The Government Cannot Compel Disclosure of Emails Stored on Overseas Servers via a Domestic Warrant

Can the Government employ a domestic search warrant to compel disclosure of communications stored on servers located outside of the United States?  In its much anticipated decision in In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, 14-2985 (“Microsoft”), a Second Circuit panel (Lynch, J., Carney, J., Bolden, J., sitting by designation) answered that it cannot.

Interpreting the warrant provision of the Stored Communications Act (“SCA”), 18 U.S.C. § 2703, the Microsoft Court held that Congress did not intend the SCA’s warrant provision to apply extraterritorially, and that emails stored on a server in Ireland were therefore beyond the reach of a warrant issued pursuant to the SCA.

Microsoft establishes a clear rule for practitioners and law enforcement.  It also highlights the need for Congressional action to reform the SCA -- which was enacted in 1986 -- to reflect the modern multi-national cloud electronic data storage regime that exists today.  It is as if a law governing airplane use was passed months after the Wright Brothers took flight and still governed aviation in the 1930s.  The majority opinion’s reasoning in key areas of the opinion was not expansive, and this may limit the impact of the decision on the future direction of data privacy law.  Although it hard to predict Congressional action given the gridlock in Washington, D.C., reform of the SCA on a number of issues (including this one) can be expected to be a priority for the Department of Justice.  

1. The Decision Below

On December 4, 2013, Magistrate Judge James Francis of the U.S. District Court for the Southern District of New York issued a “Search and Seizure Warrant” to be served on Microsoft at the Government’s request.  The warrant required Microsoft to turn over all emails related to a particular email account that the Government believed was being used in furtherance of narcotics trafficking.  The data constituting the substantive content of the emails related to that account were stored on an email server located in Dublin, Ireland.  The warrant also required Microsoft to turn over metadata and other non-content information that was kept on servers located in the United States.  Microsoft partially complied with the warrant by disclosing the responsive information that was kept in the United States, but refused to disclose the substantive information that was stored on the Ireland server.  Microsoft moved Magistrate Judge Francis to quash the warrant with respect to the content located overseas.

Magistrate Judge Francis denied Microsoft’s motion to quash.  He reasoned that under the SCA, a warrant is “executed like a subpoena” and requires the person or entity upon whom it is served to produce information within its custody or control regardless of the physical location of that information.  Magistrate Judge Francis found that this conclusion was consistent with the text and legislative history of the SCA.  He also pointed to the “practical consequences” of holding that a warrant could not reach overseas email content.   Importantly, Magistrate Judge Francis identified as the “relevant place of seizure” the place where the Government would review the content: the United States, rather than the place where the content was stored: Ireland.  Chief Judge Loretta Preska affirmed Magistrate Judge Francis’s decision from the bench.

2. The Second Circuit Reverses

The Second Circuit reversed the District Court’s denial of Microsoft’s motion to quash and remanded the case to that court with instructions to quash the warrant with respect to the information stored outside of the United States.[1] 

Judge Carney’s majority opinion proceeded in two analytical parts.  Following the approach set forth in the Supreme Court’s 2010 decision addressing the extraterritorial application of a statute, Morrison v. National Australian Bank Ltd., 561 U.S. 247 (2010), the majority opinion first sought to determine whether the SCA’s warrant provision, § 2703, authorized the extraterritorial application of SCA warrants.  If the SCA did not authorize an extraterritorial application, Judge Carney determined that Morrison required the Court to ascertain whether compelling Microsoft’s disclosure of email content located on a server in Ireland constituted an impermissible extraterritorial application of the SCA.

Proceeding to the first step of the inquiry, the majority opinion determined that the SCA does not apply extraterritorially.  First, Judge Carney reasoned that the § 2703 lacks any mention of extraterritorial application, and that “[w]hen Congress intends that a law apply extraterritorially, it gives an ‘affirmative indication’ of that intent.”  She next pointed to the fact that § 2703 allows any state court to issue an SCA warrant, and determined that it was unlikely that Congress would have allowed state courts to issue extraterritorial warrants in light of the federal government’s interest in the uniform exercise of state power that impacts foreign relations.  Turning next to § 2703’s use of the term “warrant,” the majority opinion canvassed the history of the usage of the term and found that historically the term warrant has been tied to domestic, and not extraterritorial, notions of privacy.  The majority opinion noted, moreover, that Congress has since amended § 2703 several times without ever calling into question the traditional domestic scope of a “warrant” provision.  

The majority opinion also rejected the Government’s argument that the SCA contemplated extraterritorial application because the warrants issued pursuant to § 2703 are “akin to a subpoena,” which would compel the production of any material under Microsoft’s control, regardless of location,  Noting that warrants and subpoenas are “distinct legal instruments,” Judge Carney found that the  SCA used the terms “warrant” and “subpoena” purposefully, to provide varying levels of protection toward different forms of data, and that § 2703 intentionally used the term “warrant.”  She determined, therefore, that there was no basis to apply the law governing subpoenas in the context of an SCA warrant.  The majority opinion further found that, even if the law of subpoenas were to govern, there is no Second Circuit precedent for the use of a subpoena to compel a recipient to produce an item located overseas when “the recipient is merely a caretaker for another individual or entity” with a “protectable privacy interest” in the item.  Judge Carney distinguished instances in which banks have been required to turn over data stored overseas pursuant to a subpoena on the ground that, unlike with respect to substantive email communications, there is no protectable privacy interest in a bank’s records regarding an individual’s account. 

Having held that the § 2703 of the SCA does not have territorial application, the majority opinion next addressed whether compelling Microsoft to turn over communications stored on a server in Ireland would constitute an extraterritorial application of that provision.  In holding that it would, the majority reasoning was brief and somewhat cursory.  First, the majority opinion devoted seven pages to its determination that a focus of the SCA was on protecting user privacy.  Judge Carney noted that the operative language of § 2703 -- that “a government entity may require the disclosure . . . of the contents of a wire or electronic communication . . . only pursuant to a warrant issued using the rules described in the Federal Rules of Criminal Procedure”  --  “suggests a legislative focus on the privacy of stored communications” because Rule 41 of the Federal Rules of Criminal Procedure, under which warrants issue, is “undergirded by the Constitution’s protections of citizens’ privacy against unlawful searches and seizures.”  The majority opinion then pointed to other provisions of the SCA, as well as the SCA’s legislative history, as bolstering its conclusion that the protection of communications privacy was at the heart of the statute.

Having determined that the SCA focuses on user privacy, the majority opinion determined that the execution of the warrant would constitute an impermissible extraterritorial application of the statute because the customer’s privacy interest would be infringed in Ireland, and not the United States.  The majority opinion did not articulate its reasoning in detail for this significant conclusion, stating only that “[b]ecause the content subject to the Warrant is located in, and would be seized from, the Dublin datacenter, the conduct that falls within the focus of the SCA would occur outside the United States regardless of the customer’s location and regardless of Microsoft’s home in the United States.”  The majority opinion held, therefore, that Microsoft had fully complied with the lawful extent of the warrant and reversed the district court’s denial of Microsoft’s motion to quash the warrant insofar as it required Microsoft to produce data stored in Ireland.

Judge Lynch Concurs in the Judgment

Judge Lynch concurred in the judgment, but wrote separately to clarify his view as to the privacy interests at stake in the case and to urge Congress to amend the SCA to account for technological developments in the storage of electronic communications since the statute was enacted in 1986.

Judge Lynch rested his concurrence in the judgment on the presumption against the extraterritorial effect of statutes.   He concluded that it was likely that Congress had not “contemplated [extraterritorial] applications [of the SCA’s warrant provision] for a single moment” because the multi-national “cloud” storage of electronic data was unforeseeable to Congress in 1986.

Despite his agreement with the outcome reached by the majority, Judge Lynch wrote separately to clarify what he believed to be the privacy interests at stake in the case.  He explained that he disagreed with the position taken by Microsoft, and some amici, that to uphold the warrant would undermine basic privacy values.  Judge Lynch stressed that a person’s privacy interests in his or her electronic communications do not change depending on where those communications are stored.  Ultimately, Judge Lynch concluded, the case is not about privacy but about the extent of “the international reach of American law.”  He noted that Congress has plenary power to extend American laws extraterritorially, and that no special judicially imposed privacy constraints cabin its power to do so. 

Judge Lynch also noted that the geographic location in which the data-holder’s privacy interest is infringed was not as clear as the majority’s opinion made it seem.  He wrote that “[i]t seems at least equally persuasive that the invasion of privacy occurs where the person whose privacy is invaded” is located as where the data is stored. 

Finally, Judge Lynch urged Congress to amend the SCA to reflect the current multi-national “cloud” storage of electronic communications, and to strike a balance between the privacy interests and the law enforcement interests implicated by the current scheme.  He urged Congress to determine “whether the benefits of permitting [extraterritorial] subpoena-like orders of the kind issued here outweigh the costs of doing so.” 

4. Analysis and Implications

Until Congress amends the statute, Microsoft establishes that SCA warrants cannot reach communications data stored on servers abroad.  Some practical implications of the holding are evident.  Prosecutors and law enforcement will have to rely on the cooperation of foreign governments to gain access to communications stored on servers abroad.  In some places around the world, this should not be difficult, as international cooperation between the Department of Justice and other governments is routine.  But local law will be relevant:  the extent of the privacy protection afforded to those communications, therefore, will be governed by the privacy laws of the particular country in which the data is stored.  Many European countries have broader notions of data privacy than exist in the United States.  There is also the possibility that certain nations that are less dependent on the goodwill of the United States will tighten their privacy laws in order to attract server hosting business (somewhat akin to Delaware’s disproportionate role in setting corporate law in the United States). 

While the Microsoft decision provides a clear rule, the brief reasoning undergirding elements of the opinion makes it difficult to assess its impact on the future doctrinal direction of data privacy law in the Second Circuit.  Judge Lynch expressed concern that the opinion did not explain why the privacy interest of the person to whom the electronic communication belongs is infringed upon at the location where the data is stored.  He noted that one could equally argue that the privacy interest is invaded where the individual resides, or where the data is delivered to the Government in the United States.  One might ask why the issue of the extraterritorial application of the statute should turn on where the privacy interest is invaded at all, as opposed to other factors. 

Whether this decision is based on data privacy concerns is itself an open question.  Judge Lynch seems to think that it is not such a case.  He explained in his dissent that the decision is not really about the right to keep emails private – “the sole issue involved is whether Microsoft can thwart the government’s otherwise justified demand for the emails at issue by the simple expedient of choosing—in its own discretion—to store them on a server in another country.”  Judge Lynch also explained that “neither privacy interests nor the needs of law enforcement vary depending on whether a private company chooses to store records here or abroad—particularly when the ‘records’ are electronic zeros and ones that can be moved around the world in seconds, and will be so moved whenever it suits the convenience of commercial purposes of the company.”  In that sense, the decision can be viewed as more limited, involving extraterritoriality rather than data privacy.

Indeed, the decision may be cited more often in the growing body of post-Morrison case law concerning the extra-territorial application of United States law.  The Supreme Court’s recent decision in Morrison and RJR Nabisco Inc. v. European Cmty., 136 S. Ct. 2090 (2016), suggest a general trend against the extraterritorial application of United States law.  See, e.g., Kiobel v. Royal Dutch Petro. Co., 133 S. Ct. 1659, 1669 (2013) (presumption against extraterritoriality applied in context of the Alien Tort Statute); Liu Meng-Lin v. Siemens AG, 763 F.3d 175, 183 (2d Cir. 2014) (no extraterritorial application of whistleblower anti-retaliation provision of Dodd-Frank Act).  Whether this is driven in part by a concern about the increasing focus of the Department of Justice on defendants with little or no contact with the United States is a matter of debate.

Ultimately, however, the doctrinal limitations set out in Microsoft may be of little practical import.  The Court has set a clear rule, and it will be followed at least within this Circuit. It will ultimately be up to Congress to establish the extent of the Government’s access to data stored on servers located abroad.