In a 90-minute hearing earlier today, Microsoft Corp. asked the Second Circuit Court of Appeals to reverse a district court decision forcing the technology giant to turn over customer email traffic residing on a server in Ireland.
American companies with data centers located outside the U.S., as well as privacy advocates and media organizations are closely watching this case. During the argument, the Court acknowledged that the “implications of its ruling would be broad.”
The three-judge panel included Gerald E. Lynch, a former Columbia Law School professor and U.S. District Judge; Susan L. Carney, former Deputy General Counsel of Yale University; and Victor A. Bolden, a U.S. District Judge from Connecticut who was sitting on the Second Circuit by designation.
Judge Lynch was the author of a 97-page decision handed down by the Second Circuit in May 2015 which ruled the once-secret National Security Agency (“N.S.A.”) program that collected bulk phone records of U.S. citizens was illegal under a provision of the U.S.A. Patriot Act. The ruling was the first time a Federal appellate court had reviewed the N.S.A. phone records program. Prior to Judge Lynch’s ruling, the data collection was approved by judges serving on the Foreign Intelligence Surveillance Court, or FISA, a secret court that oversees U.S. national security matters.
At issue in the Microsoft case is whether a U.S. search warrant can reach data stored on a server in Europe. Microsoft has fought the case for the past two years, starting in December 2013 when, in connection with a drug-trafficking investigation, U.S. law enforcement officials served a warrant on Microsoft Corp. at its headquarters in Redmond, Wash. The warrant sought email traffic including email content associated with an unnamed user’s msn.com account. It’s not known whether the account belonged to a U.S. or European citizen.
The warrant was issued under the Stored Communications Act or “SCA,” a 1986 law that authorizes the government to seek electronic communications. Microsoft refused to produce the email and moved to quash the warrant. Both the Magistrate Judge and District Court denied Microsoft’s motion.
Microsoft’s argument before the Second Circuit was straightforward: the SCA warrant requires an extra-territorial search because the information sought resides on a data server outside U.S. borders. Because there is a presumption against extra-territoriality in U.S. law coupled with the fact that the SCA does not provide for extra-territorial reach, a warrant issued under that statute cannot reach data stored outside the U.S. Microsoft also argued that the proper method of seeking such material was through a mutual legal assistance treaty or MLAT, which is an agreement between the U.S. and a foreign government to facilitate cooperation between law enforcement authorities for search warrants and court orders. In fact, there is an MLAT in place between the U.S. and Ireland. In an amicus filing, the Government of Ireland noted that it “would be pleased to consider, as expeditiously as possible, a request under the treaty, should one be made.”
The government disputed that the SCA warrant implicates the presumption against extraterritoriality, arguing that Microsoft is a U.S. corporation, had access in the U.S. through a computer program to the emails on the server in Ireland, and was required to comply with the warrant because Microsoft controlled the email. Under the government’s theory, the physical location of the email storage isn’t relevant because Microsoft was able to access it from its facilities in Washington state.
During the argument, Judge Lynch made clear that the distinction between extraterritorial and non-extraterritorial wasn’t as simple as either party suggested. He noted that the warrant was served domestically but the emails sought were located in Ireland.
Judge Lynch also pressed Microsoft’s counsel on whether production of the email would violate either Irish or EU data privacy protections. Although counsel for Microsoft would not concede that producing the email violated EU law, he pointed to excerpts from two amicus briefs that suggested U.S. and EU privacy protections were vastly different and that the email could only be produced through the MLAT process or by order of the Irish courts.
It’s likely that the Second Circuit’s ruling will not be the last word on this case. Indeed, Judge Lynch queried counsel whether Congress was prepared to act to address some of the lingering questions that arise when statutes don’t address the issue at hand or have been overtaken by technological advances.