Microsoft resisted a U.S. government warrant for emails stored on a server in Dublin, Ireland. A Magistrate and a District Court Judge ordered Microsoft to comply. Microsoft refused, and was held in contempt. The U.S. Court of Appeals for the Second Circuit, on July 14, 2016, agreed with Microsoft and unanimously reversed the District Court and vacated the contempt citation.
Privacy advocates and cloud providers (which work with data moving and stored across national boundaries daily) have some clarity on government reach as to global communications – for now.
The warrant, issued under the Stored Communications Act (SCA), which is part of the Electronic Privacy Communications Act of 1986, demanded Microsoft produce certain emails in an account alleged to have been used to facilitate narcotics transactions. The emails were stored in a data center in Dublin. Microsoft moved to quash the warrant, arguing that the SCA did not apply to data stored outside the U.S., and that seizing data from a center in Ireland would be an intrusion on the sovereignty of another country.
Southern District of New York Magistrate Judge James Francis IV and District Court Loretta Preska disagreed, holding that the essence of jurisdiction under the SCA was control over the data, not its location. As Microsoft could access the data, it therefore had control and was compelled to comply with the warrant.
In reversing the District Court, the Second Circuit noted that there was no language in the SCA that provided a basis for extraterritorial jurisdiction, while the statute and its legislative history were quite clear that a paramount focus of the SCA was the privacy of cloud service customers’ content, noting the “special role of service providers vis-à-vis content customers entrust to it.”
International cooperation and respect for laws of other nations, or “comity,” was recognized by the court with regard to the sovereignty of Ireland. The invasion of privacy under the warrant, the court noted, would take place in Ireland. The U.S. and Ireland are signatories to the Mutual Legal Assistance Treaty (MLAT), in which signatories can invoke aid to execute warrants, subject to procedures and protections in that treaty. No request for MLAT assistance was made by the U.S., and Magistrate Francis held none was required because MLAT processes are slow.
The Second Circuit emphatically rejected this point, writing “Our conclusion today also serves the interests of comity that, as the MLAT process reflects, ordinarily govern the conduct of cross-border criminal investigations. . . We find it difficult to dismiss (the laws of a foreign sovereign) out of hand on the theory that the foreign sovereign’s interests are unaffected” by a U.S. court order to collect data from servers located within that country in haste.
Privacy advocates’ rapture, though, should be tempered. The U.S. may appeal to the Supreme Court. The appeals court agreed that the SCA is woefully out of data. Written before the World Wide Web existed, the SCA did not contemplate data transfers and storage outside the U.S. A future Congress may fill this gap.
If you have questions regarding the scope of U.S. laws with regard to data transmitted or stored outside the U.S., or laws that affect U.S. companies’ data centers located overseas, please contact Kenneth N. Rashbaum.