A Stored Communications Act (SCA) search warrant case arising out of a New York federal narcotics trafficking investigation is being closely watched by EU data protection authorities, privacy advocates, multinational internet service providers, and law enforcement, among others, as the parties pursue an expedited appeal to the Second Circuit Court of Appeals. Captioned In re Search Warrant, No. 13 Mag. 2814, M9-150, the case involves a U.S. law enforcement request for the contents of an Outlook.com email box, stored in Microsoft’s Dublin, Ireland data center. On September 8, 2014, Microsoft elected to submit its opening brief on December 8, 2014, meaning that the case will likely be briefed and argued in early 2015, on an expedited schedule.

It has evolved into a test case under the SCA of whether a government can assert a right to digital content wherever in the world it is stored, based upon service of a warrant or other request on the internet service provider which hosts the data. Diplomatic and competitive business tensions are already high in this area, following the Edward Snowden and other revelations about government interception and surveillance of electronic communications. On the eve of the Labor Day holiday, Microsoft perhaps signaled another front in the dialogue with a series of advertisements more likely targeting legislative or other policymakers.

As a threshold matter, search warrants or other valid law enforcement requests for the contents of electronic communications are of course an unexceptional, accepted feature of narcotics trafficking and other criminal investigations in the United States and elsewhere. In the United States, under the Stored Communications Act, in order to obtain the contents of an email, law enforcement must file an affidavit with a federal judge, demonstrating probable cause that a crime has been committed, and the federal judge rules on the request. This procedure was followed here, but the similar provisions of Irish law (requiring an Irish judge to review the factual basis of the request and order compliance) were not.

The government’s election to press Microsoft directly for the emails, rather than following the (non-exclusive) bilateral process laid out in the Mutual Legal Assistance Treaty between the US and Ireland, is at the root of the controversy. The MLAT process would have triggered local Irish legal scrutiny of the legitimacy of the request. Bypassing that (admittedly discretionary) process has now raised very difficult questions of who owns the Outlook.com email contents, international comity and extraterritorial application of US law. These are the issues that will now be briefed and decided by the Second Circuit or, perhaps, ultimately be resolved through legislative action.

The case involves a December 2013 search warrant issued to Microsoft Corporation for data, including mailbox contents, associated with a free consumer Outlook.com email account, signed last April by a magistrate judge in the Southern District of New York. While certain subscriber data was turned over immediately upon receipt of the warrant, the emails in question were not, because they are stored on Microsoft servers in Dublin. Microsoft refused to produce these, and ultimately moved to vacate that portion of the search warrant effectively requiring its US personnel (acting as agents of the United States government) to effect a search and seizure of data not physically located on servers in the US. In support, Microsoft argued that the U.S. Congress had not intended the SCA to have extraterritorial effect, and therefore the search warrant as issued could not compel Microsoft to retrieve and produce the emails stored in Ireland. With the eventual backing of AT&T, Cisco, Verizon, and others, Microsoft has continued to escalate its strong legal stance against the court-ordered production of the contents of this non-US-hosted email box. To garner interest and manage perceptions among legislative and executive branch personnel, known to spend the last weekend of summer at the Delaware beaches, on the eve of the Labor Day holiday weekend, Microsoft even placed full-page advertisements in well-known beach resort news publications.

As it proceeds before the Second Circuit next month, and perhaps to the United States Supreme Court thereafter, the Microsoft In re Search Warrant case is likely to set important legal and procedural precedents for how cross-border (or as here, quasi cross-border) law enforcement requests for data are handled where US doctrines mandate production of documents within the “possession, custody, or control” of the US-based entity on whom a government demand for assistance is lawfully served.

For its part, the Southern District of New York judges sided strongly with the government position that Microsoft has “control” over the e-mails stored on servers in Dublin and therefore has to produce the requested information. For many decades, it has been settled law in the United States that where the U.S. entity has “control” of documents in the physical custody of a foreign subsidiary, the documents must be produced in response to valid legal process, whether a civil or criminal subpoena or search warrant. In civil litigation, for example, courts routinely evaluated the degree of ownership and control over a foreign subsidiary, focusing upon matters such as commonality of ownership, intermingling of directors and management, ordinary course transfers of documents across borders, and the involvement of the non-party corporation in the matters in dispute. U.S. courts have frequently addressed the conflict between these discovery obligations and E.U. blocking statutes, for example, on a case-by-case, court-by-court basis.

Courts often look, as the judges and parties have in the Microsoft case, to the Restatement (Third) of Foreign Relations Law of the United States, often prioritizing discovery over foreign law in practice. The district judges both determined that Microsoft itself had elected to store the contents of the Outlook.com account on Irish servers, and therefore, it could just as easily retrieve the data from the US. The magistrate and district court judges rejected Microsoft’s arguments that it was the end user’s data, not its own business records, at issue in the search warrant, reasoning that the argument had been waived because it was not a part of the briefing in support of the original motion to vacate.

Both judges ultimately found that an SCA warrant does not, as Microsoft had asserted, violate the presumption against extraterritorial application of US law.

The dispute raises important economic and diplomatic issues for Microsoft and the amici. As one counsel for the amici arguing against extraterritorial application stated at oral argument on July 31, one of the “very significant” policy issues is “the interest of companies in not losing billions of dollars in foreign business because of the impact overseas, because of foreign customers wanting to go to a German provider instead of an American one. These are the sorts of policy considerations that need to be left to Congress.” One can speculate that the well-timed vacation ads in the beach newspapers are harbingers of a public policy / lobbying campaign to seek a legislative “fix” to the conundrum presented by the New York federal district court’s extraterritorial application of the SCA.

In Europe, data protection authorities and policymakers voice concerns over the potential privacy law implications of the case. They argue that the due process considerations under Irish law should have compelled U.S. law enforcement to opt for the procedures set forth in the Mutual Legal Assistance Treaty in Criminal Matters between Ireland and the US, which has been in force since 2001. They also claim that otherwise the transfer of the data would infringe Irish privacy law. However, the US judges at the trial court level were persuaded by the government’s position that the MLAT process was slow and, in any event, discretionary under the wording of the Treaty. The potential breach of Irish privacy law has not been considered.

Whether the Second Circuit will take a broader look and also consider limitations under Irish privacy law remains to be seen. In any event, it would not be easy to argue that the production of the e-mails would infringe Irish privacy law. As a Safe Harbor registered and certified participant, Microsoft has signed up for the Safe Harbor Principles (2000/520/EC) and in such principles, the European Commission explicitly approved government access under US law. Furthermore, Microsoft's terms of use for Outlook.com explicitly reserve the right to provide user data in order to satisfy applicable law, regulation, legal process or governmental requests. Therefore, this case focuses on the question of whether Microsoft is obliged to provide the data from Ireland under US law or not. The privacy rules in Europe may become more relevant in the future, because the European Court of Justice has been asked whether Safe Harbor is binding, the European Commission is rethinking Safe Harbor and a new European privacy law is in the making. For the time being, however, it is unlikely that Irish privacy law will be decisive in the Microsoft case.