Yesterday, the Supreme Court granted the Department of Justice’s petition for a writ of certiorari in its dispute with Microsoft over access to private emails stored at Microsoft’s Dublin, Ireland data center. At issue is whether the warrant provisions of the Stored Communications Act (SCA) apply extraterritorially, such that they compel Microsoft, an electronic service provider to produce private electronic communications stored on servers in Ireland for the United States government.
Background
In December 2013, the Justice Department served a warrant to Microsoft, compelling the company to disclose information pertaining to a user’s email account. The government asserted that it had probable cause to believe that the account was being used to facilitate criminal drug activity.
The Stored Communications Act (SCA) – which is part of the broader Electronic Communications Privacy Act (ECPA) of 1986 – allows the government to require that an electronic communications provider disclose information about a particular communication upon being served a probable-cause-based warrant. A federal magistrate judge issued such a warrant in this case.
In response to the warrant, Microsoft turned over the information pertaining to the account stored on its U.S. servers, such as the user’s address book. The company refused, however, to turn over the information stored in Dublin. Microsoft assigns accounts to particular data centers based on their proximity to users’ country of residence. The account in question had been assigned to Microsoft’s Dublin center, and thus all of the account’s email content – the subject lines as well as content of emails – was stored solely in Dublin, not in the United States.
Microsoft argued that the U.S. government could not invoke the Stored Communications Act to compel the production of data stored in a foreign country. Instead, the company stated that the U.S. government had to obtain the consent of the Irish government first, by utilizing an alternate channel established for obtaining such communications: the United States’ Mutual Legal Assistance Treaty (MLAT) with Ireland.
A district court, however, affirmed the magistrate judge’s ruling on de novo review, and held Microsoft in contempt for failing to comply with the warrant.
The case then came before the Second Circuit Court of Appeals. In a unanimous decision, the Second Circuit reversed the district court’s ruling, reasoning that the lower court “lacked authority to enforce the Warrant against Microsoft,” on the grounds that “[n]either explicitly nor explicitly does the statue envision the application of its warrant provisions overseas.”
Now, the case is set to go before the Supreme Court during its 2017-2018 term.
Modernizing Data Privacy Protections: The Role of Congress or the Courts?
In a blog post posted on October 16, 2017, Microsoft’s President and Chief Legal Officer, Brad Smith, argued data privacy laws in the United States should be modernized. “The current law, ECPA, was enacted in 1986 when the World Wide Web was still a few years away from being invented and no one conceived of conducting most work and personal business online,” Smith writes. “A world connected by cloud services simply didn’t exist. The ways in which we communicate have radically changed over the past three decades — but the laws governing those communications haven’t. Current laws don’t adequately support the needs of law enforcement anywhere in the world or protect our rights.”
Smith stresses, however, that it is Congress, not the courts, who should take the helm in this effort. “We believe that rather than arguing over an old law in court, it is time for Congress to act by passing new legislation, such as the International Communications Privacy Act (ICPA) of 2017.”
Smith’s argument here – that data privacy laws should be modernized by passing new legislation in Congress, rather than by challenging existing statutes in the courts – echoes the argument put forth in Microsoft’s opposition brief. “Congress alone has the authority and the institutional competence to craft a new legislative scheme for a world not anticipated in 1986,” Microsoft’s counsel writes. “And it has remedial options simply not available to this Court.” Microsoft argues that the courts, in interpreting the Stored Communications Act, have traditionally employed an “all-or-nothing” approach with regards to the question of extraterritoriality–either law enforcement may compel production of all communications stored abroad, or it may demand none of it. This approach thus risks disrupting “the ‘harmony’ between nations that is ‘particularly needed in today’s highly interdependent commercial world.’”
Interestingly, the digital privacy groups that submitted a joint amicus curiae brief in support of Microsoft’s petition before the Second Circuit veered away from Microsoft’s choice-of-forum argument. Rather than supporting Microsoft’s assertion that it is the job of Congress, not the Court, to modernize the SCA, the privacy groups – namely, the Brennan Center for Justice, the American Civil Liberties Union, the Constitution Project, and the Electronic Frontier Foundation – make a different argument altogether. They state in their brief:
Modern technology has dramatically expanded the reach of the doctrine far beyond records of bank transactions and telephone calls. The Supreme Court recognized this problem in Riley, reasoning that Fourth Amendment privacy protection must account for this new technological reality. There, in holding that cell phones may not be searched under the search-incident-to -arrest warrant exception, the court noted that modern cell phones—just like cloud-based email—are capable of storing a vast amount of personal information and thus deserve the highest privacy protections.
Here, the amici curiae apply a Fourth Amendment analysis – an amendment that Microsoft does not even mention in its brief — to the question of whether the SCA applies extraterritorially. It remains to be seen whether the Supreme Court will be sympathetic to Microsoft’s and the supporting amici curiae’s arguments. Whether or not the Justices side with Microsoft, the line of reasoning they choose to privilege in their opinions –either the choice-of-forum or the Fourth Amendment analysis – will have implications for how similar legal quandaries are framed in the future.
Take a look at the case filings here.
[…] stored abroad. For further background on this case, see our past coverage on the IELR Blog here and […]