On July 14, 2016, the United States Court of Appeals for the Second Circuit in New York City released its opinion in Microsoft v United States, Docket No. 14-2985, holding that Microsoft Corporation could not be forced to produce email communications of a suspect in a drug investigation that were stored in Microsoft’s data centre in Dublin, Ireland. In an article titled Microsoft Wins Appeal on Overseas Data Searches published in The New York Times the same day, Nick Wingfield and Cecelia Kang quoted Alex Abdo, a staff lawyer with the American Civil Liberties Union, who described the ruling as another reminder that the laws protecting the privacy rights of Americans online are dangerously out of date. Here’s the story.

Microsoft appealed from an order of the United States District Court for the Southern District of New York denying its motion to quash a warrant issued under s. 2703 of the Stored Communications Act (SCA), 18 USC s. 2701 and holding Microsoft in contempt of court for refusing to execute the warrant on the government’s behalf. The magistrate judge who issued the warrant had found probable cause to believe that the account was used for narcotics trafficking. The warrant was served on Microsoft at its headquarters in Redmond, Washington. The dispute thus arose over the nature and reach of the warrant and the extent of Microsoft’s obligations. Microsoft produced the customer’s non-content information that was stored in the United States. But it refused to import the data that it stored in Dublin.

Microsoft argued that Congress employed an authorizing instrument that traditionally carries territorial limitations by the use of the term warrant in the SCA. United States law enforcement officers may be directed by a warrant to seize items at locations in the United States but their authority generally does not extend further. The government characterized the dispute as about compelled disclosure regardless of the label appearing on the instrument. It maintained that, similar to a subpoena, an SCA warrant requires the recipient to deliver records to the government, irrespective of where those documents are located, so long as they are subject to the recipient’s custody or control.

Judge Susan L. Carney, writing the majority opinion in which Judge Victor A. Bolden concurred, summarized the conclusion of the court that interpreting warrant to require a service provider to produce data from beyond the borders of the United States would require the court to disregard the presumption against extraterritoriality, at p. 6:

“When, in 1986, Congress passed the Stored Communications Act as part of the broader Electronic Communications Privacy Act, its aim was to protect user privacy in the context of new technology that required a user’s interaction with a service provider. Neither explicitly nor implicitly does the statute envision the application of its warrant provisions overseas. Three decades ago, international boundaries were not so routinely crossed as they are today, when service providers rely on worldwide networks of hardware to satisfy users’ 21st-centurty demands for access and speed and their related, evolving expectations of privacy.

Rather, in keeping with the pressing needs of the day, Congress focused on providing basic safeguards for the privacy of domestic users. Accordingly, we think it employed the term ‘warrant’ in the Act to require pre-disclosure scrutiny of the requested search and seizure by a neutral third party, and thereby to afford heightened privacy protection in the United States. It did not abandon the instrument’s territorial limitations and other constitutional requirements. The application of the Act that the government proposes – interpreting ‘warrant’ to require a service provider to retrieve material from beyond the borders of the United States – would require us to disregard the presumption against extraterritoriality that the Supreme Court re-stated and emphasized in Morrison v National Australian Bank Ltd., 561 US 247 (2010) and, just recently, in RJR Nabisco, Inc v. European Cmty., 579 US_, 2016 WL 3369423 (June 20, 2016), We are not at liberty to do so.”

Judge Carney went on to say this about the warrant requirement that is rooted in the Fourth Amendment, at pp. 26-7: “As the term is used in the Constitution, a warrant is traditionally moored to privacy concepts applied within the territory of the United States: ‘What we know of the history of the drafting of the Fourth Amendment…suggests that its purpose was to restrict searches and seizures which might be conducted by the United States in domestic matters.’ In Re Terrorist Bombings of U.S. Embassies in East Africa, 552 F.3d 157, 169 (2d Cir. 2008) (alteration omitted and ellipses in original) (quoting United States v. Verdugo-Urquidez, 494 U.S. 259, 266 (1990). Indeed, ‘if U.S. judicial officers were to issue search warrants intended to have extraterritorial effect, such warrants would have dubious legal significance, if any, in a foreign nation.’ Id. at 171. Accordingly, a warrant protects privacy in a distinctly territorial way.”

Joining the majority in a separate concurring opinion, Judge Gerald E. Lynch questioned whether the result strikes the right balance between privacy and law enforcement interests, at pp. 4 and 17-8:

“…Microsoft’s argument is not that the government does not have sufficiently solid information, and sufficiently important interests, to justify invading the privacy of the customer whose emails are sought and acquiring records of the contents of those emails. Microsoft does not ask the Court to create, as a matter of constitutional law, stricter safeguards on the protection of those emails – and the Court does not do so. Rather, the sole issue involved is whether Microsoft can thwart the government’s otherwise justified demand for the emails at issue by the simple expedient of choosing – in its own discretion – to store them on a server in another country.

…I am skeptical of the conclusion that the mere location abroad of the server on which the service provider has chosen to store communications should be controlling, putting those communications beyond the reach of a purely ‘domestic’ statute. That may be the default position to which a court must revert in the absence of guidance from Congress, but it is not likely to constitute the ideal balance of conflicting policy goals. Nor is it likely that the ideal balance would allow the government free rein to demand communications, wherever located, from any service provider, of whatever nationality, relating to any customer, whatever his or her citizenship or residence, whenever it can establish probable cause to believe that those communications contain evidence of a violation of American criminal law, of whatever degree of seriousness. Courts interpreting statutes that manifestly do not address these issues cannot easily create nuanced rules: the statute either applies extraterritorially or it does not, the particular demand made by the government either should or should not be characterized as extraterritorial. Our decision today is thus ultimately the application of a default rule of statutory interpretation to a statute that does not provide an explicit answer to the question before us. It does not purport to decide what the answer should be, let alone to impose constitutional limitations on the range of solutions Congress could consider.”

However, the government was not left empty handed. The regime of Mutual Legal Assistance Treaties (MLATs), although a cumbersome process, allows signatory states to request one another’s assistance with criminal investigations including the issuance and execution of search warrants. Judge Carney observed, at p. 41, footnote 29, that the United States had entered into an MLAT with all member states of the European Union including Ireland. In an article titled Big Privacy Ruling Says Feds Can’t Grab Data Abroad With A Warrant published by WIRED the same day, Andy Greenberg quoted Nate Cardozo, a staff attorney with the Electronic Frontier Foundation, who said: “This is a curb on the government’s ability to just grab whatever it wants, process be damned. There’s a process in place to get this data, and the government has to follow it.”

And, in a post to his privacy and security blog, TeachPrivacy, titled Microsoft Just Won a Big Victory Against Government Surveillance – Why It Matters, dated July 15, 2016, Professor Daniel Solove of the George Washington University Law School argued that following the MLAT process is important to avoid at least three undesirable consequences:

• First, by seeking the data through the [Stored Communications Act (part of the Electronic Communications Privacy Act)] the US government would force companies (such as Microsoft and many of our other large tech companies) abroad to violate the laws of the countries where they are storing the data. This is not a position we want to put our companies in.

• Second, it would cause a huge competitive disadvantage to our tech industry. Imagine you’re an Irish citizen and you want to choose a cloud service provider. You have a choice between (1) a US cloud service provider with a data centre in  Ireland and (2) an Irish cloud service provider also with a data centre in Ireland. If the US government can obtain the data through ECPA, then it can ignore Irish law to obtain data stored in the cloud by the US cloud service provider. The Irish cloud service provider would not be subject to ECPA and would be governed under Irish law. So if citizens of Ireland don’t want to lose their country’s legal protections against government surveillance, then they must stay away from the US cloud service provider. This puts the US industry at a disadvantage, especially when the EU is extremely upset about US government surveillance in light of the NSA’s activities.

• Third, another consequence of the US government thumbing its nose at the laws of other countries is that those countries might start doing the same to the US. US law enforcement officials often seem to assume a US exceptionalism – it’s fine for the US to flaunt the law of other countries but not vice versa. But what if other countries were to demand that Microsoft turn over data stored in the US pursuant to their own laws? And what if these laws were much less protective than US laws?

Peter Carr, a spokesman for the U.S. Department of Justice, was reported as indicating that the agency is considering its legal options. (See: Jonathan Stempel. Microsoft wins landmark appeal over seizure of foreign emails. Reuters. July 14, 2016)