Almost a year ago, the Second Circuit held that Microsoft had no obligation to produce to the government—in response to a court-issued warrant—customer emails that were stored on a server located in Ireland. In so ruling, the Second Circuit found that the Stored Communications Act (“SCA”), under which the warrant was issued, cannot be applied extraterritorially, and thus can only be relied on to authorize warrants to seize data stored in the United States. The opinion remains binding law in the Second Circuit, and has been the basis on which other service providers (including Google and Yahoo!) have refused to provide data to federal prosecutors not only in the Second Circuit, but throughout the United States as well.
Since the start of this year, however, a number of signs have emerged indicating that the Microsoft decision may well be in peril. Although it is not unheard of to see different courts reach different results around the country on novel legal issues, a number of factors suggest that the Microsoft decision in particular may be unlikely to survive. Parties on both sides of this issue should pay close attention to these factors as they are deciding on their next steps, and nonparties should likewise take note because of the far-reaching implications of these issues for both data privacy and criminal investigations.
To start, in January 2017, the Second Circuit denied the government’s request for rehearing en banc in Microsoft, but the decision was far from resounding. To the contrary, the Second Circuit divided 4-4, with the four judges who dissented from the denial each writing a separate opinion (joined by the other dissenters) explaining not only why en banc review would be appropriate, but also why the panel opinion got the case wrong. In particular, the dissenters all disagreed with the panel on a key issue relating to whether the relevant invasion of privacy that the seizure of emails brought about happened in the U.S. or abroad. The panel opinion had concluded that “the invasion of the customer’s privacy takes place under the SCA where the customer’s protected content is accessed—here where it is seized by Microsoft, acting as an agent of the government” at a “datacenter” in Dublin, Ireland. But the dissenters from the denial of en banc rehearing disagreed, explaining that the invasion of the customer’s privacy would actually have taken place in the United States, because that was where Microsoft would actually have accessed the emails and disclosed them to the government (regardless of the fact that the emails were stored on a server in Ireland). As Judge Dennis Jacobs wrote in one of the dissents, to access the data, Microsoft “need only touch some keys in Redmond, Washington.” This insight—that both the invasion of privacy and the execution of the warrant really take place in the United States, where the data is accessed and turned over to the government, as opposed to overseas, where the data is stored—has been key to subsequent decisions around the country.
In early February, a little more than a week after the Second Circuit’s less-than-overwhelming denial of en banc rehearing, a federal magistrate judge in the Eastern District of Pennsylvania took a polar opposite approach from that of the Second Circuit, and granted the government’s motions to compel Google to comply with search warrants seeking electronic data. After being served with the warrants, Google had initially produced to the government data that it had confirmed was stored on U.S.-based servers, but had declined to produce data stored overseas, relying on Microsoft. Echoing the en banc dissenters from the Second Circuit, the magistrate rejected Google’s position, holding that “[e]ven though the retrieval of the electronic data by Google from its multiple data centers abroad has the potential for an invasion of privacy, the actual infringement of privacy occurs at the time of disclosure in the United States.”
In late February, a federal magistrate judge in the Eastern District of Wisconsin reached the same conclusion as the court in the Eastern District of Pennsylvania. Specifically, in a case involving both Google and Yahoo!, the magistrate in Wisconsin ordered those service providers to comply with search warrants seeking electronic data. The court stated expressly that it found “persuasive the analysis of the four judges dissenting from the denial of en banc rehearing in Microsoft.” “It is immaterial where the service provider chooses to store its customer’s data,” the court explained. “[W]hat matters is the location of the service provider” in the U.S. because that is where the data is accessed and turned over to the government. In early April, a magistrate judge in the Middle District of Florida reached the same conclusion.
Perhaps most importantly, just two weeks ago, on April 19, 2017, a magistrate judge in San Francisco—Silicon Valley’s home court—ordered Google to comply with a search warrant, again writing that “[t]he court follows as persuasive the reasoning of the dissenters from the denial of rehearing en banc and concludes that the disclosure of information from Google’s headquarters in the United States is a domestic application of the SCA.”
In short, over the past four months, the Second Circuit’s Microsoft opinion has been emphatically rejected by magistrate judges in Pennsylvania, Florida, Wisconsin, and California, two of whom have adopted as persuasive the opinions of the dissenters from Second Circuit’s denial of en banc rehearing. Although, as noted, it is not uncommon for courts to reach different conclusions on novel legal issues, the speed and uniformity of the decisions on this particular issue are notable, and can be traced to three factors.
First, the closely divided 4-4 decision from the Second Circuit denying en banc review, with its strong dissenting opinions, provided the magistrate judges who issued the subsequent decisions with the necessary analytic framework for their opinions. Had the Second Circuit simply denied en banc review without comment, it is far from certain that the subsequent litigation would have played out as definitively and promptly as it has.
Why You Should Open A Roth IRA Today
Second, the cases since Microsoft have involved fact patterns that are less favorable for the service providers. In Microsoft, because the data at issue was stored in Ireland, the Second Circuit’s rejection of the warrant at issue meant only that the government would have to go through a treaty process with Ireland to obtain the data. By contrast, the cases described above all involve Google—which, according to the various opinions, stores data around the world in packets or component parts to enhance network efficiency. This data is not stored (for long, anyway) in any single identifiable location. As a result, as the magistrate judge in Pennsylvania observed, when “no one knows which country to ask” for data, “Google user data” that is stored in abroad—“even data that the government knows about, and writes about within a search warrant affidavit—is never accessible through compulsory legal process. Never.” In Microsoft, the government was left with at least an option (if an unappealing one) to continue its investigation through a treaty request; in the Google cases, by contrast, to allow Google to avoid the warrant would be to prevent the government from ever getting the data in question, by any means. (Perhaps anticipating this concern, Law Professor Orin Kerr wrote in a tweet, shortly after the Microsoft decision, “Want to stymie U.S. law enforcement? Store your data in the cloud fragmented over many locations outside U.S.”)
A third unique facet of the recent cases is that the judges issuing them—United States magistrate judges—as a general matter maintain a particular expertise in search and seizure law. On a daily basis, Assistant U.S. Attorneys present search warrant applications to magistrate judges, who must determine whether to authorize the warrants or not depending on the strength of the government’s showing of probable cause and, among other things, the warrant’s compliance with the other requirements of federal law. The Microsoft panel’s decision, however, effectively imposed an “absolute” bar so that the “government can never obtain a warrant that would require Microsoft,” or any service provider, to turn over data stored abroad. This absolute bar can be seen as stripping magistrate judges of the role that they play in enforcing the Fourth Amendment, so it is not surprising that service providers have found magistrate judges around the country unsympathetic to their arguments.
The combination of these circumstances—the strong dissents issued as part of the denial of en banc review, less favorable fact patterns that in the Microsoft case, and what could be perceived as an affront to the authority of the very judges making the search warrant determinations—have combined to result in an unusually swift rejection of the Second Circuit’s Microsoft opinion around the country.
The litigation in this area continues to unfold, and criminal law practitioners, privacy advocates, service providers, and others involved in cyber law issues should closely monitor the rapid-fire developments that continue to emerge. The Second Circuit’s panel decision, commentators, and Google itself have all called for a congressional fix. But the straightforward nature of the legal question that has crystallized over the past few months—does the relevant invasion of privacy happen where the data is accessed (in the U.S.) or where the data is stored (abroad)—may well be more readily resolved by the courts, including ultimately the Supreme Court.
From The Insider Blog: White Collar Defense & Securities Enforcement.