Chief Judge Loretta A. Preska of the U.S. District Court for the Southern District of New York affirmed Magistrate Judge James C. Francis IV’s opinion and ordered that the U.S. Department of Justice (DOJ) could compel Microsoft Corporation (Microsoft) to disclose internationally stored customer emails.
The dispute arose in connection with DOJ’s efforts to execute a warrant to seize emails that Microsoft stores in Dublin, Ireland. U.S. investigators were seeking the information from Microsoft as part of a narcotics investigation. Last year, Magistrate Judge Francis authorized a warrant to Microsoft pursuant to the Stored Communications Act (the SCA)—passed as part of the Electronic Communications Privacy Act of 1986 (the ECPA), 18 U.S.C. §§ 2701-2712—which obligates an Internet Service Provider (ISP), like Microsoft, to disclose customer information or records to the government.
Microsoft argued that the SCA provisions do not apply outside of the United States. The company claimed that Congress did not consider such rapidly changing technology—e.g., cloud computing and international server storage—when it passed the SCA and, therefore, did not intend for a warrant to reach beyond the U.S. borders. The search warrant, according to Microsoft, amounted to the extension of U.S. law enforcement authority to another country, which would invade and offend the laws of sovereign countries—Ireland, in this instance. Microsoft warned that judicial approval of this type of seizure could be met with potential backlash from the international community. Finally, Microsoft argued that the records DOJ sought were personal, third-party emails where the international customer had a reasonable expectation of privacy and not Microsoft’s business records. The thrust of this argument centered on the idea that the international customer had certain legal entitlements in the foreign sovereignty as opposed to Microsoft’s business records that were subject to U.S. laws.
DOJ’s position was that the SCA warrant is a hybrid tool—part search warrant and part subpoena. The government obtains it like a warrant, with an independent magistrate judge finding probable cause that the data to be seized would turn up evidence of a crime. The government, however, executes it like a subpoena in that it is served on the company and does not involve federal agents searching the company’s servers at its physical location. Thus, DOJ insisted that the key issue was not where Microsoft stored the information, but rather the fact that Microsoft maintained control over the data. The prosecutor argued that Microsoft’s privacy arguments were unfounded because the privacy considerations of the Fourth Amendment were satisfied when the Magistrate Judge Francis found probable cause and authorized the search warrant.
The Court, drawing heavily on the Bank of Nova Scotia doctrine (which obligates banks to disclose information to the government, including data stored extraterritorially), opined that Congress considered such a seizure of international data from a domestic corporation when it passed the SCA and the ECPA. Additionally, the Court explained that the central question was who controlled the data, not where it was physically stored. After considering arguments from both parties and Amici—including Apple, Verizon, and AT&T—the Court ordered that the DOJ can compel Microsoft to turn over emails it stores internationally. Importantly, though, the Court did not consider Microsoft’s argument that the warrant applies only to Microsoft business records rather than internationally-stored, third-party emails because Microsoft had not previously raised the issue before Magistrate Judge Francis and had, therefore, waived the argument.
This case is believed to be the first time that a domestic company has challenged a domestic search warrant for data stored overseas. The Court, however, has stayed the effect of its ruling to give Microsoft time to appeal.