A three-judge panel of the U.S. Court of Appeals for the Second Circuit today unanimously reversed a lower court’s denial of Microsoft’s motion to quash a warrant seeking the content of emails for a customer of its Outlook.com email service. The decision is surprising in that that U.S. courts, including the Second Circuit, have traditionally enforced government process seeking documents or data stored abroad from entities that have control over the information under the test of “control, not location.” See In the Matter of a Grand Jury Subpooena Directed to Marc Rich & Co. v. United States, 707 F.2d 663 (1983) and our earlier blog post on the district court decision.
The Second Circuit focused its analysis on the government’s use of a warrant issued pursuant to section 2703 of the Stored Communications Act (SCA) to obtain the content of emails. Under the SCA, where the U.S. Government seeks the content of emails from an email service provider, the Government must, in certain specified circumstances, use a warrant following the procedures in Rule 41 of the Federal Rules of Criminal Procedure. The court concluded that Rule 41, with the exception of certain diplomatic operations, only allows for magistrate judges to issue warrants for information stored in the United States. Moreover, the court found “Congress did not intend the SCA’s warrant provisions to apply extraterritorially,” citing the presumption against extraterritorial application of United States statutes absent a clear contrary intent.
Although the court acknowledges that “domestic contacts” can eliminate concerns of extraterritoriality in a given case, the court found that in this case, the SCA’s focus on the “privacy of the content of a user’s stored electronic communications” tipped the balance in favor of the presumption against extraterritorial application of the SCA. The court addressed earlier cases where subpoenas were issued to businesses that owned the information sought, finding that compelling the production of information stored abroad from the owner of the information is distinguishable from compelling the production of information stored abroad from a caretaker of that information. The court also noted the importance of international comity that “ordinarily govern the conduct of cross-boundary criminal investigations.”
This case could have a significant impact on cloud providers’ decisions to store information abroad. It also serves, in the midst of debates about the newly enacted Privacy Shield and the recent challenge to Standard Contractual Clauses now before the Court of Justice of the European Union, as a counterbalance to arguments that some make about the U.S. legal system not respecting personal privacy.
There are a number of interesting aspects to the case:
- Extraterritoriality: The court easily concluded – indeed the government conceded at oral argument – that the SCA warrant provisions do not contemplate or permit extraterritoriality and the use of “warrant” in the SCA implicated historical “privacy concepts applied within the territory of the United States.”
- Subpoena/Warrant Distinction: The court emphasized the distinct nature of warrants and subpoenas. In one part of the opinion, the court did not question prior case law as embodied in the Marc Rich case involving the use of subpoenas to obtain communications stored outside of the U.S. But the court later noted that “the protections rightly accorded user content in the face of an SCA subpoena [specifically] have yet to be delineated.” In addition, the court noted that it:
“has never upheld the use of a subpoena to compel a recipient to produce an item under its control and located overseas when the recipient is merely a caretaker for another individual or entity and that individual, not the subpoena recipient, has a protectable privacy interest in the item.”
- SCA Focus: The opinion emphasized the SCA’s focus on protecting user’s privacy interests, finding the SCA’s warrant provisions for government access, the prohibitions on unauthorized access, service provider disclosure restrictions for communications, criminal and civil remedies, and the legislative history’s focus on privacy protections for stored communications created an “elaborate hierarchy of privacy protections.”
- Place of Seizure: The court concluded that service provider recipients of SCA warrants act as agents of the government in seizing the content sought and any SCA “invasion of privacy” takes place “where the customer’s protected content is accessed.” In this case, Microsoft, regardless of where it sat when it pulled the data, would access the data from its place of storage in the Dublin data center, resulting in the seizure taking place in Ireland. The court thereby rejected the government’s assertions that obtaining the emails only required Microsoft to act in the United States (a location from which Microsoft could pull the information).
- Mutual Legal Assistance Treaties (MLATs) and Comity: The court rejected the argument that a customer’s ability to mislead a service provider into storing data overseas (by e.g., by providing a false address ) and the cumbersome nature of MLATs were valid reasons for enforcing the warrant in light of SCA protections, noting that:
“Our conclusion today  serves the interests of comity that, as the MLAT process reflects, ordinarily govern the conduct of cross-boundary criminal investigations … [and] we find it difficult to dismiss [comity] interests out of hand on the theory that the foreign sovereign’s interests are unaffected when a United States judge issues an order requiring a service provider to ‘collect’ from servers located overseas and ‘import’ into the United States data, possibly belonging to a foreign citizen, simply because the service provider has a base of operations within the United States.”
Judge Lynch, in his concurring opinion, emphasized that “the dispute here is not about privacy, but the international reach of American law.” He views the Government’s attempt to obtain the emails through a warrant as justified, but thwarted by Microsoft’s choice of storage. He urges Congress to take action to clarify not only the extraterritorial reach of the SCA, but also various other aspects of the SCA that, as a statute written in 1986, make it difficult and cumbersome to apply to modern technologies. See the following for more information on ECPA reform generally https://cdt.org/issue/security-surveillance/ecpa-reform/.
The court’s nod to comity could have an impact in other circumstances where the government or private parties in litigation seek personal or other data stored abroad in countries that restrict cross-border transfers. The case may also have a significant impact on where service providers choose to store customer communications or other data. However, the issues are far from settled. A government appeal to the Second Circuit en banc or the Supreme Court seems likely.