Last week, the U.S. Second Circuit handed Microsoft a decisive victory, holding that warrants for electronic content issued under the Stored Communications Act (SCA) cannot reach data located overseas. The court’s message was simple: SCA warrants cannot reach data outside the U.S. because Supreme Court precedent creates a presumption against extraterritoriality absent clear Congressional intent. However, the long-term implications of the case, and the future of law enforcement cross-border data requests, are still murky at best.
The so-called “Microsoft Ireland case” began in December 2013, when Microsoft challenged a search and seizure warrant issued under the SCA for email content stored in Dublin, Ireland. In the physical world, U.S. laws are presumed to apply only within U.S. territory, and thus domestic warrants generally cannot be used for items such as physical letters or files located overseas. Microsoft argued that the law should not treat digital content any differently, and thus, e-mail content stored in Dublin must be obtained through other means, such as the Mutual Legal Assistance Treaty (MLAT) between the U.S. and Ireland.
The Department of Justice (DOJ) pointed out that although the requested e-mail content was physically located overseas, Microsoft had the ability to obtain that content from its premises located in the United States. Therefore, the DOJ argued, the actual search and seizure would occur domestically. Moreover, it argued that an SCA warrant is akin to a subpoena, which could, under Second Circuit precedent, compel Microsoft to produce any material located anywhere in the world, so long as it is stored at premises “owned, maintained, controlled, or operated by Microsoft.”
The Second Circuit sided with Microsoft on statutory, not constitutional, grounds. It pointed out that absent a congressional indication to the contrary, statutes are presumed to operate only within the U.S. Based on a plain reading of the text and legislative history, the court concluded that the SCA does not have extraterritorial reach and the government, therefore, cannot apply an SCA warrant for digital content extraterritorially. Most notably, the court concluded that the SCA is fundamentally a law focused on “protecting the privacy of the content of a user’s stored communications,” and rejected the DOJ’s assertion that the SCA is primarily focused on enabling disclosures of electronic content to law enforcement. Because Congress primarily enacted the SCA to protect user privacy, the key factor to be used when determining whether or not the statute was being applied outside U.S. territory was where the privacy invasion would take place. For the Second Circuit, it was clear that the invasion would take place in Dublin – where the content to be seized was stored, where the data center that Microsoft would have to interact with in order to retrieve the data was located, and where the jurisdiction in which the data was located would lie.
The court’s opinion will help avoid a parade of horribles that CDT, along with other civil society organizations and companies, warned about in an amicus brief supporting Microsoft’s position. For starters, permitting domestic warrants to apply abroad would rob the United States of the vast economic and societal benefits of remote data services because global internet users would likely shy away from American service providers that are susceptible to the U.S. government’s prying eyes (as they did in the wake of the 2013 Snowden revelations about N.S.A. spying activities). In addition, the decision helps prevent a world in which law enforcement investigations resemble a “Wild West” in which anything goes – if the United States could apply its warrants anywhere in the world, other countries would surely follow suit and claim that warrants issued under their laws can be used to retrieve data within U.S. territory. This would have been a disaster for privacy and civil liberties.
However, the story is not over yet – the DOJ will almost certainly appeal the Second Circuit’s decision, given the possibility of criminals taking advantage of the court’s conclusion by storing their digital content with providers offshore and out of reach for domestic warrants. In addition, the results of the case underscore the urgent need to reform U.S. laws. For starters, Congress should advance legislation that addresses the need of law enforcement to efficiently gain access to stored communications content across borders. Bilateral agreements between the United States and other nations, in which foreign governments whose laws meet certain human rights criteria may make demands for content held by U.S. service providers under the law of the foreign government (rather than under U.S. law), is one possible approach to solving this problem, so long as sufficient protections can be built in. The proposal that the DOJ conveyed to Congress last week to clear the way for such agreements – including one already drafted between the U.S. and the U.K. – contains some promising language, but its privacy and civil liberties protections are inadequate. It would also vastly expand surveillance beyond that which can be conducted through the current MLAT process, because it would empower foreign governments to engage in wiretapping in the U.S.
Overall, the Second Circuit’s opinion affirmed that the privacy rights we enjoy in the physical world should also apply to the digital world: if domestic laws cannot reach physical evidence stored abroad, they should not be able to reach digital evidence stored abroad, either. Unfortunately, the future of cross-border law enforcement data requests is still messy, convoluted, and extremely uncertain.