Recent Congressional legislation provided a procedure for U.S. law enforcement to obtain foreign-located communications data from U.S. service providers, ending a long-running dispute concerning the extraterritorial reach of the Stored Communications Act (the SCA).
On April 17, 2018, the U.S. Supreme Court remanded In re Warrant to Search a Certain Email Account Controlled & Maintained by Microsoft Corp. (Microsoft) with instructions to the lower court to dismiss the case on the grounds that the recently enacted Clarifying Lawful Overseas Use of Data Act (the CLOUD Act) mooted the core legal issue in the case. Between oral arguments in February 2018 and the April decision, Congress passed an omnibus federal spending bill that included the text of the CLOUD Act, dramatically changing the legal landscape for the issue in the case.
The CLOUD Act amended parts of the SCA to clarify that warrants issued under that law apply to data that U.S. service providers maintain regardless of where it is stored in the world. The CLOUD Act also provides a judicial mechanism for service providers to challenge an SCA warrant. The CLOUD Act resolved the question at the heart of the Microsoft case in favor of the government’s ability to reach data and records stored extraterritorially. It also simultaneously preempted the much-anticipated Supreme Court legal opinion that was expected to have broader relevance to questions concerning the extraterritorial reach of other U.S. laws.
In December 2013, as part of a criminal narcotics investigation being led by the U.S. Attorney’s Office in the Southern District of New York, law enforcement authorities sought and obtained an SCA warrant authorizing the search and seizure of information including emails “associated with a specified web-based e-mail account” stored by Microsoft.1 After receiving the SCA warrant, Microsoft determined that while some of the responsive information was stored on U.S. servers, customer emails sought by the warrant were stored on company servers located in Dublin, Ireland.2 In response to the warrant, Microsoft produced the U.S.-located data but moved to quash the warrant to the extent it sought the production of information or documents stored abroad.
The magistrate judge hearing the motion pending in the U.S. District Court for the Southern District of New York ruled that Microsoft must comply with the subpoena and produce the foreign-located documents, the district court affirmed, and Microsoft appealed to the U.S. Court of Appeals for the Second Circuit.
The Second Circuit reversed. In analyzing whether the presumption against extraterritorial application is overcome by the Act, the appellate court examined the history of the SCA, as well as its purpose of “protect[ing] a user’s privacy interests.”3 Finding that “Congress did not intend the SCA’s warrant provisions to apply extraterritorially,”4 the appellate court reversed the district court’s decision and quashed the warrant. The government appealed to the U.S. Supreme Court. Developments of the case on appeal are discussed in more detail in our previous alert “Microsoft: Supreme Court Decision on Jurisdiction over Foreign-Located Communications Anticipated.” During the February 27 oral arguments, about which we reported in “Justices Hearing Microsoft Appeal Appear Mixed on Jurisdiction over Foreign-Located Communications,” the Supreme Court grappled with how to apply the decades-old SCA, which Justice Kennedy referred to as a “difficult statute,” to modern internet-based communication platforms. The litigants’ arguments focused on the nature and location of the conduct the SCA regulates and whether a victory for Microsoft would make certain data effectively unreachable by U.S. law enforcement. Ultimately, the justices appeared mixed on whether an SCA warrant could be used to compel disclosure of foreign-located materials.
CLOUD Act and its Effect on the Microsoft Case
In response to Microsoft and the government’s dueling arguments regarding the reach of the SCA, Supreme Court oral arguments in the Microsoft case also included discussion of the then-proposed CLOUD Act. The CLOUD Act was originally proposed by Senator Orrin Hatch (R-Utah) in February 2018, before oral arguments in the case but after certiorari was granted, and had the support of a bi-partisan group of senators. It was proposed in response to U.S. law enforcement’s increasing challenges in obtaining data located in foreign countries. The CLOUD Act updates the SCA and provides specific authority for U.S. law enforcement authorities to compel disclosure of communications and records stored abroad by U.S. service providers. It also provides a mechanism for the service provider to object and notify the host country, which may also have jurisdictional, data privacy, or other objections to the provider’s compliance with the U.S. data request. In making a determination of whether foreign-located communication data and records should be considered within the scope of U.S. jurisdiction, the CLOUD Act requires the federal court hearing a motion to quash the legal process to consider the impact of the law of the foreign country hosting the data and records.
On March 23, 2018, Congress passed the CLOUD Act as a part of the omnibus federal spending bill. Soon after the CLOUD Act passed, the government obtained a new warrant for Microsoft seeking the same materials pursuant to the CLOUD Act as those previously sought under the SCA and informed the Court via letter of the passage thereof. Without indicating whether Microsoft would challenge the new warrant, or whether Irish law (where the records and data are stored) prohibits the disclosure, the government and Microsoft both filed motions in March and early April 2018, respectively, arguing the case was now moot. On April 17, 2018, the Court agreed and vacated the Second Circuit decision and remanded the case to the lower court for dismissal.
As a corollary measure for foreign law enforcement authorities, the CLOUD Act also provides for “executive agreements” that permit U.S. service providers to respond to foreign legal process seeking access to stored communications data so long as they do not target U.S. persons or other persons located in the United States. The CLOUD Act specifies requirements for such agreements, including that the foreign requesting country has robust legal protections for privacy and civil liberties, that electronic data requests relate only to serious crimes, and that the foreign country provides oversight by an independent authority. Some industry watch-groups have worried that communications from U.S. persons, while not targeted, could nevertheless be swept up via an executive agreement under the CLOUD Act and shared with foreign law enforcement authorities.
This dismissal may resolve the issue presented in Microsoft but preempted a much-anticipated decision by the U.S. Supreme Court that was thought likely to have implications regarding the extraterritorial reach of other U.S. laws and U.S. legal process in other contexts. Nonetheless, the CLOUD Act has provided mechanisms to ease the ability of both U.S. law enforcement and communication-service providers to stake out their positions with respect to efforts by law enforcement to obtain foreign-located, electronically stored information and documents. While U.S. law enforcement agencies will now have a clear procedure to obtain this data, providers similarly have a clear avenue to challenge warrants seeking the information. Through the CLOUD Act, Congress could be sending a signal that similar legislation could be used to resolve other questions concerning the reach of U.S. law enforcement over other types of foreign-located records and data where there is a nexus between the custodian and the United States.