The U.S. Supreme Court recently granted certiorari in United States v. Microsoft. Since 2013, Microsoft Corporation has been fighting a search warrant to produce customer e-mails that are stored on a server located in Dublin, Ireland. The high-profile data privacy case could dramatically impact U.S. businesses as well as the ability of U.S. law enforcement to obtain digital information stored overseas.
Microsoft’s Refusal to Comply with Warrant
On December 4, 2013, federal prosecutors obtained a search warrant to obtain information associated with a specified, web-based e-mail account that is “stored at premises owned, maintained, controlled, or operated by Microsoft Corporation, a company headquartered at One Microsoft Way, Redmond, WA.” The warrant was issued under the Stored Communications Act (SCA).
Microsoft complied with the search warrant to the extent of producing the non-content information stored on servers in the United States. However, after it determined that the target account was hosted in Dublin and the content information stored there, Microsoft sought to quash the warrant to the extent that it directs the production of information stored abroad. The motion argued that federal courts are not authorized to issue warrants for the search and seizure of property outside the territorial limits of the United States.
The Stored Communications Act
The SCA is part of the Electronic Communications Privacy Act of 1986. The statute authorizes law enforcement agents to obtain information from Internet service providers (ISPs) through subpoenas, court orders, or warrants. Each legal process allows the government to obtain a specific level of data.
A warrant entitles the government to most information, including basic customer information, opened emails, records or other information pertaining to a subscriber or customer, and unopened e-mails stored by the provider for less than 180 days. In order to obtain an SCA Warrant, the government must demonstrate probable cause. The relevant section of the statute provides:
A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure . . . by a court of competent jurisdiction.
Court Split on Extraterritorial Reach of SCA
U.S. Magistrate Judge James C. Francis IV denied Microsoft's motion to quash the warrant. “Even when applied to information that is stored in servers abroad, an SCA Warrant does not violate the presumption against extraterritorial application of American law,” he ruled.
In his decision, Judge Francis noted that SCA Warrants are “hybrid: part search warrant and part subpoena.” As he further explained: “The ‘warrant’ requirement of section 2703(a) cabins the power of the government by requiring a showing of probable cause not required for a subpoena, but it does not alter the basic principle that an entity lawfully obligated to produce information must do so regardless of the location of that information.”
U.S. District Judge Loretta Preska upheld the decision, but the Second Circuit Court of Appeals reversed. The Second Circuit ruled that enforcing the warrant as to information stored abroad would constitute an impermissible extraterritorial application of the SCA. Under the Second Circuit’s reasoning, the relevant statutory focus is maintaining the privacy of a user’s email communications and “the invasion of the customer’s privacy takes place… where the customer’s protected content is stored — here, in the Dublin data center.” The full Second Circuit denied rehearing by a 4-4 vote.
The Supreme Court justices will specifically consider the following question on appeal from the Second Circuit:
“Whether a United States provider of email services must comply with a probable-cause-based warrant issued under 18 U.S.C. § 2703 by making disclosure in the United States of electronic communications within that provider's control, even if the provider has decided to store that material abroad.”
Potential Impact on Businesses
In its petition for certiorari, the federal government characterized the Second Circuit’s decision as “unprecedented.” It further maintained that “the decision is causing immediate, grave, and ongoing harm to public safety, national security, and the enforcement of our laws.”
However, should the Court rule in favor of the federal government, businesses could be forced to produce data to law enforcement regardless of where in the world data reside. The Supreme Court’s interpretation of the SCA will not only impact email providers but also cloud-based service providers, which also frequently store data abroad.
The Court has not yet scheduled oral arguments in United States v. Microsoft. However, a decision should come by the end of the term in June 2018. We encourage readers to check back for updates and contact one of our attorneys with any questions regarding how the Court’s decision may impact your operations.
Do you have any feedback, thoughts, reactions or comments concerning this topic? Feel free to leave a comment below for Fernando M. Pinguelo. If you have any questions about this post, please contact me or the Scarinci Hollenbeck attorney with whom you work. To learn more about data privacy and security, visit eWhiteHouse Watch – Where Technology, Politics, and Privacy Collide (http://ewhwblog.com).
For an in-depth analysis of the Stored Communications Act, see “Reasonable Expectations of Privacy Settings: Social Media and the Stored Communications Act,” Borchert, Pinguelo, Thaw, 13 Duke L. & Tech. Rev. 36 (2015).