Second Circuit Prohibits Extraterritorial Application of Stored Communication Act’s Warrant Provision

Privacy Cyberlaw Electronic Comm. Privacy Act

13399-surveillance_newsBy Filippo Raso – Edited by Shailin Thomas

Microsoft v. US, Docket No. 14-2985 (2nd. Cir. July 14, 2016) Opinion hosted by DocumentCloud.

The U.S. Court of Appeals for the Second Circuit reversed in part, vacated in part, and remanded the decision of the U.S. District Court for the Southern District of New York. The Second Circuit found the Magistrate Judge’s decision rested on a mistaken interpretation of the statute and its legislative history, and accordingly reversed the District Court’s denial of Microsoft’s motion to quash a warrant, reversed the District Court’s finding of civil contempt, and remanded with instructions to quash the warrant insofar as it directs Microsoft to produce customer content stored outside of the United States.

The Second Circuit held that the warrant provisions in § 2703 of the Stored Communications Act, 18 USC §§2701-2712 (1986) (“SCA”), cannot be used to compel a service provider to disclose user e-mail content stored exclusively on a server in a foreign country. In so holding, the Court noted that the SCA granted users a privacy interest in their stored electronic communication, and that the SCA formally recognized that service providers take on a “special role” when acting on behalf of the government. The Fourth Amendment restrictions apply to service providers when acting pursuant to this “special role.”

This case comes from a federal narcotics investigation started in 2013. During the investigation, federal investigators sought a search warrant pursuant to § 2703(a) to view e-mail content stored on Microsoft’s servers. According to § 2703(a), a warrant must be issued according to Rule 41 of the Federal Rules of Criminal Procedure Rule, which requires a showing of probable cause. A Magistrate Judge granted the warrant. Microsoft complied by disclosing responsive information stored on its U.S. services, but refused to disclose information stored on its Irish servers, which included the e-mail contents sought. Microsoft is capable of accessing the Irish content from the U.S., but the content is stored in Ireland. A District Court affirmed the Magistrate’s order, requiring Microsoft to provide the e-mail contents. Microsoft appealed.

The Second Circuit’s holding involved a two-step inquiry. First, the Court asked whether Congress intended the SCA to apply extraterritorially. Concluding that Congress did not intend for the SCA to apply extraterritorially, the Court then asked whether the case’s domestic contacts, particularly authorizing U.S. law enforcement officers to access content, fall within the primary focus of the statute. If the provisions’ primary focus is to provide a method of disclosure, the provisions may lawfully be applied extraterritorially under Morrison v. National Australian Bank Ltd., 561 U.S. 247 (2010). The Court found § 2703 of the SCA primarily focused on “protecting the privacy of the content of a user’s stored electronic communications,” precluding extraterritorial application.

Circuit Judge Gerard Lynch concurred, but claimed the majority’s opinion failed to adequately recognize the strength of the Government’s argument. Judge Lynch disagreed with the majority’s conclusion that the SCA is focused on user privacy, citing Microsoft’s agreement that the SCA allows law enforcement to lawfully access content stored in the United States following appropriate procedures. Judge Lynch nonetheless agreed with the outcome for a simple reason—the statute is silent on extraterritorial application. Judge Lynch highlighted the technological changes since the SCA was enacted and called on Congress to evaluate whether the SCA should be applied extraterritorially.

While the court focused on extraterritoriality, it wasn’t always clear that was the key issue in the case.  The Washington Post’s Volokh Conspiracy posited in August 2015 that the extraterritoriality would prove to be irrelevant in the final analysis.  Instead, it argued the critical issue was whether the SCA imposed an independent duty on providers to comply with court orders.

This case gathered significant attention—both from media outlets, including TechCrunch, DigitalTrends, Lawfare Institute, and Lexology, as well as from companies, privacy advocates, and international regulators. Amici curiae included, among others, Apple, AT&T, Verizon, a Member of European Parliament, the ACLU, the EFF, and the Irish government. Following this decision, both individuals and companies abroad may be more likely to adopt cloud services. The Court’s ruling may further incentivize governments to implement data localization requirements to ensure data is stored under their legal jurisdiction.

Nora Ellingsen of the Lawfare Institute provides an overview of the case and decision. The New York Times provides context and business implications of the decision.

Filippo Raso is a rising 2L at Harvard Law School and a summer clerk at the Electronic Privacy Information Center (EPIC).