August 16, 2017

Supreme Court to Address Significant Stored Communications Act Cases

by Sean Fernandes

Attorneys interested in electronic communications privacy issues should take note of two cases currently under consideration by the Supreme Court that implicate the Stored Communications Act (SCA).

First, the court will hear oral argument this term in Carpenter v. United States. Carpenter concerns whether Fourth Amendment protections apply to cell phone “transactional records,” which reveal the location and movements of a cell phone. The case is important because it will reconcile a conflict between the long-standing “third party” doctrine and recent cases recognizing privacy interests in electronic data.

Second, the court is considering the government’s certiorari petition in United States v. Microsoft, a case addressing the territorial scope of SCA warrants. The case is being closely watched by global technology companies because if SCA warrants reach electronic personal data kept outside the United States, complying with SCA warrants will force companies to violate foreign privacy laws. These violations would expose these companies to significant fines and regulatory consequences.

Carpenter v. United States
In Carpenter, federal law enforcement obtained the transactional records of defendant Carpenter’s cell phones. Federal agents used the data to determine that Carpenter’s cell phones connected with towers near robberies they were investigating.

Law enforcement obtained those records through a court order under Section 2703 of the SCA. That provision allows the government to compel disclosure of communication “transactional records” based on “reasonable grounds to believe” that the information is relevant to an investigation. This standard is less stringent than the Fourth Amendment’s requirement of a warrant supported by “probable cause.”

In the trial court, the defendant moved to suppress the service records, arguing that the more stringent Fourth Amendment standard should apply to the records. That motion was denied, and Carpenter was convicted.

On appeal, the Sixth Circuit also rejected the defendant’s Fourth Amendment argument, finding that the defendant had no reasonable expectation of privacy in his cell phone records under the “third party” doctrine. The “third party” doctrine provides that people who voluntarily give information to third parties, such as banks or phone companies, have “no reasonable expectation” of privacy in that information under the Fourth Amendment.

Two recent opinions from opposite ideological wings indicate the defendant’s argument may find traction before the Supreme Court. In United States v. Jones, the Court held that the Fourth Amendment required police to obtain a warrant supported by probable cause to attach a GPS tracker to a car. Justice Sonia Sotomayor wrote, in a concurring opinion, that individuals have a reasonable expectation of privacy regarding their specific geographic location, because such information could allow the government to extrapolate conclusions regarding their personal life, including “political and religious beliefs” and “sexual habits.”

In Riley v. California, the Court held that searching the contents of a cell phone requires a warrant supported by probable cause. Chief Justice John Roberts used colorful language to describe the ubiquity of cell phones and the personal nature of their contents, noting that a “visitor from Mars might conclude that they were an important feature of human anatomy.”

While it would be logical to extend the Jones and Riley opinions to hold that cell phone transactional records also are protected by the Fourth Amendment, such a holding is still not a foregone conclusion.

As the Sixth Circuit noted in Carpenter, the “third party” doctrine is longstanding and is clearly implicated in the case given precedent relating to disclosures to telephone companies.

Furthermore, the information at issue in both Jones and Riley can be distinguished from the information sought by law enforcement in Carpenter. A transactional record only provides information such as when calls were made, to whom, and the tower to which the call linked. Unlike the GPS tracking data in Jones, these records can be obtained without a physical invasion. And they are at least arguably less sensitive than the cell phone content at issue in Riley.

While untangling the relevant precedent will be complex, the Carpenter holding will necessarily resolve important issues regarding the privacy of electronic information and provide clarity on these issues.

United States v. Microsoft
The issue in Microsoft is whether SCA warrants can be used to obtain data on servers located outside the United States. The government sought to compel Microsoft to produce data in connection with a criminal investigation under an SCA warrant. Microsoft delivered responsive data stored in the United States, but refused to produce responsive data kept on a foreign server and moved to quash the warrant.

In moving to quash, Microsoft argued that transferring that data to the United States authorities would violate European data privacy laws and subject Microsoft to enforcement actions and fines. Microsoft contended that SCA warrants only apply within the “United States and in United States-controlled areas.” The company further argued that it could not be compelled to obey the laws of one jurisdiction by violating the laws of another. The trial court denied Microsoft’s motion to quash, but the Second Circuit reversed.

The government filed its petition for certiorari in June. While certiorari is still pending as of this writing, it is worth monitoring Microsoft for two reasons. First, other federal courts have since issued conflicting rulings on whether SCA warrants can apply extraterritorially. Second, as the Supreme Court has historically heavily weighted the solicitor general’s opinion on whether a case is worthy of review, there is a good chance certiorari will be granted.

If accepted for review, the case will turn on how the court views the question of the location where the SCA warrant is to be executed. Microsoft has argued that compelling disclosure of data in a foreign country requires execution of a warrant within that country, which violates the established presumption against extraterritorial application of statutes. The government has argued that the warrant will be executed domestically because Microsoft would access the foreign server from within the United States and disclose the subpoenaed data in the United States.

How the court resolves this conflict will have important implications for U.S. companies with operations in Europe and other countries with more stringent privacy laws, and for businesses subject to foreign privacy laws as well as the laws of the United States.

Sean Fernandes is an associate at Ellis & Winters LLP in Raleigh, North Carolina.

Copyright © 2017, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).
