Today, the United States Supreme Court hears arguments in a case with major implications for the privacy profession.
The dispute between Microsoft and the United States government has spanned several years and will determine whether the U.S. can compel Microsoft to turn over data stored on a server located outside of the United States via a warrant issued by a U.S. court under the Stored Communications Act. The case has attracted considerable international attention, eliciting the submission of more than 20 amicus briefs with hundreds of total signatories. Technology industry heavyweights, including Apple, Amazon and Google, have filed briefs supporting Microsoft’s position, along with a variety of policy advocacy organizations. Thirty-seven U.S. states and the Commonwealth of Puerto Rico have joined Vermont’s brief in support of the U.S. government. The governments of the United Kingdom, Ireland, and New Zealand, the United Nations Special Rapporteur on the Right to Privacy, and the European Commission have filed briefs that do not take either side, but emphasize the importance of international law enforcement cooperation.
The basic facts of the case are relatively simple: The U.S. seeks to compel Microsoft to turn over the emails of one of its subscribers. This data is stored on servers controlled by Microsoft’s wholly-owned European subsidiary. The servers are physically located in Ireland—in a Dublin datacenter—and the citizenship status and location of the Microsoft customer are not revealed in the record. Microsoft has refused to produce the information.
The U.S. seeks this disclosure pursuant to a warrant it obtained from a federal magistrate judge in 2013, under Section 2703 of the Stored Communications Act. The validity of the underlying warrant is not disputed—instead, the question centers on whether the warrant can compel Microsoft to produce material that is stored outside of the U.S., and presents conflicting descriptions of what conduct qualifies as “domestic.”
The U.S. position, adopted by the magistrate judge and district court, is that because Microsoft Inc. is a U.S. company, and is fully capable of accessing the information described in the warrant from its U.S. offices, the warrant is a valid exercise of wholly domestic power. The government makes two primary arguments: first, that an SCA warrant is more accurately described as a “subpoena hybrid” that deals with required disclosure by the recipient (and could compel the recipient to turn over material located abroad) and second, that compliance with an SCA warrant is at its heart a purely domestic act, as compliance would require a U.S. company to disclose to U.S. law enforcement records it can access and control from within the U.S.
Microsoft’s position, with which the 2nd Circuit Court of Appeals sided in 2016, is that the Stored Communications Act cannot reach outside of the territorial jurisdiction of the U.S., and thus the government must pursue other means to compel Microsoft to disclose the information in question. The 2nd Circuit disagreed with the government that the SCA warrant provision could be described as a “hybrid” with traditional subpoena powers, and questioned whether even an SCA subpoena would compel a data provider to turn over foreign-located emails, though it declined to rule on the latter issue. The 2nd Circuit further identified the “focus” of the SCA as the privacy interests of the user, rather than the “disclosure of information” by the party served.
Microsoft points to two presumptions of U.S. law to support its position: First, that absent clear intent from Congress otherwise, U.S. law should apply only within the territory of the U.S.; and second, that U.S. courts should interpret U.S. law to avoid conflict with the laws of other nations, when possible. Microsoft argues that the SCA was never intended to apply to information held outside of the United States, and further that complying with the SCA warrant obtained by the government would force it to violate the data protection laws of Ireland, the jurisdiction where the data is physically located.
This case represents a potential minefield however the Supreme Court rules. Siding with Microsoft may please many in the tech industry and gratify foreign governments, but may also encourage bad behavior by the clients of multinational data controllers. The States’ amicus brief warns that upholding the 2nd Circuit could, in an age of essentially instantaneous international data transfers and largely automated data localization procedures, result in bad-faith clients causing data controllers to offshore any data that they wish to conceal from government scrutiny. The government argues that the United States does not have Mutual Legal Assistance Treaties with all foreign jurisdictions, and even where they exist, the process to make use of them is a cumbersome one that may take months or years to result in disclosure.
Ruling in favor of the government, however, may bring its own problems.
First of all, critics of the U.S. position argue that such a ruling will drastically expand the reach of the SCA to encompass scenarios that could not have possibly been anticipated when the statute was enacted in 1986. Overruling the 2nd Circuit, critics allege, will harm the commercial position of U.S. cloud computing providers and put U.S. companies in a much weaker position should they seek to resist requests from foreign governments for data stored in the U.S.—perhaps including data about political dissidents or proprietary commercial information.
A ruling for the government may also undermine the usefulness of Mutual Legal Assistance Treaties as a tool for cooperation in foreign jurisdictions — which may, in turn, have consequences under the General Data Protection Regulation. If U.S. courts begin to ignore the MLAT process and rely on domestic warrants instead, the companies served with those warrants may run afoul of Article 48 of the GDPR. Under Article 48, the judgments of courts, tribunals or administrative authorities outside of the EU may only be enforced on controllers or processors within the EU “if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State.” If the Supreme Court overturns the 2nd Circuit, a U.S. company facing an SCA warrant targeting data held by an EU subsidiary may be forced to choose between a contempt ruling from a U.S. court for refusing disclosure or an enforcement action from an EU data protection authority for turning over data.
Additionally, a ruling in favor of the government may jeopardize the Privacy Shield agreement between the United States and European Union, which depends on the determination that the United States provides “adequate” protection to the personal data of European Union citizens. A decision that requires a company to turn over personal data held in the EU via a warrant obtained from a U.S. court and served on a company’s U.S. office may jeopardize existing data transfer arrangements for multinational firms operating in both the EU and the United States. In its review of the Privacy Shield framework, the Article 29 Working Party has already threatened a legal challenge to the Privacy Shield’s adequacy before the CJEU if the PCLOB and Privacy Ombudsperson positions remain unstaffed; it is unlikely to ignore a major shift in the international applicability of U.S. criminal law.