On July 14, 2016, the United States Court of Appeals for the Second Circuit held that a U.S. court cannot issue a warrant under § 2703 of the Stored Communications Act, 18 U.S.C. §§ 2701 et seq.(the “SCA”), against a United States-based service provider for the contents of customer’s electronic communications stored on servers located outside the United States. In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corp., No. 14-2985 (2d Cir. July 14, 2016). While the immediate impact of this decision is limited to SCA warrants, it suggests continued judicial scrutiny over the extraterritorial application of United States law.
On July 4, 2013, the district court issued a warrant compelling Microsoft to produce e-mails contained in an account hosted on a server in Ireland. Id. at 9. Specifically, the warrant directed Microsoft to disclose to the government information such as: (1) the “contents of all e-mails stored in the account, including copies of e-mails sent from the account”; (2) “[a]ll records or other information regarding the identification of the account,” (3) “[a]ll records or other information stored by an individual using the account, including address books, contact and buddy lists, pictures, and files”; and (4) “[a]ll records pertaining to communications between MSN [redacted] and any person regarding the account . . Id. at 10
Microsoft disclosed all responsive information kept within the United States but declined to disclose e-mail stored in its Dublin datacenter. The trial court denied Microsoft’s motion to quash holding that the SCA authorized the court to issue a warrant for “information that is stored on servers abroad,” reasoning that a warrant “is executed like a subpoena in that it . . . does not involve government agents entering the premises of the ISP to search its servers and seize the e-mail account in question.” Id. at 11. Accordingly, the trial court held that Congress intended in the SCA’s warrant provisions to import obligations similar to those associated with a subpoena to “produce information in its possession, custody, or control regardless of the location of that information.” Id. The fact that Microsoft’s datacenter was located outside the United States was “of no moment” to the trial court. Id. at 20.
The Second Circuit unanimously reversed the trial court’s denial of Microsoft’s motion to quash. According to the court:
- An SCA warrant is issued using the procedures described in Rule 41 of the Federal Rules of Criminal Procedure, which generally restricts the geographical reach of a warrant’s execution to “a United States territory, possession, or commonwealth,” and various diplomatic or consular missions or residences of the United States located in a foreign state. Id. at 19.
- The SCA’s warrant provisions (§ 2703), as conceded by the government at oral argument, have no extraterritorial application. Id. at 22. Moreover, Congress’s use of the term of art “warrant” also emphasizes the domestic boundaries of the SCA, and amendments to the SCA are fully consistent with the historical role of warrants to protect U.S. citizens’ privacy interests. Id. at 25-26.
- Unlike a situation where a “subpoena could reach documents located abroad where the subpoenaed foreign defendant was compelled to turn over its own records regarding potential illegal conduct, the effects of which were felt in the United States,” Marc Rich & Co., A.G. v. United States, 707 F.2d 663 (2d Cir. 1983), the Second Circuit has “never upheld the use of a subpoena to compel a recipient to produce an item under its control and located overseas when the recipient is merely a caretaker for another individual or entity and that individual, not the subpoena recipient, has a protectable privacy interest in the item.” Id. at 31.
- The invasion of the customer’s privacy takes place under the SCA where the customer’s protected content is accessed – here, where it is seized by Microsoft, acting as an agent of the government. Because the content subject to the warrant is located in the Dublin datacenter, the conduct that falls within the focus of the SCA would occur outside the United States, regardless of the customer’s location and regardless of Microsoft’s home in the United States. Id. at 39.
- The interests of comity govern the conduct of cross-boundary criminal investigations. When a United States judge issues an order requiring a service provider to “collect” from servers located overseas and “import” into the United States data, possibly belonging to a foreign citizen, simply because the service provider has a base of operations within the United States, this impacts obligations that the laws of the relevant foreign sovereign may place on a service provider storing digital data or otherwise conducting business within its territory. Id. at 42.
Judge Lynch, in his concurring opinion, emphasized that “the dispute here is not about privacy, but the international reach of American law.” He viewed the government’s attempt to obtain the emails through a warrant as justified but thwarted by Microsoft’s choice of storage, and urged Congress to take action to clarify, among others, the extraterritorial reach of the SCA.