On February 27, 2018, the U.S. Supreme Court heard oral arguments in United States v. Microsoft, No. 17-2. The case presents the question whether a U.S.-based entity (Microsoft) must comply with a judicially-authorized search warrant that was issued under Section 2703 of the Stored Communications Act by providing overseas data to the U.S. Department of Justice (“DOJ”).

Background

This case arises in connection with Microsoft’s role as an operator of a web-based email service, which stored a user’s emails in a data center located overseas (in Ireland). In December 2013, the federal Government obtained a judicially-authorized search warrant for email content and additional information associated with a Microsoft email account. In response to the warrant, Microsoft provided the DOJ with customer account information that was stored in Redmond, Washington, but refused to disclose the content of the emails, which were stored in a data center in Ireland. The Government moved to compel Microsoft’s disclosure of overseas email data, and the district court granted the Government’s motion, finding that the warrant obligated Microsoft to turn over the overseas materials. In July 2016, the U.S. Court of Appeals for the Second Circuit reversed the district court’s ruling. Citing the Supreme Court’s decision in Morrison v. National Australia Bank Ltd., 561 U.S. 247 (2010), the Second Circuit reasoned that Congress did not intend the SCA’s warrant provisions to apply extraterritorially. Microsoft Corp. v. United States 829 F.3d 197 (2d Cir. 2016).

We previously wrote about the Second Circuit’s ruling in Microsoft here: https://www.shearman.com/-/media/Files/NewsInsights/Publications/2016/07/In-the-Matter-of-Microsoft--Why-It-Matters-LT-071916.pdf

The Supreme Court Agrees To Decide The Issue

The U.S. Supreme Court granted certiorari on October 16, 2017. Specifically, the Court agreed to hear the following issue: “Whether a United States provider of email services must comply with a probable-cause-based warrant issued under 18 U.S.C. § 2703 by making disclosure in the United States of electronic communications within that provider’s control, even if the provider has decided to store that material abroad.” Merits briefing was completed on February 12, 2018. The Government conceded in its opening brief that the SCA does not apply extraterritorially in light of the Supreme Court’s decision in Morrison and RJR Nabisco, 136 S.Ct. 2090 (2016). In those cases, the Supreme Court established a strong presumption against the extraterritorial application of federal statutes, unless Congress expressed a clear intent for the law to apply outside the U.S.

The Government instead argued that Microsoft’s compliance with the warrant did not involve an extraterritorial application of the SCA. The Government advocated that the key question was whether the conduct relevant to the SCA occurred in the United States. As the Government noted in its opening brief, “Section 2703 focuses on a provider’s disclosure of electronic communications to the government, and that disclosure occurs in the United States.” Accordingly, the Government reasoned, Microsoft’s compliance with the warrant was a domestic —not an extraterritorial—act, and Morrison should not preclude Microsoft’s compliance. The Government also argued that the Court should focus on whether Microsoft had “control” over this overseas data, and cited precedents in which the Government successfully enforced subpoenas to domestic entities for production of overseas records. In addition, the Government noted the “parade of horribles” that could ensure if domestic ISPs could choose to store certain customer’s data overseas, and thereby potentially insulate those customers’ data from disclosure.

Microsoft, by contrast, argued that this clearly was the Government’s attempt to apply a domestic statute extraterritorially since the Government was seeking to execute search warrants overseas, that the presumption articulated in Morrison had not been rebutted, and that the Government’s reasoning would interfere with user privacy and potentially lead to conflicts between domestic and international privacy laws. On the user privacy point, the Government responded that any ostensible incursion on a user’s privacy would occur not when Microsoft collects materials already in its possession, but rather when it turns over those materials to law enforcement personnel in the United States.

Oral argument was held on February 27, 2018.

Both sides opened with the core arguments referenced above—the Government explained that this case did not trigger Morrison’s presumption since there was no extraterritorial application of the SCA, and Microsoft countered that the whole purpose of the SCA was ensuring that the “electronic communications in electronic storage are protected.” (Tr. 56:14–18.) Microsoft also argued that Ireland’s sovereignty would be affected if the United States were permitted to “reach into a foreign land to search for, copy, and import private customer correspondence physically stored in a digital lockbox…where it's protected by foreign law.” (Tr. 32: 20–25.)

As is often the case, the Justices did not provide clear signals on how the Court would resolve the case. A number of the Justices asked questions about the processes and procedures that were used to collect information from an overseas data center, wondering for example if people in the United States pulled the data. Chief Justice Roberts asked Microsoft if it was—in effect—advocating for a rule that could create a market for services that would deliberately store data outside of the U.S., and potentially insulate such data from disclosure in legitimate investigations. Microsoft responded that it maintains data close to customers, which helped to reduce latency times. Microsoft also pointed to the panoply of tools that cyber-criminals have at their disposal to evade law enforcement detection (such as sophisticated forms of encryption). There was also discussion on whether the Court’s ruling could create international conflicts with other countries’ laws and, as a result, lead to possible foreign-relations issues. Justice Breyer proposed a possible “practical solution” suggesting that federal judges could issue warrants for foreign-held data so long as they take account of comity concerns—i.e. whether another state has a legitimate interest in the data’s disclosure. Finally, the Justices also asked whether the case should be decided at all, given that Congress is currently considering legislation to address this issue. The Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018 was proposed to address the collection and overseas storage of data.

The Supreme Court’s decision potentially could have significant and wide-ranging implications, especially in today’s age of digital and cloud storage. The SCA was drafted and passed to account in part for the unique nature of electronically stored data, but advances in technology—and this case in particular—highlight the need to account for gaps in the text of the statute. The Court’s ruling could impact where corporations store their data in the future, and could hamper the Government’s ability to collect potentially important evidence that is located overseas. While the Government can continue to rely on Mutual Legal Assistance Treaties to obtain foreign-held data, that process is far more time-consuming that obtaining judicially-authorized search warrants. In time-sensitive investigations, the Government’s investigative efforts could be seriously hampered in the event a target’s overseas, email data could not be collected via a search warrant.

The decision also has the potential to implicate privacy laws of other jurisdictions. In addition, it has been reported that this case has been an impetus for Congress to consider legislation to address the collection and overseas storage of data. The proposed Cloud Act would specify that an order under the SCA (including judicially-authorized search warrants) applies to all data that is in the possession or control of the ISP, regardless of where the data is stored. The act would also allow providers to apply for a motion to quash or modify legal process if the provider believes the subscriber is not a U.S. person, and that the required disclosure would create a material risk of a violation of the laws of a qualifying foreign government. The bill has been introduced in the Senate but has not been voted on.

The Court’s decision is expected to be issued before the current term ends in June.

United States v. Microsoft 

Brief for Respondent, United States v. Microsoft 

Brief of Petitioner, United States v. Microsoft 

Petitioner’s Reply Brief, United States v. Microsoft