This article by partners Heather Sussman and Rohan Massey, counsel Kevin Angle and associates Michele Goldman and Patrick Reinikainen was published by Law360 on January 10, 2018.

Microsoft Corp.’s heated dispute with the U.S. Department of Justice over data stored on its servers abroad has more parties weighing in, this time offering international perspectives. On Dec. 13, 2017, the governments of Ireland and the United Kingdom, the New Zealand privacy commissioner, the United Nations special rapporteur on the right to privacy, and the European Commission filed amicus briefs before the U.S. Supreme Court. The briefs underscore the important implications of the U.S. Supreme Court’s decision for global data transfers and international users’ privacy.

Background: Microsoft’s Challenge to the Extraterritorial Application of the Government’s Warrant

In Microsoft, a U.S. federal court issued a Stored Communications Act warrant requiring Microsoft to produce information stored on Microsoft’s servers domestically and in Ireland. Microsoft moved to quash the warrant as to all material stored in Ireland on the ground that Section 2703 of the SCA lacks extraterritorial reach. After a federal judge denied Microsoft’s motion and held Microsoft in civil contempt for noncompliance, the Second Circuit agreed with Microsoft that the government’s attempt to apply the statute extraterritorially was impermissible. The U.S. Supreme Court granted the DOJ’s petition for writ of certiorari on Oct. 16, 2017. Oral arguments are scheduled for Feb. 27, 2018.

In its opposition brief, Microsoft contended that extending the SCA to data stored abroad could compel U.S. companies to “violate foreign privacy laws” and generate “international discord,” particularly when Article 48 of the General Data Protection Regulation is implemented. Microsoft reasoned that, under Article 48, court orders requiring data transfers may only be recognized if they are based on international agreements such as mutual legal assistance treaties, which facilitate cross-border evidence sharing. The DOJ argued that the GDPR does not necessarily prohibit disclosure of foreign-stored information and that, if any conflict of laws were to materialize, the U.S. “judicial system [would be] equipped to handle that scenario.” It also emphasized the superiority of SCA-based warrants to the MLAT process, which it characterized as “slow” and often “futile.”

Amicus Briefs Provide Varying International Perspectives

On Dec. 13, several foreign governments and other international authorities weighed in regarding potential implications of the U.S. Supreme Court’s decision.

Although purporting to take a neutral position, the Irish government urged the U.S. Supreme Court to affirm the judgment of the Second Circuit provided it had not made “any obvious error.” It emphasized the importance of respecting Irish sovereignty and declared that the MLAT process “represent[s] the most appropriate means to address requests” such as those at issue in Microsoft. It acknowledged that, “in certain circumstances, an Irish court [may] order the disclosure by an Irish corporation” of information that is “physically located in another jurisdiction, provided certain matters are demonstrated.” However, it explained that this would generally only occur in the “absence of alternative means.”

In contrast, the U.K. government’s brief was critical of the Second Circuit’s decision. While again claiming to be neutral, the U.K. emphasized that it did not consider a request for data stored overseas “but accessible to that [p]rovider from within the requesting country” to be inconsistent with international comity. It noted that the U.K., through the Investigatory Powers Act, possesses the same authority the DOJ asserts it has under the SCA. The U.K. also expressed its desire to negotiate a new bilateral agreement with the United States that avoids the pitfalls of the MLAT process, which it described as often too slow for responding to “modern criminal investigations.” It emphasized that the Second Circuit’s decision was a “serious impediment to … the viability of this type of agreement” because it would deprive the U.S. of its important domestic authority to obtain data stored abroad through a warrant.

The New Zealand privacy commissioner highlighted the principles of international comity and territoriality. He emphasized the value of “the presumption against extraterritoriality,” which “upholds the right of each jurisdiction to determine the content of its own law” and “ensures clarity as to the responsible jurisdiction.”

For the United Nations special rapporteur on the right to privacy, however, jurisdictional issues in the cyberspace realm are far from clear. He contended that, when data is stored in multiple jurisdictions at once and often moves automatically across jurisdictions, the unique “aspects of cloud data storage ... render inchoate the traditional doctrines of territoriality.” Given this complexity, he urged the U.S. Supreme Court to “exercise judicial restraint” and decide the case in the “narrowest possible manner,” which would facilitate efforts already underway to resolve these thorny jurisdictional questions. Furthermore, considering the “significant international repercussions” at stake, the special rapporteur “agree[d]” with the Second Circuit that “it [is] difficult to dismiss [foreign data protection] interests out of hand on the theory that the foreign sovereign’s interests are unaffected.”

The European Commission took a surprisingly neutral stance. Noting that both parties had made claims at the certiorari stage concerning whether Microsoft’s compliance with a SCA warrant would violate Article 48 of the GDPR, the commission expressed “an interest in ensuring that the Court proceeds based on a correct understanding of EU law.” The commission emphasized that Article 48 makes MLATs the “preferred option” for foreign court-ordered data transfers. Nevertheless, the commission rejected Microsoft’s argument that MLATs are the only appropriate method for data transfers in response to a court order, explaining that Article 48’s requirements are “without prejudice to other grounds for transfer.” The commission noted that a transfer to a foreign country could therefore still proceed outside the MLAT process if, for example, it was “necessary for important reasons of public interest” such as combating “serious crime.”

The International Impact of the U.S. Supreme Court’s Microsoft Decision

The decision of foreign governments and other international authorities to submit briefs in Microsoft demonstrates the global importance of the case on efforts to regulate data privacy and cross-border data flows.

As highlighted in the briefs of the European Commission and U.N. special rapporteur, the U.S. Supreme Court’s holding could create potential conflicts of laws, which would put companies facing law enforcement requests in a difficult position. For instance, the U.S. Supreme Court will likely decide Microsoft by early summer, on the heels of the GDPR’s implementation this May. The European Commission emphasized that the GDPR generally requires foreign governments to make information-access requests pursuant to MLATs — the procedure the United States government sought to avoid in Microsoft. As the commission explained, the GDPR does contain carveouts for particular data transfers, including those “necessary for important reasons of public interest,” but those interests are ill-defined. In light of such uncertainties, companies could face conflicting demands from U.S. and European authorities, with the potential for financial penalties if deemed noncompliant.

The U.S. Supreme Court’s decision will also likely come at a time of increased international scrutiny concerning the reach of U.S. law enforcement and surveillance. The Article 29 Working Party, an advisory body composed of representatives from the data protection authorities of each EU member state, recently referenced Microsoft in a statement warning that “[t]he circumvention of existing MLATs or other applicable legal basis under EU law by a third country’s law enforcement authority” constituted “an interference with the territorial sovereignty of an EU member state.” That same body also expressed “significant concerns” about U.S. privacy protections in its first annual review of the EU-U.S. Privacy Shield, a framework that more than 2,400 organizations have used to transfer personal data from the European Union to the United States. A reversal of the Second Circuit’s decision could heighten such international concerns.

As a practical matter, the U.S. Supreme Court’s Microsoft holding may also spur companies to make significant enterprise-level decisions, such as migrating user information to data centers abroad or storing data within a single jurisdiction. Companies are already spending millions of dollars to relocate data centers overseas, which often entails erecting new data storage centers, employing information technology management, and training staff in compliance with foreign laws, rules and regulations.

Conclusion

There is little doubt that government information requests will continue to be actively litigated at the domestic and international levels. The question now is to what extent, if any, the U.S. Supreme Court will take into account concerns expressed in the amicus briefs regarding international comity, sovereignty and global privacy laws in the context of data stored abroad. Companies and providers should therefore stay apprised of the U.S. Supreme Court’s upcoming decision in Microsoft and subsequent developments both in lower federal courts and on the international stage.