Microsoft prevailed in its appeal to the Second Circuit from an order denying its motion to quash a warrant seeking a Microsoft user’s email stored on the company’s servers in Ireland. The ruling sets important precedent limiting the extraterritorial reach of the federal government in seeking to compel disclosure of private company data under the Stored Communications Act (“SCA”). Microsoft received high-profile support in its appeal, with the likes of Apple, AT&T, Amazon, Verizon Communications, Cisco, and the country of Ireland joining as amici curiae.
The ruling may also help bolster the credibility of the fledgling EU–U.S. Privacy Shield data transfer agreement, which has been criticized by European regulators for not adequately safeguarding EU personal data from U.S. government scrutiny. Privacy Shield’s predecessor, Safe Harbor, was struck down by the European Court of Justice over similar concerns. European regulators have so far signaled reluctant acceptance of Privacy Shield, but issues like automated data profiling continue to cause worries. The ruling by the Second Circuit may help to allay some fears over the staying power of Privacy Shield.
The July 14 ruling by Judge Susan L. Carney of the United States Court of Appeals for the Second Circuit reversed the denial by the District Court for the Southern District of New York of Microsoft’s motion to quash, and vacated the court’s finding of civil contempt for Microsoft’s failure to comply with the warrant.
Judge Carney’s ruling emphasized the SCA’s intended focus on safeguarding privacy in stored electronic communications. “Contrary to the government’s contention, this section does more than merely protect against the disclosure of information by third parties. By prohibiting the alteration or blocking of access to stored communications, this section also shelters the communications’ integrity.” Importantly, Judge Carney held that a “warrant” issued under the SCA is subject to traditional territorial limitations and constitutional requirements, including the presumption against extraterritoriality, and is not akin to a subpoena.
The warrant served on Microsoft was issued by a United States magistrate judge as part of a narcotics investigation into an unnamed individual. The warrant directed Microsoft to seize and produce the contents of the individual’s Microsoft Outlook “@msn.com” email account. The individual’s non-content information was stored on servers in the United States. The individual’s content information, however, was stored on servers in Ireland, as Microsoft generally stores content at datacenters located near the physical location identified by the user.
Microsoft complied with the warrant in part and produced the individual’s U.S.-based non-content information. Microsoft refused to produce the customer content stored on its servers in Ireland, however, and moved to quash the warrant. Microsoft’s motion subsequently was denied by the District Court, and the company was eventually held in civil contempt.
In presenting its case, the federal government argued that, similar to a subpoena, an SCA warrant requires the recipient to deliver records to the government regardless of where the records are located, so long as they are in the recipient’s custody and control. Microsoft swayed the court in asserting that an SCA warrant is subject to the same territorial boundaries as a traditional warrant. Judge Carney also noted that the federal government conceded that the warrant provisions of the SCA do not contemplate or permit extraterritorial application. The court further pointed out that the SCA itself draws a distinction between “subpoena” and “warrant”, with the latter providing a greater degree of privacy protection.
The federal government also contended that preventing SCA warrants from reaching data stored abroad would seriously impede law enforcement efforts, and that the current process for obtaining such information, using Mutual Legal Assistance Treaties (“MLATs”), is overly cumbersome. Judge Carney dismissed this argument, noting that international comity and the text of the SCA supported limiting the scope of a warrant under the SCA.
The Second Circuit’s ruling can be seen as a win for companies concerned about maintaining user privacy and curbing law enforcement’s reach into private user data. The ruling limits law enforcement’s ability to compel host companies like Microsoft to produce private user data stored abroad.