In what privacy advocates have hailed as a “big” privacy victory, a US appellate court recently ruled that the US government could not force Microsoft to provide customer emails stored on a server in Ireland. European privacy advocates should not be popping the champagne just yet. The Microsoft decision is less about privacy than it is about the reach of a particular US law and, as the Microsoft decision makes plain, the result could have been very different in a different context. To be sure, for decades, American courts have ordered private parties to secure data from locations outside of the US to provide it to third parties or the government. The Microsoft decision does nothing to change that law.
The Microsoft decision
In Microsoft, the US Court of Appeals for the Second Circuit considered whether a warrant issued under the Stored Communications Act (SCA) can compel the disclosure of an American customer’s information stored on Microsoft’s servers physically located in another country. The warrant was served on Microsoft following an investigation by the Department of Justice, which had identified an e-mail account on Microsoft’s Outlook.com platform with alleged connections to narcotics trafficking. Some of the customer’s data was stored on Microsoft’s servers located in the United States, but the emails that the government really wanted were stored on a server in Ireland. Microsoft challenged the warrant as it applied to information stored on its servers in Ireland. Despite two separate decisions by a magistrate judge and District Court siding with the government, the Second Circuit sided with Microsoft, reversing the lower courts’ orders.
The Second Circuit held that the SCA “does not authorize a U.S. court to issue and enforce an SCA warrant against a United States-based service provider for the contents of a customer’s electronic communications stored on servers located outside the United States.” The Court started from the premise—established in the landmark Morrison decision—that laws don’t apply outside the United States unless they clearly say that they do. The Stored Communications Act “neither explicitly nor implicitly . . . envision[s] the application of its warrant provisions overseas.” Quite to the contrary, Congress’s use of the term “warrant” suggests that the SCA is meant to apply domestically, since historically warrants authorize evidence-gathering only within territorial borders. (Although a “subpoena,” in contrast, “may require the production of communications stored overseas,” that’s not the term that Congress chose.) So the SCA applies domestically, not extraterritorially. That just raised the harder question: When a warrant is served on a domestic company for foreign evidence, is it “domestic” or “extraterritorial”? To answer that question, the Court looked to the SCA’s purpose: “to protect user privacy.” If the SCA’s aim is to protect user privacy, then the main show happens where the user’s data sits—where the privacy breach occurs—rather than where the warrant is delivered. Therefore, a warrant seeking evidence stored abroad constitutes an impermissible extraterritorial application of the SCA. The outcome: Microsoft doesn’t have to turn over data stored on its servers in Ireland.
Limits of the decision
The Second Circuit’s decision is sharply limited. The issue before the Court was not whether the privacy of the e-mail account holder should be respected. It was simply whether a particular law applied “extraterritorially.” And in reaching its decision, the court made three important limitations clear.
First, the court cared most about what server held the relevant data and where that server was located. That the data might move, or that it might have been on another server in the past, was of no moment. Nor was the citizenship of the owner of the e-mail account or the citizenship of the data controller. The key fact was the location of the server that held the data. Had the data been stored in New Jersey, even if the owner of the email account was a citizen of an EU member state residing in the EU, Microsoft would have been compelled to turn it over.
Second, as the Court made plain, this ruling is relevant only for warrants issued under the SCA. Had the information been sought via a subpoena—which as discussed is a different creature entirely—the result would have been much different. Had the owner of the account been a defendant in a civil case for money damages, for instance, the plaintiff might have been able to force the defendant or even possibly a third party to turn over its e-mails, even if those e-mails were on an Irish server.
Third, as the Court also made plain, the law under which the government sought the Irish emails was drafted long ago, before the Internet as we know it now existed, and certainly before anyone had dreamt of the “cloud.” If Congress were to change the law, a US court could very well compel a US-based company like Microsoft to turn over emails, even when those emails are stored in a country with very different conceptions of privacy.
The conflicts to come
The Microsoft case is, perhaps, most notable as a harbinger of conflicts to come.
As an initial matter, the Microsoft decision is not necessarily the final word even about the extraterritorial application of the SCA. The Microsoft ruling is binding precedent in only three states—New York, Vermont and Connecticut—and is still subject to further appellate review. So it is entirely possible that other courts will see things differently in fights yet to come.
Furthermore, the US government is not alone in seeking data held abroad. Even though European data privacy regulators objected to the US government’s attempt to secure data from an Irish server, European law enforcement seeks the same sort of data that the US government sought in Microsoft. In 2014, for instance, UK law enforcement requested customer data for “at least 53,947 separate user accounts controlled by American technology companies.”
Perhaps more importantly, the European Union’s General Data Protection Regulation (GDPR) explicitly seeks to apply EU data privacy principles to data controllers processing the personal data of Europeans regardless of whether the processing itself takes place within the Union or not. In other words, the EU is quite happy to apply its data protection regime extraterritorially. This provision could well put EU data privacy ideals on a collision course with legal systems like the US that might disregard European data safeguards in some circumstances.
What is a European company to do?
A European company seeking to protect its data, consistent with the GDPR and local norms, should see Microsoft for what it is—both a help and a warning.
The Microsoft court’s focus on the location of the server on which the e-mails were stored provides European companies with a bright-line test that might be helpful. To take advantage of the Microsoft court’s reasoning, companies should pay particular attention to where their data servers are located.
However, European companies cannot believe that storing data on a server outside of the United States will shield that data from the reach of US courts and regulators. It frequently won’t. Imagine, for example, that a private litigant in a US lawsuit issues a subpoena under Rule 45 of the Federal Rules of Civil Procedure seeking to force a US-based company to turn over e-mails from that company’s European employees held on a European server. Would a US court see this as an impermissible extraterritorial application of US law? Probably not. US courts have enforced this type of subpoena repeatedly despite foreign data protection and secrecy laws, even when that risked putting the subpoena recipient in a foreign prosecutor’s crosshairs. Microsoft doesn’t change that law.
For a company wary of the US legal system and its sometimes onerous burdens on those from whom data is requested, the best course is to think holistically about where data is stored, and who has the practical ability to access that data in the normal course of business. It would also be wise to be watchful as to how the law that governs data evolves—companies must scan the horizon broadly to be sure that they are aware of all of the risks they might be facing.