As this high profile case unwinds, we feel it is useful to stand back
and review its history and also look at the legislative proposals currently being
made in the US Congress which may impact on the efficacy of the decision in the
future.
Background
On 27 February 2018, the US Supreme Court heard arguments in United States v Microsoft Corporation, Case No. 17-2, in
which the Justices are wrestling with the question whether the US government
can force Microsoft to hand over a user’s email messages and other data that
are stored outside of the USA. The Justices appear to be divided, with some
seemingly inclined to allow the US authorities to obtain data in this manner,
while others are concerned that this question is not one to be determined by a
court but should instead wait until the US Congress has legislated on the
subject.
The key issue in the case
The issue at the heart of this case is whether Microsoft as a provider of email services must comply with a criminal search warrant issued by a magistrate judge under
the Stored Communications Act, 18 USC. § 2703 (the SCA), in a situation where
the warrant requires disclosure in the US of electronic communications that are
within Microsoft’s control but that Microsoft has chosen to store outside the
USA.
Federal law enforcement obtained a search warrant for the contents of
an email account owned by one of Microsoft’s customers. The warrant was
issued under the SCA, which comprises Title II of the Electronic Communications
Privacy Act of 1986 (the EPCA). The EPCA was enacted to protect the privacy of
customers of electronic communications providers (back in 1986, these would
have been primarily those utilities which were known as telephone companies). The
SCA prohibits those providers from disclosing the content of electronic
communications unless the government obtained a court order that is based upon
a showing of probable cause (called a ‘§2703(d) order’).
To obtain such an order, the U. S. Government has to present ‘specific and articulable facts showing . . . reasonable grounds to
believe that the contents or records . . . are relevant and material to an
ongoing criminal investigation.’ (See §2703(c)(2), (d)).
The SCA doesn’t specify its territorial reach, but US courts generally
apply a presumption against the extraterritorial application of US laws, a
principle most recently re-stated and emphasized by the Supreme Court in RJR Nabisco, Inc. v European Community, 579 US __ (June 20,
2016). Moreover, the rules of criminal procedure provide that warrants can be
executed only in a judicial district in the USA or its possessions and, outside
the USA, only in various diplomatic and consular missions or residences (see Fed. R. Crim. P. 41(b)(5)).
In December 2013, a magistrate judge in the Southern District of New
York, based in Manhattan, issued a search warrant that commanded Microsoft to
search for and provide to the US government the contents of all of the emails
stored in a particular @msn.com email account. After being served with the
warrant in the USA, Microsoft determined that the email contents of the account
were stored in its datacenter in Dublin, Ireland. Microsoft refused to provide
the requested information because it was located outside of the USA and filed a
motion with the issuing magistrate to quash the subpoena. The magistrate judge
denied Microsoft’s motion to quash. The chief judge of the Southern District of
New York affirmed that denial.
Microsoft still refused to produce the requested information and
stipulated that it was in civil contempt of the order. It took an appeal to the
US Court of Appeals for the Second Circuit, which covers New York. The Irish
government filed an amicus brief in support of Microsoft’s position; it
maintains that the emails should be disclosed only on request to the Irish
government in accordance with the mutual legal assistance treaty between the US
and Ireland.
In July 2016, the Court of Appeals ruled unanimously in favour of
Microsoft, quashing the warrant and vacating the civil contempt ruling (the
opinion is available here).
The three-judge panel held that the SCA does not apply extraterritorially, and
that US courts are not authorized to issue and enforce an SCA warrant for the
contents of a customer’s electronic communications stored outside the USA.
The US government petitioned the US Supreme Court to hear the case. The
Court granted the petition in October 2017 and heard arguments on 27 February. The
nine Justices appear divided. Chief Justice John Roberts and others expressed
concern that email providers could attract customers by assuring them that
their email messages would be stored overseas, beyond the reach of the US
government. Justices Ruth Bader Ginsburg and Neil Gorsuch questioned how the US
government had the power to force a party to take action in a foreign country.
Policy Issues and Proposed Legislative Developments
There are good policy arguments on both sides, but at the end of the
day, this case is about statutory interpretation. Microsoft emphasized in its
arguments that the SCA uses the word ‘warrant,’ which is generally understood
to apply only in the USA. Further, the SCA authorizes state and local law
enforcement agents (not just federal agents) to obtain SCA warrants, and it
seems ‘particularly unlikely,’ according to Microsoft, that Congress would have
intended to empower local law-enforcement officials to seize evidence located
in foreign countries. The US government emphasizes that the warrant was served
upon Microsoft, a US corporation, and that it seeks information that is fully
within Microsoft’s control.
It is agreed by almost all commentators — including the judges giving
the majority and concurring opinions in the US Court of Appeals for the Second
Circuit — that the US Congress should resolve this complex policy issue through
legislation, rather than having the Court make a policy determination, with
potentially serious foreign-relations consequences, in response to the facts of
a particular case.
The argument is of course that the US would be better off with
legislation that fairly and fully reflects the views of all stakeholders
involved. And, in fact, several US Senators announced a bipartisan
bill, the Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018 (you can
thank the Senate for the name), that might pre-empt the Court’s decision. (The
bill is available here and you can read it about it here.)
If enacted, the Cloud Act would address two issues. First, it would specify that
an order under the SCA applies to all data that is in the ‘possession,
custody, or control’ of the service provider, regardless of where
that data is stored. Second, it would authorize executive agreements, such as
the contemplated
US-UK agreement, to allow non-US governments to request content directly
from US service providers, and vice-versa.
Upshot
It is worth noting that the Microsoft Ireland
case arises because the data at issue is not Microsoft’s own data, but its
user’s data. There isn’t any serious doubt in the minds of most US lawyers that, if a company is subject to the jurisdiction of the United States, a US court
can order it to produce its own data, even if it is stored outside the USA, so
long as that data is under the company’s possession, custody or control.’ (See US v Bank of Nova Scotia, 740
F.2d 817 (11th Cir. 1984)).
We cannot predict with any confidence how the US Supreme Court will
decide the Microsoft Ireland case, but it seems
likely that the US government will, one way or another, be entitled to get its
hands on a third party’s data stored by a US entity outside the USA in
connection with a criminal investigation. There has been a lot of commentary
about what effect this would have on the rights and freedoms of individuals who
reside outside US jurisdiction and the follow-on impact not only on the
business models of the likes of US digital giants such as Microsoft, Google,
Facebook and Twitter but also the relationship between the USA and other states
and also with super states like the EU. This may in turn affect global trade –
for example, consider how the issues raised by the Schrems
cases question the efficacy of the EU/US Privacy Shield and the EC’s standard
contractual clauses and the impact that their demise would have on the
financial markets. The indications are that this decision will not only prompt
intervention from the US Congress but also require action from governments
around the globe to agree upon sensible mechanisms for balancing privacy rights
with the legitimate needs of law enforcement.
Edward J. Naughton is a partner in the offices of Brown Rudnick LLP in
Boston, Massachusetts and Mark Lubbock is a partner in the offices of Brown
Rudnick LLP in London.
