In last week’s post, we looked at the recent involvement of the Irish Government in the case of Microsoft Corporation v United States. Now, with Microsoft having been unsuccessful in the first two Courts, it now faces a third round, this time in the US Court of Appeals. As explained in our original post, the case concerns the refusal by Microsoft to hand over emails sought by the US authorities in an on-going narcotics investigation. Microsoft’s refusal stems from the location of the emails, which are held in its Dublin-based data centre. In their appeal submissions, both Microsoft and the US have set out extensive reasoning supporting their arguments.
Since Ireland’s submission, both Microsoft and the US have submitted further briefs in preparation for Microsoft’s appeal to the US Court of Appeals this summer. Microsoft has reiterated its view that it should not be compelled to hand over emails stored in a foreign country. Much of Microsoft’s arguments have focused on the intention of Congress in drafting the relevant laws, and that those laws should only apply domestically unless Congress has clearly indicated otherwise. In contrast, the US suggests that Microsoft’s arguments are tenuous and cannot be supported by the legislation and decades of case law. Let’s take a look at some of the core points made in these competing submissions:
- Marc Rich case
The arguments of the two parties primarily focus on the 1983 Marc Rich case and associated case law. In this line of case law, the US Courts found that they could order the disclosure of foreign-located records, so long as the Court had jurisdiction over the person or company in control of those records.
The US frames this whole issue as being a test of control and not location. In particular, the US suggests that Microsoft is digging up 50 years of settled case law on disclosures of company records, merely because these records are abroad. Microsoft, however, is strongly of the view that the rule applies only to accessing business records, leaving customers’ emails beyond the reach of the US government. It makes this distinction by likening the emails to the contents of a customer’s safety deposit box, as opposed to the bank’s own business records. Microsoft suggests that the US is stretching this rule and that the location of where the communications are stored is central to determining the applicable law. The relevant section of the law at the centre of the dispute - the Electronic Communications Privacy Act 1986 (“ECPA”) - does not use words of possession, custody or control but rather refers to the “place”.
Microsoft adds that records are not defined as including the content of communications and the purpose of the ECPA is to ensure that emails are not to be treated like a business’s records. The Marc Rich case cannot account for the practical realities of executing a warrant for a customer’s private emails.
- Worldwide location
According to the US, Microsoft retains full control and discretion over the assignment of email accounts to data centres around the world. Microsoft refutes this allegation, pointing out that customer communications are stored at the data centre closest to the customer to minimise response times (latency). The US points out, however, that the email records remain “readily available” to US-based Microsoft employees.
As mentioned above, the relevant Part of the ECPA - the Stored Communications Act - unsurprisingly focuses on stored electronic communications, meaning, according to Microsoft, the focus is on where they are stored. While the US argues that nothing indicates that compelled production of records is limited to those stored domestically, Microsoft highlights the fact that any extraterritorial nature of the law is only applicable where it is specifically envisaged by Congress.
- Revision of laws
The ECPA was drafted in a time when the digital sphere was not near as advanced as it is today. Most people still used typewriters and there was no concept of the cloud. Consequently, Microsoft argues that Congress had no intention of the laws being used to access an email account in another jurisdiction nearly three decades later. Microsoft underlines the fact that Congress alone has the power to decide whether to modify the law and it is Congress that needs to revisit the issue in light of today’s technologies.
What is coming?
In addition to the decision in this case, due later in the summer, stakeholders are pushing for the adoption of the draft Law Enforcement Access to Data Stored Abroad (LEADS) Act of 2015. This is aimed at updating the current out-of-date laws, in particular dealing with some of the issues in this case. The LEADS Act provides a strict requirement to get a warrant to obtain electronic information stored by a US person. This would also require a court ordered modification if the information was stored abroad and the warrant was likely to breach foreign law. It will be interesting to see if the Court of Appeals recognises a need for such changes in light of the decision it is tasked with.