CLOUD Act Moots Microsoft Data Privacy Case Before U.S. Supreme Court
April 18, 2018
Enactment of the CLOUD Act Moots Microsoft Data Privacy Case
Both Microsoft Corp. and the Department of Justice (DOJ) agree that their pending data privacy dispute, currently before the U.S. Supreme Court, is now moot. The DOJ withdrew the warrant at the center of the suit following the recent enactment of the Clarifying Lawful Overseas Use of Data (CLOUD) Act.
Microsoft v. United States
On December 4, 2013, federal prosecutors obtained a search warrant to obtain information associated with a specified web-based e-mail account that is “stored at premises owned, maintained, controlled, or operated by Microsoft Corporation, a company headquartered at One Microsoft Way, Redmond, WA.” The warrant was issued under the Stored Communications Act (SCA), which authorizes law enforcement agents to obtain information from Internet service providers (ISPs) through subpoenas, court orders, or warrants.
Microsoft complied with the search warrant to the extent of producing the non-content information stored on servers in the United States. However, after it determined that the target account was hosted in Dublin, and the content information was stored there, it sought to quash the warrant to the extent that it directed the production of information stored abroad. The motion argued that federal courts are not authorized to issue warrants for the search and seizure of property outside the territorial limits of the United States. Rather, they must rely on the Mutual Legal Assistance Treaty (MLAT) process.
While the district court denied Microsoft’s motion, the Second Circuit ruled that enforcing the warrant as to information stored abroad would constitute an impermissible extraterritorial application of the SCA. Under the Second Circuit’s reasoning, the relevant statutory focus is maintaining the privacy of a user’ s email communications and “the invasion of the customer’s privacy takes place … where the customer’s protected content ‘is stored — here, in the Dublin data center.’” The Second Circuit denied rehearing by a 4-4 vote, and the DOJ appealed to the Supreme Court.
During oral arguments, which were held in February, several justices noted that the issue was ripe for a legislative solution. “Congress takes a look at this, realizing that much time and innovation has occurred since 1986. It can write a statute that takes account of various interests. And it isn’t just all or nothing,” Justice Ruth Bader Ginsburg stated. “So wouldn’t it be wiser just to say let’s leave things as they are? If Congress wants to regulate in this brave new world, it should do it.”
Passage of the CLOUD Act
Justice Ginsburg’s words proved prophetic with the recent passage of the CLOUD Act, which clarifies that a U.S. search warrant could cover emails stored overseas. The statute, which amends the SCA, states that a “provider of electronic communication service” shall comply with a court order for data “regardless of whether such communication, record or other information is located within or outside of the United States.”
President Trump signed the CLOUD Act into law on March 23, 2018. Shortly thereafter, the DOJ obtained a new search warrant under the statute that requires Microsoft to turn over the emails. It then asked the Supreme Court to declare the case moot. “Microsoft no longer has any basis for suggesting that such a warrant is impermissibly extraterritorial,” Solicitor General Noel J. Francisco wrote. “There is thus no longer any live dispute between the parties, and the case is now moot.”
Microsoft, which supported passage of the CLOUD Act, did not oppose the DOJ’s motion. “Microsoft has argued from the beginning of this case that Congress is the proper branch to update the Electronic Communications Privacy Act of 1986,” Microsoft’s attorney wrote. “With the CLOUD Act, Congress has now enacted a nuanced legislative scheme that both creates a modern legal framework for law-enforcement access to data across borders and expressly incentivizes the negotiation of new international agreements that balance legitimate law-enforcement interests, individual privacy rights, and foreign sovereignty.”
While the CLOUD Act clarifies when service providers must turn over user data stored overseas, it also contains a number of other significant changes regarding data privacy and disclosure, including access by foreign governments to U.S. data. We encourage readers to stay tuned for a future article discussing the CLOUD Act in greater depth.
Please make sure to check out Part 2 of this article here.
If you have any questions regarding the CLOUD Act, please contact us
Do you have any feedback, thoughts, reactions or comments concerning this topic? Feel free to leave a comment below for Fernando M. Pinguelo. If you have any questions about this post, please contact me or the Scarinci Hollenbeck attorney with whom you work. To learn more about data privacy and security, visit eWhiteHouse Watch – Where Technology, Politics, and Privacy Collide (http://ewhwblog.com).