In a long-awaited ruling in a case in which the government had served a warrant on Microsoft MSFT +0.02% demanding the production of customer emails, the Second Circuit held in July that Microsoft had no obligation to produce customer emails because they were stored on a server located in Ireland. Some privacy groups cheered the decision, while others cautioned that the opinion’s focus on the location where data is stored could have negative consequences for privacy rights and the internet generally, as it could make user data more easily obtainable when the relevant servers are located in countries that may impose less stringent safeguards than exist in the U.S. Aside from privacy concerns, others warned the opinion could make it harder for law enforcement to investigate criminal activity. For example, Law Professor Orin Kerr wrote in a tweet: “Want to stymie U.S. law enforcement? Store your data in the cloud fragmented over many locations outside U.S.” And, in a concurring opinion, Judge Lynch urged Congress to take action to modernize the law, a call echoed by commentary following the decision.
Whatever the implications for data stored overseas, the Microsoft decision also has seemingly unintended consequences for data stored domestically that warrants close attention. In particular, although the decision focuses on the extraterritorial reach of the statute under which the government obtained the warrant at issue—the Stored Communications Act (the “SCA ”)—the decision’s reasoning also provides a foundation that service providers could use to challenge even those SCA warrants that seek data stored here in the U.S.
Under Rule 41 of the Federal Rules of Criminal Procedure, the government generally has to obtain a search warrant from a magistrate judge in the district in which the property the government seeks to search is located. When the government wants to search an apartment in Manhattan, for example, under Rule 41, it usually has to seek a warrant from a magistrate judge in the Southern SO -0.54% District of New York. The government does not, however, typically follow this rule when it seeks a warrant to compel service providers to produce electronic communications such as email. Rather, U.S. Attorney’s Offices around the country routinely seek warrants in their home districts compelling production of such data, and serve them by email or fax on service providers’ main offices, regardless of where either those offices or the stored data are located.
This practice has important practical consequences for both the government and service providers. At least before the Microsoft decision, when the government sought to compel Google GOOGL -0.14%, for example, to produce the contents of an email account, the government typically did not need to figure out where Google stored the data at issue and then seek a warrant in the districts encompassing the relevant servers (assuming the data is stored domestically in the first place), as Rule 41 would require. Rather, the Assistant U.S. Attorneys simply needed to obtain a warrant from a magistrate judge in their home court, which they could then email to Google at a central email address (as described on Google’s own website).
The legal basis for this practice lies in Section 2703(c)(1)(A) of the SCA, which provides that the government may require a service provider to disclose records by obtaining “a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court of competent jurisdiction.” The SCA in turn defines the term “court of competent jurisdiction,” in Section 2711(3), as a court either with jurisdiction over the offense being investigated or over the service provider being served with a warrant. The government explained in its Microsoft brief that “[t]his grant of jurisdiction is broader than the one in Rule 41, as it authorizes courts with ‘jurisdiction over the offense being investigated,’ as well as those with jurisdiction over the physical location of the records and service providers, to issue SCA warrants.”
The government’s interpretation of Section 2711(3), however, may not survive the Second Circuit’s Microsoft decision. In describing the contours of the SCA, the Second Circuit highlights the language in Section 2703(c)(1)(A) that calls for warrants issued under the SCA to be “issued using the procedures described in the Federal Rules of Criminal Procedure,” and notes that this language incorporates “Rule 41 of the Federal Rules of Criminal Procedure.” Further, the Second Circuit suggests that even Rule 41’s limitations on the “territorial reach” of courts issuing warrants are incorporated into the SCA. See 2016 WL 3770056, at *8.
This portion of the Microsoft decision suggests that, regardless of how Section 2711(3) defines “court of competent jurisdiction,” that definition does nothing more than identify which courts are allowed to issue warrants under the SCA, a category that is further limited by Rule 41. The decision thus undercuts the government’s position that Section 2711(3) supplants Rule 41’s territorial limitations and provides a broader grant of jurisdiction. The government could respond that Section 2711(3) itself lists certain jurisdictional limits in subsections (i), (ii), and (iii), and argue that this suggests that the Section was, in fact, meant to supplant Rule 41’s territorial limitations. But there is reason to doubt whether such an argument would succeed, because, as Professor Kerr has explained, those limits in Section 2711(3) reflect nothing more than an “inartful” effort by Congress in 2009 “to answer in what jurisdictions U.S. courts can issue warrants . . . to help foreign governments.”
Further the Microsoft case’s ultimate holding—with its sharp focus on the location where data was stored—supports a reading that gives effect to Rule 41’s limits. The ultimate question for the Second Circuit was whether the execution of the warrant at issue—which would have required Microsoft to produce data stored on a server in Ireland—would constitute an unlawful extraterritorial application of the SCA. This question depended, in turn, on whether the invasion of privacy at issue was here in the U.S., where the data would be disclosed, or in Ireland, where the data was stored. The Second Circuit held it was the latter, writing that “it is our view that the invasion of the customer’s privacy takes place under the SCA where the customer’s protected content is accessed – here, where it is seized by Microsoft, acting as an agent of the government.” 2016 WL 3770056, at *17. If the Second Circuit had taken seriously the government’s reading of Section 2711(3) as a jurisdictional grant (based on a court’s jurisdiction over the offense being investigated), then it is not at all clear why the location where the data is stored would have mattered to the analysis.
The lack of clarity in the Second Circuit’s opinion could make the opinion vulnerable to reversal en banc or on a further appeal to the Supreme Court, but for the time being, the Second Circuit’s conclusion that the invasion of privacy takes place where data is stored, combined with the opinion’s suggestion that the territorial limits expressed in Rule 41 are incorporated into the SCA, provides ammunition for service providers to challenge even those warrants that seek data stored here in the U.S. When the government seeks a warrant in the usual manner—by applying to a home-court magistrate and then faxing or emailing the warrant to the service provider—the service provider may be able to argue that the government has not complied with Rule 41’s general requirement that warrants be sought in districts where property is located. In many cases, moreover, it may not be clear where a service provider stores data. Indeed, further complicating matters, the data may be stored across multiple districts, thereby making it impractical for the government to pursue a warrant in the first place.
On the whole, practitioners should be mindful of these issues, assess whether they arise in a given case, and follow any changes Congress makes to the SCA and developments in the case law.
From The Insider Blog: White Collar Defense & Securities Enforcement.