Second Circuit Reverses S.D.N.Y. Decision, Holding That a Warrant Cannot Compel Microsoft to Disclose E-mails Stored Abroad
On July 14, 2016, the U.S. Court of Appeals for the Second Circuit held that a service provider is not obligated to comply with a warrant for electronic communications stored abroad. In In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, the Court held that the Stored Communications Act (“SCA”) does not “authorize courts to issue and enforce against U.S.-based service providers warrants for the seizure of customer e-mail content that is stored exclusively on foreign servers.”1
As suggested by Judge Lynch’s concurrence, which invited Congress to reconsider the SCA in light of technological changes since its enactment, the decision may prompt calls for laws and regulations addressing the storage of electronic communications and other data outside the United States, particularly if it is generated or transmitted with a U.S. nexus. If proposed, such laws and regulations would likely raise concerns from, among others, privacy advocates and technology companies in the United States, and raise objections overseas about the extraterritorial application of U.S. laws and regulations.
A. THE STORED COMMUNICATIONS ACT
The Stored Communications Act,2 passed as part of the Electronic Communications Privacy Act of 1986, governs the procedural requirements for the release of individuals’ electronic communications stored by third-party service providers. The SCA applies to records held by third-party electronic communication service providers (“ECSs”) and remote computing service providers (“RCSs,” and collectively with ECSs, “Internet Service Providers” or “ISPs”), but not to local or “client-side” copies of those records held by the parties to the communications themselves.3 The SCA protects individuals’ privacy by generally prohibiting ISPs from voluntarily disclosing customer communications to the government or others, subject to certain exceptions, and by establishing procedures by which the government can compel ISPs to disclose customers’ communications or records.4
The government has three different methods to compel an ISP to disclose information about communications held in electronic storage, with more intrusive requests requiring more onerous procedural steps. Specifically, the government can compel disclosure (1) of basic subscriber and transaction information using only an administrative subpoena, which requires no court pre-approval, (2) of other non-content records (such as metadata) by obtaining a court order, which requires the government to show reasonable grounds to believe that the records or contents sought are “relevant and material to an ongoing criminal investigation,”5 or (3) of communications content that is in temporary electronic storage for 180 days or less by obtaining a warrant, which requires the “us[e] the procedures described in [Rule 41 of] the Federal Rules of Criminal Procedure” and is available only upon a showing of probable cause.6 The government may also get communications content through an administrative subpoena or a court order short of a warrant, but only if notice is provided to the subscriber or customer at issue.
B. FACTUAL BACKGROUND
In an investigation of allegedly criminal activity, the federal government sought a warrant to search and seize information associated with a customer e-mail account stored by Microsoft. The warrant sought both the account’s “content information,” meaning all messages and their subject lines, and “non-content information,” meaning metadata such as the sender’s e-mail address, the recipient’s e-mail address, and the date and time of the e-mail transmissions. On December 4, 2013, the government presented an affidavit establishing probable cause, and Magistrate Judge James C. Francis IV issued the warrant.
Microsoft disclosed domestically stored non-content account information to the government as directed, but when Microsoft realized that the content information associated with the account was located in Dublin, Ireland, however, it filed a motion to quash the warrant as it pertained to the information stored abroad.7
Microsoft’s motion to quash relied on four main arguments: (1) a search of electronic communications occurs where the communications are stored by an ISP, and not where the data may be remotely accessed; (2) absent specific congressional authorization, statutes are presumed to have no extraterritorial effect; (3) no such authorization for extraterritorial application of a warrant is found in Rule 41, the SCA, or elsewhere, and, therefore, the government cannot execute a search and seizure in Ireland; and (4) the government cannot circumvent the territorial restriction on its authority by forcing Microsoft to search for and disclose data located in Ireland.
C. S.D.N.Y. DECISION
Magistrate Judge Francis denied Microsoft’s motion to quash the warrant. The U.S. District Court for the Southern District of New York affirmed, ruling (1) an SCA warrant is executed like a subpoena and Congress intended to import obligations similar to those associated with a subpoena to produce information regardless of the location of the information, and (2) Microsoft’s position was undermined by the structure of the SCA, its legislative history, and the practical consequences that flow from adopting Microsoft’s position. The district court ruled that the “warrant” required by the SCA to compel disclosure of content information is not truly a warrant, but rather “a hybrid: part search warrant and part subpoena.”8 The SCA warrant, the district court reasoned, is obtained like a search warrant but executed like a subpoena, which compels the subpoenaed party to produce documents within its control without a physical intrusion by or the presence of government agents, whether on domestic or foreign soil. Relying on a test articulated in Marc Rich & Co., A.G. v. United States, 9 the district court held that the location of the e-mail contents in Ireland did not render the search extraterritorial because “the test for production of documents is control, not location.”10 Because the controlling entity, Microsoft, is located in the United States, Microsoft’s production of information merely located in Ireland did not constitute an extension of U.S. laws beyond U.S. borders. Finally, the district court’s opinion stated that a territorial restriction on the execution of SCA warrants would place an undue burden on law enforcement efforts and thus cannot be what the legislature intended. If SCA warrants were found not to reach electronic communications stored abroad, searches and seizures of these communications could only be executed pursuant to the “burdensome and uncertain”11 process dictated by a Mutual Legal Assistance Treaty (“MLAT”) between the United States and the country in which the communications are stored. The district court determined that subjecting SCA warrants to the MLAT process is likely inconsistent with congressional intent. As a result of Microsoft’s refusal to comply with the warrant, the district court held Microsoft in civil contempt.
MICROSOFT v. US
A. ARGUMENTS BEFORE THE COURT
On appeal, Microsoft argued that: (1) the plain language of the SCA indicates that an SCA warrant is a conventional warrant implicating the Federal Rules of Criminal Procedure, (2) the warrant compels Microsoft to act as an agent of law enforcement in conducting a search and seizure of information abroad, (3) the Marc Rich test is applicable to a company’s own records but not to customer information, and thus the search and seizure should be considered as being conducted where the information is located rather than from where it may be controlled, (4) U.S. laws are assumed not to apply extraterritorially, unless the law explicitly states otherwise, and (5) the district court inappropriately weighed policy considerations best left to the political branches.
The government argued that: (1) an SCA warrant requires the production of electronic communications regardless of their location, (2) an SCA warrant can compel production regardless of whether the company or the customer is said to own the electronic communications, (3) that the execution of the warrant is not a search and seizure because U.S. law enforcement is not required to enter and search premises abroad, (4) the text, structure, purpose, and legislative history of the SCA do not indicate that the Act was meant to be territorially limited, and (5) the MLAT process is often ineffective and impracticable.
B. THE COURT’S OPINION
The Court of Appeals sided with Microsoft, relying on the presumption against extraterritorial application of U.S. laws and the legislative history of the SCA. In 1986, when the SCA was passed, Congress’s focus was on safeguarding the privacy of domestic users, and Congress had no idea that U.S. ISPs might someday host large-scale data storage facilities in foreign countries. Thus, the Court interpreted the term “warrant” in the SCA to afford heightened privacy protection domestically, without crossing the instrument’s traditional territorial limitations and other constitutional requirements, and found that “[n]either explicitly nor implicitly does the statute envision the application of its warrant provisions overseas.”12 The application of the SCA proposed by the government, the Court reasoned, would be contrary to the presumption against extraterritoriality that the Supreme Court re-stated and emphasized in Morrison v. National Australian Bank Ltd., 13 and, again recently, in RJR Nabisco, Inc. v. European Cmty. 14 Following its conclusion that the SCA does not apply extraterritorially, the appeals court further ruled that the warrant in question was, in fact, an effort to apply the SCA extraterritorially, as the relevant situs for purposes of the Court’s analysis was where the data was held, not where it was accessed or where the relevant subscriber or customer resided. As such, the Court vacated the finding of civil contempt and reversed and remanded to the district court to quash the warrant insofar it required Microsoft to collect, import, and produce customer content stored outside the United States.
In a separate opinion concurring only in the judgment, Judge Gerard Lynch expressed the view that the government’s arguments were stronger than acknowledged in the Court’s opinion, that as a logical matter the citizenship of the subscriber or customer should be taken into account in addition to the location of the information, and that Congressional action was needed to modernize a badly outdated statute not designed for requests to U.S. companies for electronic communications held in foreign countries. Although Judge Lynch agreed with the Court’s statutory interpretation, he emphasized that the nature of how electronic communications and other data is stored has changed and there are good reasons for Congress to revisit the cost and benefits of such warrants and calibrate the proper procedural requirements in light of evolving technologies. In particular, Judge Lynch remarked that the location of electronic documents is merely virtual, corporate employees in the United States could review those records in the ordinary course of business without ever leaving their desks, and the nationality of the subject was unclear from the record before the Court, so it was unclear why the location of the electronic communications should be treated as controlling.