The Law and Business of Social Media
October 24, 2016 - Privacy, Stored Communications Act, Litigation

Second Circuit: Email Stored Outside the U.S. Might Be Beyond Government’s Reach

Second Circuit: Email Stored Outside the U.S. Might Be Beyond Government’s Reach

As a result of the Second Circuit’s recent opinion in Microsoft v. United States, the U.S. government likely can no longer use warrants issued pursuant to the Stored Communications Act (“SCA”) to compel U.S.-based companies to produce communications, such as emails, that are stored in a physical location outside of the United States—at least for now. Instead, the government will likely need to rely on Mutual Legal Assistance Treaties, which provide a framework for states to, among other things, provide assistance to one another to obtain and execute search warrants in their respective jurisdictions.

Nevertheless, it is likely that the U.S. government will seek an alternative, which could include appealing the case to the Second Circuit en banc or pursuing legislation in Congress to amend and update the SCA in light of new digital realities.

Background on the SCA and the Microsoft Dispute

The SCA, which limits service providers’ disclosure of the user data they store, provides that a service provider may disclose to the government certain information, such as the stored contents of a customer’s emails, only if the government first obtains a warrant requiring the disclosure. Microsoft v. United States arose out of Microsoft’s dispute over the scope of one such warrant, which sought information about an email account that Microsoft determined was hosted in Dublin.

Microsoft moved to quash the warrant with respect to the actual emails in the account on the grounds that the SCA does not authorize a search and seizure outside of the territory of the United States, which is where the emails were stored.

Summary of the Second Circuit Ruling

The Second Circuit reached its decision by answering three questions:

  • What is a warrant under the SCA? Is it like a quasi-subpoena that would require a company to produce documents or information under the company’s control, regardless of where the information may be physically located? Or is it truly a warrant that only provides the government the right to conduct a search or obtain documents or information based on the statutory authority underlying the warrant (i.e., the scope of the SCA itself)?
  • What is the scope of the SCA?  If the scope of the warrant is limited to the scope of the SCA, then the next vitally important question is whether the authority of the SCA is limited to the United States or extends extraterritorially.  If the SCA does not extend beyond the borders of the United States, neither would the warrant.
  • What action was required pursuant to the warrant, and did that action take place in the United States? Even if the court found that the SCA and, therefore, the warrant were confined to the territory of the United States, the court still had to address where the seizure of the emails would occur. Microsoft had the technical ability to access the emails from the United States, but argued that the emails themselves were located in Dublin, a foreign jurisdiction.

The Second Circuit agreed with Microsoft and found that the warrant was not enforceable outside of the boundaries of the United States, and that because the emails were stored outside of the United States and would need to be accessed outside of the United States, they could not be extracted from Dublin under the SCA.

The Scope of an SCA Warrant

First, Microsoft argued that the warrant contemplated by the SCA is not a “hybrid” of a warrant and a subpoena but, rather, purely a warrant. This distinction mattered because a subpoena may require the production of communications stored overseas, while a warrant may be more limited. A subpoena can be served on a company and call for materials within the company’s possession and control, regardless of where the information is physically located.  Citing the Second Circuit’s 1983 decision in Marc Rich & Co., A.G. v. United States, the court explained that relevant precedent provides that “a defendant subject to the personal jurisdiction of a subpoena-issuing grand jury could not ‘resist the production of [subpoenaed] documents on the ground that the documents are located abroad.’”

A warrant, however, only provides the government with a right to conduct a search or obtain documents or information. That right cannot extend beyond the scope of the statutory authority forming the basis for the warrant. And, because the warrant was authorized under the SCA, if it were truly a warrant, it would only encompass the authority to obtain information covered by the SCA (as opposed to all information within Microsoft’s possession).

The district court, in denying Microsoft’s motion to quash, had reasoned that the SCA warrant was like a subpoena because, in the words of the Second Circuit, “it is executed by a service provider rather than a government law enforcement agent, and because it does not require the presence of an agent during its execution.” In other words, the government simply served the warrant to Microsoft, and Microsoft then searched for and provided relevant materials to the government (albeit withholding some of them). The government does not execute an SCA warrant itself by conducting a search and seizing the emails directly in the same way it might search a house and seize a personal computer, for example.

The Second Circuit disagreed, reasoning that the warrant required for a service provider to make a disclosure to the government under the SCA—is, indeed, the same thing as is meant by the term of art “warrant.” As a result, the court concluded that no law developed in the subpoena context could apply to the SCA warrant, and the scope of the search would therefore be limited by the scope of the SCA’s authority. Accordingly, the fact that Microsoft was physically located in the United States and subject to the jurisdiction of the SCA generally was not relevant. Instead, the operative issue is what conduct of Microsoft—i.e., which of Microsoft’s services— are covered by the SCA and thus subject to a warrant issued under the SCA.

The court then addressed the SCA’s scope. If the SCA does not reach outside of the United States, the court reasoned, the warrant could not reach outside of the United States either. The court concluded that the SCA does not “contemplate or permit extraterritorial application,” reasoning that the “focus” of the SCA’s warrant provisions as “protecting the privacy of the content of a user’s stored electronic communications.”  In other words, the SCA is intended to protect the privacy of individuals in connection with the seizure of emails, and that privacy protection is intended to apply within the United States.

As a result, the activity permitted pursuant to any SCA warrant—e.g., a search of emails—also must apply only within the United States. Based on this analysis, the court had “little trouble” concluding that using the warrant to authorize the retrieval of emails stored abroad would constitute “an unlawful extraterritorial application” of the SCA.

Finally, the court confirmed that the activity at issue would, indeed, occur outside of the United States, reasoning in part that “the data is stored in Dublin, that Microsoft will necessarily interact with the Dublin datacenter in order to retrieve the information for the government’s benefit, and that the data lies within the jurisdiction of a foreign sovereign [i.e., Ireland].” In other words, even if Microsoft accessed the emails from a U.S. workstation, the actual seizure of the emails would occur on a server in Dublin.

Aftermath and Implications

Microsoft v. United States was closely watched because of privacy concerns raised by the governments of some countries in the European Union and by advocacy groups and others. A number of U.S.-based technology and media companies, as well as trade associations, advocacy groups and the government of Ireland itself, filed amicus briefs in favor of Microsoft’s position in the case. The Irish government’s brief, for example, argued “[f]oreign courts are obliged to respect Irish sovereignty” because Ireland cooperates with other states to fight crime and has enacted legislation giving effect to international treaties and instruments that provide for mutual legal assistance in criminal matters.

This ruling should be some comfort to U.S. companies that provide stored communications services, such as email, on a global basis. For now, at least, it appears U.S. law enforcement cannot directly access, via warrants issued under the SCA, information that: (1) belongs to people who are not in the United States; (2) is held by U.S.-based service providers; and (3) is stored on servers that are not within U.S. territory. The opinion does not, however, resolve all debates about cross-border data transfers and data access. In particular, the SCA is just one of many mechanisms by which the U.S. government can access information; there are other mechanisms that are, indeed, subpoena-based and thus not subject to the same strict territorial analysis.

Furthermore, the court did not resolve how the SCA warrant provisions would apply to data stored abroad but related to U.S. citizens or residents. While the U.S. legal regime has typically been territorially based, in the cloud-based digital age, a bright territorial line may not be viable. One possibility would be for the United States to adopt a regime that focuses not on the physical location of the data but on the physical location of the data subject (i.e., where the individual resides, as opposed to where the emails reside).

Otherwise, a singular focus on the location of the information itself might result in more governments implementing data localization requirements to ensure that they can access their residents’ information. Because increased localization requirements can make it difficult to deliver cloud‑based services, including email services, such requirements would ironically be just as detrimental to service providers as the prospect of a globalized SCA was prior to the Second Circuit’s Microsoft v. United States decision.

In light of these considerations, it remains to be seen how the U.S. Justice Department, other governments and other industries will respond. In the near term, possibilities include a legislative fix or an appeal, which—in light of the current eight-member Supreme Court and the possibility of a 4-4 split decision that would leave the Second Circuit’s ruling in place —would most likely be to the Second Circuit en banc.

One thing is clear: We have not seen the end of the debate over the reach of government authority in the digital age or over the concept of jurisdiction and territoriality when information can move across borders—and be moved across borders—in the blink of an eye.