In a highly anticipated decision, the Second Circuit ruled on July 14, 2016, that the United States cannot compel Microsoft Corp. ("Microsoft") to disclose certain customer emails stored in Ireland because Congress did not intend the warrant provisions of the Stored Communications Act ("SCA"), 18 U.S.C. §§ 2701-2712, to apply extraterritorially. In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, No. 14-2985 (2d Cir. July 14, 2016). The court's decision will come as a relief to cloud service providers and other multinational companies that provide data storage and communications services overseas and may at least partially alleviate concerns about the extent of the U.S. government's territorial reach.
The Stored Communications Act
The SCA was enacted as part of the Electronic Communications Privacy Act ("ECPA") in 1986, well before the development of the modern-day internet and web-based email services. Among other things, the SCA restricts the disclosure of stored communications—e.g., email, texts, instant messages—and certain information associated with them. But the law also establishes conditions pursuant to which the government may require a service provider to disclose such information. For example, the SCA requires that the government use at least a subpoena to compel service providers to disclose certain customer information associated with an electronic communications account. With respect to the content of electronic communications stored by service providers for less than 180 days, the government must obtain a warrant from a competent court that is supported by probable cause. Unlike traditional warrants, however, an SCA warrant can be served on an electronic communications provider and does not require that the government conduct a physical search at the site at which the data at issue is stored. As a result, an SCA warrant has been described as a "hybrid" between traditional warrants and subpoenas, which are executed by a recipient rather than a government law enforcement agent. As the Second Circuit noted, "the subpoena-warrant distinction is significant here because, unlike warrants, subpoenas may require the production of communications stored overseas" (emphasis added).
The U.S. Government's Dispute with Microsoft
Microsoft provides a free email service that allows customers to send and receive messages via a web-based user interface using email accounts hosted by the company. Microsoft hosts the service and stores the contents of such email on servers housed in data centers located around the world. In general, Microsoft stores its customers' email information and content at data centers located near the physical location that the user identifies as his or her place of residence when subscribing to the service.
On December 4, 2013, a magistrate judge in the Southern District of New York issued a "Search and Seizure Warrant" directed at a particular email account hosted by Microsoft. Microsoft did not produce the content of the email account—the actual text of emails themselves—because that content was stored in Microsoft's data center located in Dublin, Ireland, and, in its view, beyond the territorial reach of an SCA search warrant. The company did, however, disclose all other responsive information that was stored in the United States. Microsoft moved to quash that portion of the subpoena that sought to compel the production of certain email content, and the district court denied the motion.
On appeal, the Second Circuit resolved, at least in that circuit, what some believed to be an open question—that is, whether an SCA warrant should be treated more like a traditional subpoena that can be used by the government to require the production of certain data stored overseas, or more like a Rule 41 search warrant that has no extraterritorial effect. The court found that Congress did not intend the SCA's warrant provisions to apply extraterritorially and held that the physical location of the storage of such data—in particular, the physical location where such data would be seized—is the decisive factor in determining whether the government can compel its disclosure. In doing so, the court rejected an emphasis on other considerations such as the location where data can be transferred or reviewed, the location of the party that has control over such data, and the location of the customer, among other things. If such data is stored in the United States, the government can compel its disclosure using an SCA search warrant; if the data is stored elsewhere, the government cannot.
Impact of the Second Circuit's Decision
The Second Circuit's decision may lessen privacy-related concerns—especially those related to the territorial reach of the U.S. government—by overseas service providers with a presence in the United States. In particular, U.S. companies with a multinational presence often face competing demands between U.S. law enforcement requests for user data and the legal protections afforded such data by the country in which it physically resides. The ruling thus provides more clarity to electronic communications service providers in determining how to respond to SCA warrants, while also providing assurance to international customers that privacy rights will be respected and laws adhered to—most notably, through greater use by the United States of the Mutual Legal Assistance Treaty process to obtain certain data (e.g., stored customer communications). Moreover, because the decision effectively limits the U.S. government's jurisdictional reach, the ruling may cause certain providers to maintain such data elsewhere and may also reinforce the growing trend of data localization requirements around the world.
Practitioners should monitor any legislative proposals in the wake of this decision, which largely turned on the court's conclusion that Congress did not intend the SCA's warrant provisions to apply extraterritorially. The pending International Communications Privacy Act, for example, would permit U.S. law enforcement to use a search warrant to obtain the electronic communications of U.S. citizens or residents no matter where the person or communications are located. The law would also allow U.S. law enforcement to use warrants to access the electronic communications of foreign nationals in certain limited circumstances (e.g., no law enforcement cooperation agreement is in place with the foreign government).
Practitioners should also monitor ongoing developments regarding the extraterritorial reach of SCA subpoenas. The Second Circuit's decision left open the question of whether an SCA subpoena, served on a U.S. service provider, could require the service provider to turn over users' communications in its custody or control regardless of the location where the information is stored.