Data stored by U.S. companies in the U.S. is within reach of the Department of Justice. Personal data (including email) of European citizens stored by U.S. companies in Europe is subject to European privacy laws that restrict its disclosure. What is a U.S. company to do, then, when faced with a decision of a U.S. court that requires it to comply with a subpoena for information stored in Europe?
In a recent decision, Magistrate Judge James C. Francis IV, of the U.S. District Court for the Southern District of New York, denied Microsoft Corporation’s motion to quash a search warrant that required Microsoft to provide data housed on a server in Ireland to the United States government. Magistrate Francis’ opinion, if upheld, essentially gives extraterritorial effect to the Electronic Communications Privacy Act, specifically the Stored Communications Act (“SCA”), a statute that allows the government to obtain certain electronic communications from American companies.
Judge Francis opined that, while the language of the SCA was ambiguous as to whether it applied to information stored by an American company outside the United States, the legislative history and practical considerations justified the extraterritorial scope of the SCA. Specifically, the opinion discussed the fact that a bad actor could simply cause an American company to store his or her information in a location outside of the United States, an outcome, the court observed, that was clearly not the intention of Congress.
The decision, if upheld by the District Court and, perhaps, the Second Circuit Court of Appeals, could have significant ramifications. It may, for example, open the door for the U.S. government to regularly request information about European users from American companies that host that information in Europe, thereby creating conflict with European governments. Worse, American companies could face a Hobson’s “Multiple Choice:” Does the company abide by European Union privacy law and refuse to comply with the subpoena, thereby risking proceedings in the U.S.; ignore the request, with the same result; or comply with it and risk proceedings under European privacy and data protection law? Verizon and AT&T, keenly perceiving this dilemma, wrote to the court in support of Microsoft. This dispute, sure to be repeated in the age of burgeoning e-commerce across the globe, is unlikely to be resolved soon.