Second Circuit Reverses Lower Court Microsoft Decision and Holds That Email Evidence Stored Abroad Cannot Be Gathered Pursuant to Criminal Warrant Issued Under Stored Communications Act
In a prior post, we reported that Southern District of New York Magistrate Judge Francis determined that Microsoft must comply with a U.S. Government warrant seeking a user’s email content, even though the emails are stored in Microsoft’s datacenter in Dublin, Ireland. After the lower court declined to quash the subpoena and held Microsoft in contempt for failing to turn over customer content stored abroad, Microsoft appealed to the Second Circuit. On July 14, 2016, the appeals court issued an extensive opinion reversing the lower court’s ruling.
The Second Circuit held that the obligation of an Internet Service Provider (“ISP”) like Microsoft to disclose to the U.S. Government customer information or records is governed by the Stored Communications Act (“SCA”), which was passed as part of the Electronic Communications Privacy Act of 1986 and codified at 18 U.S.C. §§ 2701-2712 (“ECPA”). The warrant in this case, obtained under SCA Section 2703(a) after a showing of probable cause as required by the Federal Rules of Criminal Procedure (see Fed. R. Crim. P. 41(d)(1)), authorized the search and seizure of information associated with a specified web-based e-mail account that is “stored at premises owned, maintained, controlled, or operated by Microsoft Corporation.”
Concluding that the ECPA was focused on “providing basic safeguards for the privacy of domestic users,” the Court held that the use of the term “warrant” in the SCA was meant to “require pre-discovery scrutiny of the requested search and seizure by a neutral third party” and was not meant to “abandon the instrument’s territorial limitations and other constitutional requirements.” The Court noted that the SCA “imposes general obligation of non-disclosure on service providers” and creates several exceptions to those obligations, including those under which the government may require disclosure. Basic subscriber and transactional information can be obtained through a basic administrative subpoena, whereas other non-content records require a court order, and content-based records even require certain criminal warrant procedures to be followed, especially where no notice is given to the customer that the data is being sought. Under this pyramid structure for gathering information, allowing the issuance of a “warrant” under the SCA to gather material stored abroad would “require us to disregard the presumption against extraterritoriality” that has been reaffirmed repeatedly and recently by the U.S. Supreme Court.
Although the government claimed that nothing in the SCA indicated that compelled production of records is limited to those stored domestically, the Court found that such reasoning “stands the presumption against extraterritoriality on its head.” “It further reads into the [SCA] an extraterritorial awareness and intention that strike us as anachronistic, and for which we see, and the government points to, no textual or documentary support.” The Court also noted that the term “warrant” in the SCA could not be detached from “the historical role of warrants as legal instruments that pertain to discrete objects located within the United States, and that are designed to protect U.S. citizens’ privacy interests.” Although subpoenas can be used to gather evidence located abroad, the SCA requirements are more akin to a warrant than a subpoena when the government is seeking content-based communications from service providers like Microsoft in connection with uncovering criminal activity.
Having concluded that the SCA did not intend to permit the extraterritorial application of warrants, the Court went on to decide whether, in the Microsoft case, there were sufficient domestic contacts that would avoid triggering the presumption against extraterritoriality. In this case, the Court concluded that the focus of the SCA is on maintaining the privacy of stored communications, and that the overall purpose and effect of the law is to embody “an expectation of privacy” in those communications. The focus is not, as the government had argued, on the disclosure of data, but on the end user’s expectation that the data will not be disclosed. Given that focus, the Court had “little trouble concluding that execution of the Warrant would constitute an unlawful extraterritorial application” of the SCA. Here, the content subject of the warrant is located entirely abroad, regardless of Microsoft’s home in the United States.
In a separate concurrence, Judge Lynch noted that, in his view, the government’s arguments are “stronger than the Court’s opinion acknowledges,” despite the presumption against extraterritoriality. According to Judge Lynch, the case raises difficult questions about the Court’s role in assisting law enforcement in gathering materials in connection with a crime for which there is probable cause, especially when the provider storing the information is located in the United States. Criminal conduct often touches “on multiple jurisdictions” and, moreover, this case differs from the “classic scenario with respect to both the nature of the legal instrument involved and the nature of the evidentiary material the government seeks.” The SCA does not describe the “warrant” as a search warrant, but as a mechanism to compel disclosure, and the material sought is not physical, but in some respect virtual. Thus, the government’s characterization of the warrant as “domestic” is “far from frivolous” and renders the matter “a very close case.” Judge Lynch therefore urges Congress to take up anew the issue presented in this case in light of current technology and weigh the costs and benefits of authorizing the gathering of the kind of information sought here by the government.
This decision is sure to receive widespread attention and provide some comfort to service providers who promote privacy and data protection to their customers abroad. It is also timely in light of the recent European Commission / U.S. Government pronouncements concerning the steps that companies must take to ensure the adequate protection of data in the context of cross-border data transfers. It remains to be seen whether Congress will take up the call of Judge Lynch to reassess how information can be disclosed under the SCA in light of technology today, as compared to what existed in 1986 when the statute was first enacted.