The U.S. Supreme Court on Oct. 16, 2017, announced it had granted the government’s petition for certiorari in United States v. Microsoft and will hear a case this Term that could have lasting implications for how technology companies interact with the U.S government and governments overseas. At issue is a consequential Second Circuit decision from last year that held that warrants issued under the Stored Communications Act (SCA) do not reach emails and other user data stored overseas by a U.S. provider.
While no federal appellate court besides the Second Circuit has squarely addressed the issue, multiple district courts outside the Second Circuit have declined to follow the Second Circuit’s reasoning in similar fact patterns involving other technology giants. The result is that U.S. law enforcement has different authority to access foreign-stored user data depending on where in the United States a warrant application is made. Google, for example, has expended significant resources to develop new tools to determine the geographic location of its users’ data so as to be in accord with the Second Circuit’s approach. Yet the company currently faces a hearing on sanctions for its alleged willful noncompliance with law enforcement requests in the Ninth Circuit based on a district court ruling that parted ways with the Second Circuit.
DOJ has gone to great lengths to challenge the Microsoft ruling since its issuance, including pushing for en banc review and seeking to distinguish it in other federal courts. In its petition for certiorari, DOJ contended that the Second Circuit’s decision puts at risk DOJ’s ability to access information that could be critical to uncovering and prosecuting serious crimes. DOJ further contended that the Second Circuit’s analysis rests on a misreading of the statute because the information sought in the warrant—far from requiring extraterritorial application of the statute—could be accessed by Microsoft’s U.S. employees with the click of a mouse. There is also a concern that the Second Circuit ruling will create incentives for “data localization” regimes in which countries insist that data pertaining to their nationals must be stored locally.
To Microsoft and other technology companies, on the other hand, the Second Circuit ruling represented the best reading of the SCA—a 1986 law that did not contemplate the current technology landscape—and afforded a measure of protection against the risk they would find themselves subject to conflicting directives under U.S. law and the law of the country where the data is stored. Microsoft’s victory below was embraced by privacy advocates. Microsoft also opposed certiorari on the grounds that to the extent revisions to the SCA were necessary to enable it to apply extraterritorially, the issue was better left to Congress than the courts.
Whatever the Supreme Court decides, the case bears close watching as the Second Circuit ruling continues to have serious implications not just for the government but for the U.S. companies that store data and interact with regulators overseas. The case will likely be argued in early 2018 and decided by the end of June.