In a landmark decision issued last Thursday, July 14, 2016, a unanimous three-judge panel of the United States Court of Appeals for the Second Circuit reversed the United States District Court for the Southern District of New York and held that the Stored Communications Act (SCA) does not authorize courts to issue and enforce against U.S.-based service providers warrants for the seizure of customer email content that is stored exclusively on foreign servers. The decision, captioned In the Matter of a Warrant to Search a Certain Email Account Controlled and Maintained by Microsoft Corp., overturned a July 2014 lower court decision upholding such a warrant against Microsoft Corporation and finding the company in civil contempt for refusing to comply with the warrant. Circuit Judge Susan L. Carney authored the Second Circuit's decision. Circuit Judge Gerard E. Lynch wrote a separate concurring opinion.

Background

The SCA — part of the broader Electronic Communications Privacy Act (ECPA) — sets up a tiered structure regulating governmental access to stored communications, raising the standard the government must satisfy to obtain progressively more sensitive communications. To obtain "priority stored communications," including the content of communications stored for less than 180 days, the government must, with rare exceptions, obtain a warrant based on a showing of probable cause pursuant to the Federal Rules of Criminal Procedure. In the course of a criminal investigation and after a showing of probable cause, the government issued a warrant to Microsoft, pursuant to the SCA, directing the company to seize and produce the contents of an email account of one of its customers. While some of this data was stored in the United States, the remainder was stored on servers in Ireland. Microsoft agreed to produce the data located in the United States, but declined to produce the data stored in Ireland, arguing that the warrant authorized law enforcement to seize only items within the United States or United States-controlled areas.

In April 2014, Magistrate Judge James Francis, who issued the warrant, denied Microsoft's motion to vacate the warrant with respect to the data stored in Ireland. In July 2014, Southern District of New York Chief Judge Loretta Preska affirmed the magistrate's ruling and held Microsoft in contempt for refusing to comply with the warrant. In December of 2014, Microsoft appealed to the Second Circuit.

On appeal, Microsoft argued that the SCA does not permit a court to issue a warrant compelling an electronic communications provider to seize and produce private correspondence stored on foreign computers or servers. Microsoft insisted there was no basis for the magistrate's position that a warrant under the SCA is actually a "hybrid: part search warrant and part subpoena" requiring a provider to turn over emails "regardless of the location of that information." Moreover, Microsoft argued, because Congress gave no indication that the ECPA's warrant provision should apply extraterritorially, the general presumption against extraterritorial application of U.S. law should control.

Numerous allies of Microsoft's position — including tech companies such as Cisco, Amazon, Apple, AT&T, eBay and Verizon, many of which offer cloud-based data or email storage to their customers, along with various media, business and civil liberties organizations — filed amicus briefs with the Second Circuit.

The Second Circuit's Decision

On July 14, in a 43-page decision by Judge Carney, the Court of Appeals reversed the district court's denial of Microsoft's motion to quash and vacated the order holding Microsoft in civil contempt of court.

The Second Circuit initially addressed whether Congress intended the SCA's warrant provisions to be applied extraterritorially. Following the Supreme Court's decision in Morrison v. National Australian Bank Ltd., 561 U.S. 247 (2010), courts must presume, absent an indication of Congress' clear intent to the contrary, that federal laws apply only within the territorial jurisdiction of the United States. Judge Carney wrote that Congress, in passing the SCA, made no explicit or implicit indication that its warrant provisions would apply overseas. The court observed that when Congress passed the SCA in 1986, it could not have foreseen today's globalized internet infrastructure, suggesting that Congress would not have intended the SCA to apply on an international level. In reaching this conclusion, the court noted that "a globally-connected Internet available to the general public for routine e-mail and other uses was still years in the future when Congress first took action to protect user privacy."

The court also stressed the significance of the SCA's use of the term "warrant," observing that the term "is traditionally moored to privacy concepts applied within the territory of the United States." The court rejected the government's argument that an SCA warrant should be treated as the equivalent of a subpoena, which, under certain circumstances, can reach documents located abroad. "When the government compels a private party to assist it in conducting a search or seizure, the private party becomes an agent of the government, and the Fourth Amendment's warrant clause applies in full force to the private party's actions."

The court then considered whether execution of the warrant in question would in fact qualify as an extraterritorial application of the SCA. In this analysis, the key issue is the "territorial events or relationships" that are the "focus" of the relevant statutory provision. If the events or contacts that are the focus of the statute lie in the United States, application of the law would not be extraterritorial. But if the "domestic contacts are merely secondary" to the focus of the statute, application of the provision would be extraterritorial and therefore impermissible. The court held that the SCA's warrant provisions focus on protecting the privacy of stored communications such as emails, writing that the "overall effect [of the SCA] is the embodiment of an expectation of privacy in those communications." Following this conclusion, the court determined that the territorial events that are the focus of the SCA as applied in this case occurred in Ireland, where the data in question was stored and the seizure of which, if compelled, would take place.

Based on this analysis, the court concluded that execution of the warrant on Microsoft "would constitute an unlawful extraterritorial application" of the SCA under Morrison. The court wrote, "[I]t is our view that the invasion of the customer's privacy takes place under the SCA where the customer's protected content is accessed — here, where it is seized by Microsoft, acting as an agent of the government." Even though Microsoft was located in the United States, "[b]ecause the content subject to the Warrant is located in, and would be seized from, the Dublin datacenter, the conduct that falls within the focus of the SCA would occur outside the United States." The record was silent on the "citizenship and location of the customer," but the court held that neither was relevant to the analysis because "the invasion of the customer's privacy takes place under the SCA where the customer's protected content is accessed."

Concurring Opinion by Judge Lynch

In a concurring opinion, Circuit Judge Gerard Lynch stated his agreement with the court's holding while also recognizing the validity of certain of the government's arguments and urging Congress to update the "badly outdated" 30-year-old statute that controlled the decision. Judge Lynch wrote that the SCA permitted Microsoft (and its foreign customers or Americans who represent to Microsoft that they reside abroad) to avoid a justified demand by the government by simply deciding to store emails outside of the United States for "reasons of profit or cost control." Here, Judge Lynch observed, the government's warrant was constitutionally sound, based on probable cause that the records sought contained evidence of a crime and would have allowed access to the electronic communications in an ordinary domestic context. However, because Microsoft's servers were stored in Ireland, the core issue in the case became whether "Microsoft can thwart the government's otherwise justified demand for the emails at issue by the simple expedient of choosing — in its own discretion — to store them on a server in another country." Judge Lynch concluded, although somewhat hesitantly, that Microsoft does indeed have this power under the SCA.

However, Judge Lynch also noted that the idea of storing online data in a particular physical location may be increasingly outmoded, and urged Congress to consider amending the SCA to allow for a more nuanced analysis grounded in contemporary technological realities. He concluded his opinion by stating that while he concurred in the result and had "little trouble agreeing with [the panel] that the SCA does not have extraterritorial effect," he was "without any illusion that the result should even be regarded as a rational policy outcome, let alone celebrated as a milestone in protecting privacy."

Looking Forward

Microsoft and various other companies have applauded the Second Circuit's ruling as a landmark victory for the protection of consumer privacy. The government is considering whether to seek certiorari before the Supreme Court and may also take up its cause in Congress, alerting legislators to the concerns raised by Judge Lynch in his concurrence and urging them to overhaul the SCA. In the meantime, the Second Circuit's decision may allow electronic communications service providers with servers overseas to place their customers' communications beyond the long arm of American law enforcement, based on where those providers have decided to store the communications.

Originally published in Pratt's Privacy & Cybersecurity Law Report, Volume 2, Number 8, October 2016.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.