The U.S. Supreme Court has agreed to hear a case testing the extraterritorial reach of the Stored Communications Act (SCA), 18 U.S.C. § 2703. At issue is whether a U.S. corporation served in the United States with a criminal warrant is required to produce data located outside the United States. United States v. Microsoft, Case No. 17-2, highlights the ongoing tension between big-data privacy issues and legitimate law-enforcement objectives and the difficulty of making and enforcing laws in our rapidly evolving technological environment. The Supreme Court’s decision will have important business implications for any global company maintaining significant user data.
In December 2013, the U.S. government applied for a warrant to search for information related to a particular user’s Microsoft email account based on suspicion that the account was being used for drug activity. Under the SCA, a 1986 law, the government can obtain a search warrant for information maintained by an electronic-communications provider. The magistrate judge found probable cause and issued the warrant, which was served on Microsoft at its Redmond, Washington, headquarters. Microsoft turned over identifying information about the account physically located in its offices in the United States, but refused to provide email content that it had migrated to its Dublin, Ireland, server. Microsoft acknowledged that while the data was physically located abroad, its U.S. employees could collect that data remotely from its U.S. offices.
Microsoft moved to quash the warrant. Microsoft’s motion to quash was denied by the magistrate judge, which decision was upheld by the district court judge. Following a stipulation by the parties for jurisdictional purposes, the court entered a civil contempt order against Microsoft. In June 2016, the Second Circuit reversed the lower court’s decision.
The Second Circuit’s opinion focused heavily on the privacy concerns underpinning the SCA, albeit in a far different technological environment. The SCA was designed to extend the Federal Wiretap Act to cover electronic communications. Because the SCA established parameters for lawfully searching electronic records, the Second Circuit reasoned that “[t]he overall effect [of the SCA] is an embodiment of an expectation of privacy in those communications, notwithstanding the role of service providers in their transmission and storage and the imposition of procedural restrictions on the government (and other third party) access to priority communications.” Relying on what it termed a presumption against extraterritoriality, the Second Circuit sided with Microsoft and reversed the lower court’s decision. A divided panel of the Second Circuit narrowly denied a petition for rehearing.
On petition for writ of certiorari and in argument below, the parties relied on very different interpretations of the underlying data request and its implications. The government’s position is that a warrant issued in this context is akin to a subpoena, which requires a company to disclose all information within its possession, custody, and control. As a U.S. corporation with the ability to collect and disclose (from the United States) email content it chose to migrate to Ireland, Microsoft is subject to the warrant regardless of where the data is physically stored.
By contrast, Microsoft highlighted the extraterritorial nature of the warrant, which it says allows U.S. law enforcement to impermissibly reach beyond its U.S. borders for enforcement of U.S. law. To the extent that the SCA must be modernized to account for the global mobility of data, Microsoft argues, that update must happen in Congress. Reacting in a blog post to the decision to grant certiorari, Microsoft president and chief legal officer Brad Smith continued to highlight Microsoft’s privacy concerns: “We believe that people’s privacy rights should be protected by the laws of their own countries and we believe that information stored in the cloud should have the same protections as paper stored in your desk.”
With significant amicus support on both sides, the Microsoft case is poised to play a prominent role in the ongoing development of big-data privacy jurisprudence. Argument before the Supreme Court is scheduled for February 27, 2018.
Eileen H. Rumfelt is a member of Miller & Martin, PLLC in Atlanta, Georgia.