In a case with important privacy implication for U.S. companies providing services ranging from e-mail, social networking, chat communications and remote storage, the Second Circuit Court of Appeal this week held in Microsoft Corp. v. United States that the government cannot compel a U.S. service provider to comply with a search warrant to produce users’ electronic data stored on its overseas servers. In reaching that holding the court determined that the warrant provisions of the Stored Communications Act to not extend outside the United States’ borders.
Stored Communications Act
The Stored Communications Act (“SCA”), which was enacted in 1986, imposes non-disclosure obligations on electronic communications services (ECS) and remote computing services (RCS), with certain exceptions. One of those exceptions was 18 U.S.C. § 2703, which establishes the condition under which the government may access stored communications. The government may obtain access to basic subscriber and transaction information through an administrative subpoena. See 18 U.S.C. § 2703(c)(2). It may also obtain other non-content records through a court order upon a showing that the “content or records… are relevant and material to an ongoing criminal investigation.” 18 U.S.C. § 2703(c)(2), (d). The only way that the government may access the contents of recent electronic communications, such as email, stored by an ECS is through a warrant. See 18 U.S.C. § 2703(a). For older electronic communications and electronic communications stored by an RCS, the government needs a warrant as well, unless it is willing to provide notice to the subscriber or customer. See 18 U.S.C. § 2703(b)(1)(A).
The Search Warrant and Lower Court Opinion
Microsoft provides free, web-based email services to the public. Depending on the location of its users, Microsoft may store their email on servers located in data centers in different parts of the world. In 2013, a United States Magistrate Judge issued a search warrant ordering Microsoft to produce emails from a user’s account that Microsoft determined were stored on servers located in Ireland. Microsoft produced the non-content account information about the user, as that information was stored in the United States, but declined to produce the users’ emails. Microsoft moved to quash the warrant with respect to the email content, which the Magistrate denied, finding that a warrant issued under the SCA was similar to a subpoena and obligated Microsoft to produce data under its control, “wherever it might be stored.” In re Warrant to Search a Certain E-Mai Account Controlled and Maintained by Microsoft Corp., 15 F.Supp.3d 466, 471-72, 477 (S.D.N.Y. 2014). The District Court adopted the reasoning of the Magistrate Judge and held Microsoft in civil contempt for refusing to comply with the warrant.
The Second Circuit’s Opinion
Reversing the District Court’s ruling, the Second Circuit held that warrants issued under the SCA do not apply outside the United States. Noting the strong presumption against the extraterritorial application of U.S. law, the court applied the two-part approach articulated by the Supreme Court in Morrison v. National Australian Bank Ltd., 561 U.S. 247 (2010) to determine whether the SCA can be applied to seize data outside the U.S. See Microsoft Corp. v. United States, No. 14-2985, slip opinion, at *22. The Court explained: “We first determine whether the relevant statutory provisions contemplate extraterritorial application. If we conclude that they do not, by identifying the statute’s focus and looking at the facts presented through that prism, we then assess whether the challenged application is ‘extraterritorial’ and therefore outside the statutory bounds.” Id.
As an initial matter, the Second Circuit found that there was nothing in the warrant provisions of the SCA indicating that Congress intended those provisions to apply extraterritorially or that Congress meant to invoke the term “warrant,” in any way other than with that term’s “traditional, domestic connotations.” See id. at *23-26. The Court also expressly rejected the Magistrate Judge’s analogy of a SCA warrant to a subpoena, noting that “[w]arrants and subpoena are, and have long been, distinct legal instruments,” and that the Court “ha[d] never upheld the use of a subpoena to compel a recipient to produce an item under its control and located overseas when the recipient is merely a caretaker for another individual or entity and that individual, not the subpoena recipient, ha[d] a protectable privacy interest in the item.” Id. at *28, 31. Accordingly, the Second Circuit held that the warrant provisions of the SCA do not contemplate extraterritorial application.
The Second Circuit then turned to whether the “domestic contacts presented by the case” fell within the “focus” of the statutory provision or were “secondary.” Id. at *33. Examining the SCA’s text and legislative history, the Second Circuit found that “the relevant provisions of the SCA focus on protecting the privacy of the content of a user’s stored electronic communications.” Id. Having concluded that the SCA focuses on user privacy, the Court also concluded that the execution of the warrant constituted an unlawful extraterritorial application of the statute because “the conduct that falls within the focus of the SCA (i.e., the seizure of the data from Dublin) would occur outside the United States, regardless of the customer’s location and regardless of Microsoft’s home in the United States.” Id. at *39. While the government raised concerns about companies evading law enforcement by storing data abroad, the Second Circuit found these concerns to be “practical considerations” which “cannot, however, overcome the powerful clues in the text of the statute, its other aspects, legislative history, and use of the term of art ‘warrant,’ all of which lead us to conclude that an SCA warrant may reach only data stored within United States boundaries.” Id. at *41-2.
The Microsoft decision affirms that the focus of the SCA is to protect the privacy of user data and not to facilitate its disclosure (as argued by the government). In keeping with the SCA’s focus, the Microsoft decision limits the ability of the government to access electronic data stored overseas, regardless of whether the subscriber or customer possessing the privacy interest in the data or the third party storing the data was located in the United States. The Microsoft decision prevents the government from obtaining a warrant to compel an organization in the United States to retrieve electronic data stored in a foreign jurisdiction. Instead, the government must now rely primarily on the more time-consuming Mutual Legal Assistance Treaty process, making the level of privacy protection for electronic data dependent upon the laws and treaties of the foreign jurisdiction where the data is stored.
When U.S. service providers receive search warrants for subscribers stored data, they will need to determine the physical locations of the servers storing the subscribers’ data. Where the data is located on servers outside the United States, the Microsoft decision provides companies with a strong legal position—at least within the Second Circuit—for not producing the data without the risk of contempt. What will remain to be seen is whether Microsoft gives service providers with substantial user bases in Europe greater incentives to store those users’ data within the EU to provide those users’ greater privacy protections.
Clay Venetis is a summer associate in Fenwick's litigation group.