentators have noted the Second Circuit’s ruling may incidentally help EU/U.S. data transfer mechanisms, including model contract clauses and the Privacy Shield program to survive this scrutiny. See Kenneth Withers, M. James Daley, and Taylor Hoffman, In Re Microsoft: U.S. Law Enforcement Not Entitled to Email Stored in Ireland (Aug. 28, 2016). While the Second Circuit’s ruling temporarily defused an explosive issue in EU/U.S. data protection relations, it left unresolved a number of practical issues regarding cross-border government investigations under the outdated SCA.
The Microsoft case concerned a warrant requested by U.S. law enforcement authorities, ordering U.S.-based Microsoft to disclose all email from a certain individual’s account, in connection with an ongoing drug investigation. Microsoft disclosed certain non-content account data stored in the U.S., but declined to produce the emails themselves, which were stored only in Dublin, Ireland, the data center closest to the country indicated on the account holder’s registration. Instead, Microsoft moved to quash the warrant as it applied to the email content, on the ground that it was an impermissible extraterritorial search and seizure. The United States District Court for the Southern District of New York denied Microsoft’s motion to quash, and held Microsoft in contempt for failure to comply with the warrant.
Microsoft appealed the contempt ruling to the Second Circuit. The crux of Microsoft’s argument was that the SCA does not expand the territorial limitations of traditional “warrants” and that the government’s authority does not extend beyond the United States-controlled areas. The government, on the other hand, argued that it was simply compelling disclosure of documents, regardless of how the instrument was labeled, and that its SCA warrant could be construed as a subpoena, which would require a recipient to produce information, regardless of where that information is located, so long as it was within the recipient’s “possession, custody, or control.”
The Second Circuit held that the SCA, enacted three decades ago as part of the broader Electronic Communications Privacy Act (the “ECPA”), did not contemplate extra-territorial application of its warrant provisions. Instead, the Second Circuit found that the focus of those provisions is protection of a user’s privacy interests. The Second Circuit held that the SCA does not authorize a U.S. court to issue and enforce an SCA warrant against a United States-based service provider for the contents of a customer’s electronic communications stored on servers located outside the United States.
In his concurring opinion, Judge Gerard Lynch expressed his skepticism that the mere location abroad of a server on which the service provider has chosen to store communications should be controlling, but agreed that this may be the default position to which a court must revert in the absence of guidance from Congress.
Our decision today is thus ultimately the application of a default rule of statutory interpretation to a statute that does not provide an explicit answer to the question before us. It does not purport to decide what the answer should be, let alone to impose constitutional limitations on the range of solutions Congress could consider.
[Lynch Op. 17-18]
Likewise, commenting on the win, Brad Smith, Microsoft’s President and Chief Legal Officer, indicated that the time has come for Congress and the executive branch to modernize the law in line with the current state of technology. Few would argue with this need. Indeed, some legislative changes are already in the works. For instance, the Email Privacy Act of 2016, H. R. 699, 114th Cong. § 3 (passed by House Apr. 27, 2016), would amend the ECPA to prohibit cloud-services providers from disclosing contents of communications of their customers without a traditional probable-cause warrant. In addition, one day after the appellate decision, the Obama administration released a legislative proposal intended to provide foreign governments with a streamlined MLAT process for requesting U.S. tech companies to share electronic content and conduct wiretaps for criminal investigations. This proposal, likewise, would require amendments to the ECPA.
U.S. companies doing business internationally and engaged in cross-border transfers should continue to closely monitor the upcoming legislative and judicial developments in this area.