On 31 July, the chief judge of the Southern District of New York delivered the latest in a series of controversial judgments stemming from a test case brought by Microsoft in an extra-territorial warrant issued under the U.S. Stored Communications Act (‘SCA’). In the third ruling on the matter, the court found in favour of the U.S. government, upholding the warrant and ordering that Microsoft turn over customer emails stored in a data centre in Ireland. The District Court agreed to stay the order while the decision is appealed further.

In the wake of Edward Snowden’s revelations about the activities of national security services across the globe, tech companies have adopted an increasingly tough stance in the face of information requests. As a result, Apple, AT&T, Cisco and Verizon joined the bid to quash the warrant and supported Microsoft’s argument that the SCA should not be interpreted to allow warrants to be issued for the search and seizure of data stored outside the United States. It was argued that this would constitute an extra-territorial warrant for which the SCA provided no jurisdiction.

If Microsoft’s final appeal is dismissed, the case will have significant implications for all U.S. businesses that store customer data overseas. The implications also extend to non-U.S. customers, including those companies located within the EEA, that have entered agreements with U.S.-based companies to store their data outside the United States. In particular, there is concern that foreign companies and consumers will lose trust in the ability of American companies to protect the privacy of their data. Similar concerns were expressed in July by then Vice-President of the European Commission, Viviane Reding, who stated that the use of extra-territorial warrants “bypasses existing formal procedures” and may “be in breach of international law”.

Background

The warrant subject to appeal was granted 4 December 2013 following an application by the United States under the SCA, and authorised the search and seizure of information associated with a specified web-based email account that was maintained and controlled by Microsoft but was hosted in Dublin, Ireland.

In an action heard 25 April 2014 and covered by Reed Smith in May, the same judge refused an appeal brought by Microsoft to overrule his earlier decision to grant the warrant. In support of this conclusion, the court stated that Microsoft’s arguments would be inconsistent with the legislative history of the SCA, and would also impose a “substantial” burden on the government, requiring reliance on the Mutual Legal Assurance Treaty which “generally remains slow and laborious.”

Territorial scope of the SCA

Microsoft highlighted to the court well-established case law that does not permit search warrants to extend outside the jurisdiction, such that any attempt to issue search warrants for data stored overseas was beyond the power of the District Court. Microsoft also argued that the grant of a search warrant in relation to the data intruded upon the sovereignty of the Republic of Ireland in a manner that would not be accepted by the United States were the position reversed.

The District Court dismissed these arguments and concluded that the search warrant was authorised by the U.S. Congress, which had intended the SCA to act as a tool allowing those seeking warrants to gain access to any data held by American businesses, regardless of the location of that data. The court reasoned that the question was one of control rather than location of the data.

Microsoft’s stance

Brad Smith, Microsoft Executive Vice President and General Counsel, recently highlighted research “that found 83% of American voters believe personal information stored in the cloud deserves the same protection as personal information stored on paper.”

In the wake of the ruling, Smith announced that “[T]he only issue that was certain this morning was that the District Court’s decision would not represent the final step in this process. We will appeal promptly and continue to advocate that people’s email deserves strong privacy protection in the U.S. and around the world.”

International developments

This decision is particularly significant in light of the recent developments in privacy and data protection law globally. In July, the UK government passed the Data Retention and Investigatory Powers Act 2014 (‘Act’) using controversial emergency procedures to permit extra-territorial warrants to intercept data in certain circumstances. The Act has been widely criticised by politicians and academics, with the latter describing the powers as “not only completely novel in the United Kingdom … [but] some of the first of their kind globally.”

During House of Commons debates, Theresa May MP stated that the provisions were needed to “put beyond doubt the legal obligation on companies that provide services to people in the UK to comply with our laws on interception, regardless of where they are based”, and she told the Home Affairs Committee that “it has always been regarded, from Government circles certainly, that [the Regulation of Investigatory Powers Act 2000] had an ability to operate extraterritorially.” Whether or not this is the case, it appears that the UK government has side-stepped dealing with an issue such as the Microsoft case by introducing primary legislation in an peremptory fashion.

In Russia, legislation was passed in July providing that the personal data of Russian citizens must be stored domestically. The law will take effect in September 2016 and, if it remains in its current form, will allow websites that do not comply to be blocked from operating in Russia, which would keep the data of Russian citizens beyond the reach of SCA warrants similar to the type that was served on Microsoft.

Finally, negotiations between the United States and the EU Commission in relation to the future of the Safe Harbour regime are still ongoing. In June, Viviane Reding indicated that the bulk of the negotiation points had been agreed. Notably, one of the final sticking points identified was the lack of judicial redress offered by the United States to citizens who feel that their case has not been handled correctly. While the result of the negotiations remains to be seen, it is difficult to reconcile the findings of the judgment of the District Court with this objective.

On 31 July, the chief judge of the Southern District of New York delivered the latest in a series of controversial judgments stemming from a test case brought by Microsoft in an extra-territorial warrant issued under the U.S. Stored Communications Act (‘SCA’). In the third ruling on the matter, the court found in favour of the U.S. government, upholding the warrant and ordering that Microsoft turn over customer emails stored in a data centre in Ireland. The District Court agreed to stay the order while the decision is appealed further. If Microsoft’s final appeal is dismissed, the case will have significant implications for all U.S. businesses that store customer data overseas. The implications also extend to non-U.S. customers, including those companies located within the EEA that have entered agreements with U.S.-based companies to store their data outside the United States. In particular, there is concern that foreign companies and consumers will lose trust in the ability of American companies to protect the privacy of their data.