Edward Naughton and Mark Lubbock summarize the issues arising and background to United States v Microsoft Corporation, which is currently being heard before the US Supreme Court.
As this high profile case unwinds, we feel it is useful to stand back and review its history and also look at the legislative proposals currently being made in the US Congress which may impact on the efficacy of the decision in the future.
On 27 February 2018, the US Supreme Court heard arguments in United States v Microsoft Corporation, Case No. 17-2, in which the Justices are wrestling with the question whether the US government can force Microsoft to hand over a user’s email messages and other data that are stored outside of the USA. The Justices appear to be divided, with some seemingly inclined to allow the US authorities to obtain data in this manner, while others are concerned that this question is not one to be determined by a court but should instead wait until the US Congress has legislated on the subject.
The key issue in the case
The issue at the heart of this case is whether the Microsoft as a provider of email services must comply with a criminal search warrant issued by a magistrate judge under the Stored Communications Act, 18 USC. § 2703 (the SCA), in a situation where the warrant requires disclosure in the US of electronic communications that are within Microsoft’s control but that Microsoft has chosen to store outside the USA.
Federal law enforcement obtained a search warrant for the contents of an email account owned by one of Microsoft’s customers. The warrant was issued under the SCA, which comprises Title II of the Electronic Communications Privacy Act of 1986 (the EPCA). The EPCA was enacted to protect the privacy of customers of electronic communications providers (back in 1986, these would have been primarily those utilities which were known as telephone companies). The SCA prohibits those providers from disclosing the content of electronic communications unless the government obtained a court order that is based upon a showing of probable cause (called a ‘§2703(d) order’).
To obtain such an order, the U. S. Government has to present ‘specific and articulable facts showing . . . reasonable grounds to believe that the contents or records . . . are relevant and material to an ongoing criminal investigation.’ (See §2703(c)(2), (d)).
The SCA doesn’t specify its territorial reach, but US courts generally apply a presumption against the extraterritorial application of US laws, a principle most recently re-stated and emphasized by the Supreme Court in RJR Nabisco, Inc. v European Community, 579 US __ (June 20, 2016). Moreover, the rules of criminal procedure provide that warrants can be executed only in a judicial district in the US or its possessions, and outside the USA, only in various diplomatic and consular missions or residences. (See Fed. R. Crim. P. 41(b)(5)).
In December 2013, a magistrate judge in the Southern District of New York, based in Manhattan, issued a search warrant that commanded Microsoft to search for and provide to the US government the contents of all of the emails stored in a particular @msn.com email account. After being served with the warrant in the USA, Microsoft determined that the email contents of the account were stored in its datacenter in Dublin, Ireland. Microsoft refused to provide the requested information because it was located outside of the USA and filed a motion with the issuing magistrate to quash the subpoena. The magistrate judge denied Microsoft’s motion to quash. The chief judge of the Southern District of New York affirmed that denial.
Microsoft still refused to produce the requested information and stipulated that it was in civil contempt of the order. It took an appeal to the US Court of Appeals for the Second Circuit, which covers New York. The Irish government filed an amicus brief in support of Microsoft’s position; it maintains that the emails should be disclosed only on request to the Irish government in accordance with the mutual legal assistance treaty between the US and Ireland.
In July 2016, the Court of Appeals ruled unanimously in favour of Microsoft, quashing the warrant and vacating the civil contempt ruling (the opinion is available here). The three-judge panel held that the SCA does not apply extraterritorially, and that US courts are not authorized to issue and enforce an SCA warrant for the contents of a customer’s electronic communications stored outside the US
The US government petitioned the US Supreme Court to hear the case. The Court granted the petition in October 2017 and heard arguments on 27 February. The nine Justices appear divided. Chief Justice John Roberts and others expressed concern that email providers could attract customers by assuring them that their email messages would be stored overseas, beyond the reach of the US government. Justices Ruth Bader Ginsburg and Neil Gorsuch questioned how the US government had the power to force a party to take action in a foreign country.
Policy Issues and Proposed Legislative Developments
There are good policy arguments on both sides, but at the end of the day, this case is about statutory interpretation. Microsoft emphasized in its arguments that the SCA uses the word ‘warrant,’ which is generally understood to apply only in the USA. Further, the SCA authorizes state and local law enforcement agents (not just federal agents) to obtain SCA warrants, and it seems ‘particularly unlikely,’ according to Microsoft, that Congress would have intended to empower local law-enforcement officials to seize evidence located in foreign countries. The US government emphasizes that the warrant was served upon Microsoft, a US corporation, and that it seeks information that is fully within Microsoft’s control.
It is agreed by almost all commentators — including the judges giving the majority and concurring opinions in the US Court of Appeals for the Second Circuit — that the US Congress resolve this complex policy issue through legislation, rather than having the Court make a policy determination, with potentially serious foreign-relations consequences, in response to the facts of a particular case.
The argument is of course that the US would be better off with legislation that fairly and fully reflects the views of all stakeholders involved. And, in fact, several US Senators recently announced a bipartisan bill, the Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018 (you can thank the Senate for the name), that might pre-empt the Court’s decision. (The bill is available here.) If enacted, the Cloud Act would address two issues. First, it would specify that an order under the SCA applies to all data that is in the ‘possession, custody, or control’ of the service provider, regardless of where that data is stored. Second, it would authorize executive agreements, such as the contemplated US-UK agreement, to allow non-US governments to request content directly from US service providers, and vice-versa.
It is worth noting that the Microsoft Ireland case arises because the data at issue is not Microsoft’s own data, but its user’s data. There isn’t any serious doubt in the minds of most US lawyers that if a company is subject to the jurisdiction of the United States, a US court can order it to produce its own data, even if it is stored outside the US, so long as that data is under the company’s possession, custody or control.’ (See US v Bank of Nova Scotia, 740 F.2d 817 (11th Cir. 1984)).
We cannot predict with any confidence how the US Supreme Court will decide the Microsoft Ireland case, but it seems likely that the US government will, one way or another, be entitled to get its hands on a third party's data stored by a US entity outside the USA in connection with a criminal investigation. There has been a lot of commentary about what effect this would have on the rights and freedoms of individuals who reside outside US jurisdiction and the follow-on impact not only on the business models of the likes of US digital giants such as Microsoft, Google, Facebook and Twitter but also the relationship between the USA and other states and also with super states like the EU. This may in turn affect global trade – for example, consider how the issues raised by the Schrems cases question the efficacy of the EU/US Privacy Shield and the EC's standard contractual clauses and the impact that their demise would have on the financial markets. The indications are that this decision will not only prompt intervention from the US Congress but also require action from governments around the globe to agree upon sensible mechanisms for balancing privacy rights with the legitimate needs of law enforcement.
Edward J. Naughton is a partner in the offices of Brown Rudnick LLP in Boston, Massachusetts and Mark Lubbock is a partner in the offices of Brown Rudnick LLP in London.