On September 9th, the Second Circuit Court of Appeals will hear a case with global business, technology, and legal implications. The case, United States v. Microsoft, presents a deceptively simple question: What’s a multinational company to do when it receives a U.S. court order to turn over customer emails that are stored on a server in a foreign country and that may be subject to different data privacy laws?
The case started as a drug trafficking investigation. In December 2013, federal agents served a search warrant on Microsoft Corp. at its U.S. headquarters in Redmond, Washington. The warrant sought emails associated with an unnamed user’s msn.com account. The user’s email records were stored on a Microsoft server in Dublin, Ireland. In other instances, the government has sought access to data stored in foreign countries through a mutual legal assistance treaty (or “MLAT”). An MLAT is an agreement between the U.S. and foreign governments to facilitate the formal and informal cooperation of law enforcement authorities worldwide including a process for the enforcement of both search warrants and court orders.
But instead, the Justice Department issued a warrant under the Stored Communications Act (or “SCA”). The SCA authorizes the government to serve a warrant requiring a provider hosting an email account to produce wire and electronic communications. Microsoft agreed to turn over the customer’s “address book” because it was stored on U.S. servers. However, Microsoft moved to quash the warrant with respect to the contents of the customer’s emails, which were stored on a server in Ireland. Microsoft argued that the government could not compel the seizure of information stored outside of the United States.
Magistrate Judge James A. Francis denied Microsoft’s motion. He reasoned that an SCA warrant is “not a conventional warrant,” but rather a hybrid of a search warrant and a subpoena, since it is served on the service provider and does not involve government agents actually executing a search or seizure. He then determined that the search compelled by the SCA warrant was not actually extraterritorial because the relevant test was the recipient’s control over the information rather than the information’s location. Here, since Microsoft could retrieve the information using a sophisticated computer program in the U.S., Judge Francis concluded that this use of an SCA warrant did not violate the presumption against extraterritorial application of U.S. law. Microsoft challenged Judge Francis’s ruling in the district court and lost, and then appealed to the Second Circuit.
More than two dozen technology companies have lined up behind Microsoft and filed amicus briefs on its behalf. Global companies like Microsoft worry that if the U.S. government can force the disclosure of personal information such as email traffic stored on servers in Europe—where many of the data protection laws are far more protective of personal information than in the U.S.—it will create an irreconcilable conflict between U.S. and foreign laws. Other concerns have been expressed as well. If the U.S. government is permitted to serve warrants on U.S. technology companies and obtain email that is stored in other countries, will it cause other countries to serve warrants on tech companies for the private communications of American citizens stored in U.S. data centers owned by foreign companies? Or, will American companies that store personal information abroad be exposing themselves to liability if they can no longer keep their promise to maintain the confidentiality of their customers’ information?
It will, no doubt, be telling to hear what questions the Second Circuit judges have for both the government and Microsoft. We’ll continue to report on this case in the weeks to come.