On October 16, 2017, the Supreme Court made a surprising grant of review in a case which may have far reaching consequences for tech companies and litigants generally. The case, United States v. Microsoft Corp., involves a subpoena issued in a domestic drug trafficking investigation, which the Second Circuit quashed on the ground that the Stored Communications Act, 18 U.S.C. 2703 (“SCA”), does not apply extraterritorially. Although the Second Circuit did not create any circuit split, the Supreme Court granted certiorari, possibly setting the stage for a decision with major implications for data storage practices, privacy, and the role played by tech companies in law enforcement and dealing with conflicting international rules on privacy.
Electronic communications providers such as Microsoft store vast amounts of data and information, which can be kept on servers anywhere in the world and often are stored far from where the stored communications originated or were sent. In December 2013, a magistrate judge in the S.D.N.Y. issued a warrant under the SCA for information concerning an individual who used an msn.com email account. The warrant was served on Microsoft in the United States. Microsoft handed over the information stored in the United States, but objected to providing communications stored in a data center in Ireland, even though the information was electronically available to Microsoft from the United States. When Microsoft moved to quash the latter aspect of the warrant, the magistrate judge denied the motion, and the district court affirmed. On appeal, however, the Second Circuit overturned the decision and ordered the warrant quashed.
In overturning the lower court, the Second Circuit relied not only on the SCA’s text and the practice relating to it, but also on the presumption against applying American law extraterritorially. The court of appeals noted that the SCA uses the language of warrants, which have historically been territorially-limited, and that the boilerplate language on the SCA warrant in the case contemplated the searching of premises and the seizure of materials and things rather than production of materials under Microsoft’s control, as a subpoena would. In addition, the Second Circuit invoked the presumption endorsed by the Supreme Court in Morrison v. Nat’l. Australia Bank, N.A., 561 U.S. 2869 (2010), and recently reaffirmed in RJR Nabisco, Inc. v. European Community, 136 S. Ct 2090 (2016), that American laws apply only within United States territory unless explicit statutory language extends the law’s reach extraterritorially.
As the Second Circuit acknowledged, refusal to apply the SCA extraterritorially will significantly impact law enforcement. The government’s ability to timely investigate and prosecute cases as varied as drug trafficking, child sexual exploitation, and terrorism will be hampered if law enforcement officials are unable to obtain information from electronic communications providers using a valid warrant simply because the provider has elected, usually for economic reasons, to store the information in data centers outside the country. Indeed, when the United States government petitioned for review of the Second Circuit’s decision in Microsoft, more than thirty states filed an amicus brief supporting the petition. This amicus brief described the challenges law enforcement would face under the Second Circuit’s decision, including delays in accessing time-sensitive information and resource-intensive applications to foreign bodies for data, as well as avoidable tensions created by involving foreign governments in the seizure of data that may be protected in countries with more restrictive privacy laws when an engineer in the United States can access the data on a foreign server without complication.
In addition to these important law enforcement considerations, the Microsoft case also implicates broader issues of widespread importance. The SCA was enacted in 1986 before the Internet had assumed its current, ubiquitous role, before the advent of cloud computing technology, and before the rise of social media and other new means and forms of communication. As a result, the SCA is badly outdated and in need of modernization. However, despite bipartisan recognition of the need to reform the SCA, Congress has failed to act, leaving the courts to administer a law increasingly out of tune with contemporary circumstances. The Supreme Court’s grant of review in the Microsoft case may indicate a willingness to intervene in adapting laws such as the SCA to changing technology. Or, alternatively, the Supreme Court may decide that courts should refrain from attempting to do so. Many foreign countries, particularly in Europe, have data privacy laws of their own, and many are more stringent than American laws. A broad interpretation of the SCA might bring American law enforcement efforts into conflict with those laws, creating international tensions. Especially in light of those potential problems, the Supreme Court may decide that it should leave the problem of adapting the SCA to modern circumstances to the political braches, which are better suited to deal with such considerations.
Whatever route the Supreme Court takes, its decision in the Microsoft case may have a profound impact. If the Court affirms the Second Circuit’s decision and holds that the SCA does not apply extraterritorially, communications providers will be forced to formulate their practices at the intersection of public policy and technology without clear legal proscription or guidance. This will force them to become the gatekeepers of both the privacy of their customers’ communications and the public safety interests raised by the government and their amici. Thus, in deciding where to store communications, communications providers will be forced to consider not only the economic advantages of storing communications in data centers outside the United States, but also their impact on law enforcement activities—a responsibility heightened by recent revelations about Russian use of social media in the last presidential election.
If the Supreme Court overturns the Second Circuit’s decision, communications providers will be relieved of much of this responsibility. But if they are required to produce communications that are stored in foreign countries, they will face another problem: they will have to deal with foreign privacy laws, which may bar the production of such communications. As a consequence, communications providers will be forced to create policies and procedures for data storage allowing them to comply with their obligations under both the SCA and foreign privacy laws. In addition, many customers undoubtedly will take the different solutions reached by communications providers into account in choosing and utilizing communications providers.
And the Microsoft decision may have even greater impact if the Supreme Court overturns the Second Circuit’s decision on broad grounds. While the Court might overturn on narrow grounds relating solely to law enforcement concerns, the Supreme Court’s grant of cert in Microsoft may also indicate that the Court is rethinking the presumption against extraterritoriality in light of the increasing interconnectedness of global economies and global technologies. The Court may decide that presuming that law ends at territorial limits makes no sense in dealing with legal concerns raised by technologies that know no such limits. Such a ruling could impact many statutes as well as the requirements of and limits on document production from foreign jurisdictions in civil cases. For example, if communications stored in foreign countries are deemed to be under the control of communications providers because they can be accessed from the United States, litigants may be deemed to control any information that they access from United States and may be required to produce that information in discovery.
In short, no matter how it is decided, the Microsoft case may have far-reaching consequences and therefore should be followed carefully.