The recent appellate court decision in Microsoft Corp. v. United States, No. 14‐2985, slip op. (2d Cir. July 14, 2016) (Microsoft Ireland), represents an important setback for the U.S. government’s aggressive extraterritorial application of traditional law enforcement techniques to collect electronic communications and data. However, it is just an initial skirmish in what will be a lengthy battle between privacy rights and principals of international comity, on the one hand, and the legitimate needs of law enforcement in an age of rapid globalization of digital communications, on the other. Indeed, in the wake of the decision – which may ultimately wind up before the U.S. Supreme Court – the U.S. government pushed forward with new and potentially far-reaching proposals for seizing the electronic communications of foreign nationals and for sharing data stored in the U.S. with law enforcement agencies of foreign governments. Corporations and individuals with a global footprint need to keep apprised of these developments in order to make effective decisions about where and how to store their data.
In Microsoft Ireland, the Second Circuit Court of Appeals ruled that a Department of Justice (DOJ) search warrant for electronic communications stored by Microsoft on servers in Ireland was an unlawful attempt to seize data beyond U.S. borders. The court held that the 1986 Stored Communications Act (SCA), which permits U.S. law enforcement to issue search warrants targeting electronic communications, does not apply extraterritorially to data stored abroad. Because the Microsoft warrant sought data stored in Ireland, the court found that the warrant would have to be executed there – an unlawful extraterritorial application of the SCA. The court reached this conclusion despite Microsoft’s technical ability to recall the data in Ireland back to the U.S. using database commands.
The decision culminated from events that began in December 2013, when a magistrate judge in New York issued a warrant under the SCA directing Microsoft to disclose all emails and other private information associated with a certain email account in Microsoft’s possession, custody or control. Microsoft determined that the target account and content were stored in Ireland and filed a motion to quash the warrant, arguing the information was beyond the U.S. government’s reach. The magistrate judge denied the motion and the District Court affirmed, but a unanimous three-judge panel at the Second Circuit reversed and held that the SCA does not authorize courts to “issue and enforce against U.S.-based service providers warrants for the seizure of customer email content that is stored exclusively on foreign servers.”
The ruling is a victory for U.S. technology companies that store data abroad; they now have some comfort, at least under Second Circuit jurisprudence, that such data are not reachable by U.S. law enforcement. The decision is also being perceived as an important reinforcement of the individual privacy rights that protect users under their own country’s laws.
The DOJ may still use mutual legal assistance treaties (MLATs) to obtain electronic evidence stored abroad, but MLATs tend to be slow and may prove unworkable if the target evidence relates to an immediate and quickly evolving criminal or national security threat. Given the significance of Microsoft Ireland for privacy, constitutional rights and national security, an appeal to the U.S. Supreme Court is well within in the realm of possibility.
On the heels of Microsoft Ireland, the DOJ submitted to Congress proposed legislation that would allow the U.S. to enter into reciprocal agreements with other countries to facilitate the DOJ’s ability to obtain electronic data stored abroad. In addition, the legislation seeks to remove legal barriers preventing foreign governments from directly accessing electronic communications stored in the U.S. by U.S. communications providers. Among other things, the legislation seeks to amend provisions of the Omnibus Crime Control and Safe Streets Act, the Stored Communications Act, and the Pen/Trap Statute to allow service providers to intercept, access and disclose communications content and metadata in response to an order from a foreign government if that order is pursuant to an executive agreement that the Attorney General determines meets several statutory requirements.
The Obama administration is already moving to negotiate deals with individual countries to obtain electronically stored data directly from offshore service providers and servers. On July 15, 2016, just a day after the Microsoft Ireland decision, senior DOJ official Brad Wiegmann announced at a public forum in Washington, D.C., that the Obama administration is working on a series of reciprocal agreements with foreign governments that would allow those governments to serve U.S. technology companies with foreign warrants for email searches and wiretaps. According to Wiegmann, foreign investigators would be able to serve a warrant directly on a U.S. firm to see a suspect’s stored emails or intercept their messages in real time, as long as the surveillance didn’t involve U.S. citizens or residents. Such deals would also give U.S. investigators reciprocal authority to search data in those countries.
The first such deal under consideration is a bilateral agreement between the U.S. and the U.K. that would permit U.S. companies to provide electronic data in response to U.K. orders targeting non-U.S. persons located outside the United States, while affording the United States reciprocal rights regarding electronic data of companies storing data in the United Kingdom. If Congress enacts the proposed legislation enabling the agreement with the U.K., U.K. law enforcement would be able to serve a search warrant on a U.S. company to see a suspect’s emails or intercept them in real time, as long as the surveillance did not involve U.S. citizens or residents. The U.S. would be able to do the same for data of U.S. citizens located in the U.K., although it remains to be seen how Microsoft Ireland may impede that effort.
As the complex policy issues surrounding the Microsoft Ireland decision continue to play out in the courts, Congress and the international arena, companies and individuals should monitor developments, seek guidance from outside counsel, and consider how best to advocate for the protection of their interests and the interests of the public.