21 July 2016 - Post by:Keren Livneh
On July 14, 2016, the Court of Appeals for the Second Circuit reversed a District Court decision ordering Microsoft to comply with a warrant issued in a U.S. narcotics trafficking investigation to produce a customer’s web-based emails, stored exclusively on servers in Ireland. The Second Circuit held that the Stored Communications Act (SCA), under which the warrant was issued, does not have extraterritorial reach and that permitting seizure of the emails in question would violate the privacy rights the legislation was enacted to protect.
Microsoft had complied with the warrant at issue with respect to “non-content” data stored in the U.S., but filed a motion in the Southern District of New York to quash the warrant to the extent that it required Microsoft to import the content of the emails from Ireland into the U.S. The District Court denied the motion.
In both the District Court and the Second Circuit, the case turned on the nature of a warrant under the SCA. Typically, a warrant is territorially limited to the U.S., whereas a subpoena compels production of information in the recipient’s possession, custody or control, wherever that information is located. The U.S. government argued, and the District Court held, that a warrant under the SCA is equivalent to a subpoena. Given that Microsoft’s Irish datacenter is owned by a subsidiary, and Microsoft acknowledged that it can access information stored on its foreign servers and transfer that information to the U.S., the District Court held Microsoft in contempt for refusing to comply with the warrant.
The Second Circuit disagreed with this analysis. It relied on the strong presumption against the extraterritorial application of U.S. laws, and held that there is no reasonable basis on which to conclude that Congress intended a warrant under the SCA to mean a subpoena. Indeed, the SCA does provide for a subpoena, with the prerequisite that notice to be given to the service provider’s customer.
The Second Circuit may have also forestalled a future attempt by the government to compel production of information stored outside the U.S. by way of a subpoena. Although the Court held that it “need not determine the reach of the SCA’s subpoena provisions, because [it is] faced here only with the lawful reach of an SCA warrant” (at *55), it went on to state that a service provider should be treated differently from other subpoena recipients:
“Microsoft convincingly observes that our Court has never upheld the use of a subpoena to compel a recipient to produce an item under its control and located overseas when the recipient is merely a caretaker for another individual or entity and that individual, not the subpoena recipient, has a protectable privacy interest in the item. The government does not identify, and our review of this Court’s precedent does not reveal, any such cases.” (at *46, citation omitted).
The Second Circuit held further that the impetus of the SCA was to shield the content of a user’s electronic communications from disclosure to third parties. “When, in 1986, Congress passed the Stored Communications Act as part of the broader Electronic Communications Privacy Act, its aim was to protect user privacy in the context of new technology that required a user’s interaction with a service provider.” (at *7). Interestingly, the record did not identify the citizenship or location of the customer under investigation. The Court’s decision was based solely on the location of the violation of the customer’s privacy rights or, in this case, where the protected content would have been seized.
Service providers and privacy advocates have won this round of the battle to balance law enforcement and privacy. But, in a concurring opinion, Judge Lynch stated that “neither privacy interests nor the needs of law enforcement [should] vary depending on whether a private company chooses to store records [in the U.S.] or abroad – particularly when the ‘records’ are electronic zeros and ones that can be moved around the world in seconds, and will be so moved whenever it suits the convenience or commercial purposes of the company” (at *72-73, emphasis in original). According to Judge Lynch, the holding of the Court effectively affords the content generated by foreign customers (or U.S. customers who provide a foreign location to their service provider) absolute protection from the U.S. government, regardless of the government’s basis for demanding access to that content. Judge Lynch highlighted that Congress has yet to weigh in on the balance to be struck between law enforcement and privacy in today’s world, and predicted the next round of the battle: that the government will enact legislation overruling the Court’s holding.