In one of the most important decisions of the summer, the Second Circuit Court of Appeals held that the U.S. government could not compel Microsoft to disclose user data stored exclusively in its Dublin, Ireland datacenter pursuant to a warrant issued according to the Stored Communications Act (“SCA”, 18 U.S.C. § 2701 et seq.). In reaching this conclusion, the Second Circuit considered whether the SCA authorizes courts to issue warrants for the seizure of user content stored on non-U.S. servers and enforce these warrants against U.S. providers. Below are some of the highlights from the decision.
1. This decision is powerful but narrow.
The court limited its holding to SCA warrants for email content, when the provider is certain that the data is exclusively stored abroad. This type of data localization for each customer may be more common for providers of business and enterprise services than direct-to-consumer services. If a service provider were to receive an SCA warrant for user data which is known to be stored exclusively on non-U.S. servers, the provider should evaluate its options and obligations with counsel before complying.
2. The fight isn’t over yet.
It remains to be seen how the DOJ will attempt to challenge or mitigate this result (such as by moving to compel providers to comply with SCA warrants in other Circuits, appealing this decision to SCOTUS, and/or attempting to effect legislative change), but there will almost certainly be a challenge. The government thinks this result is untenable for law enforcement because this opinion means that a U.S. court cannot compel a provider to disclose communications content that is stored overseas in any situation. That is, it does not matter whether there are alternative means to obtain the information, or whether U.S. law is consistent with laws of the country where the data is located. This decision may also create some urgency for the government to improve the Mutual Legal Assistance Treaty (MLAT) process, because the U.S. government may now need to utilize this process to obtain data stored on foreign servers more frequently. The decision will also give increased urgency to efforts by the U.S. and U.K. governments to put in place an agreement allowing each government to serve legal process on providers located in the other country.
3. Location of compliance employees is irrelevant.
Since the data at issue was exclusively stored abroad, the Second Circuit found it insignificant that Microsoft’s compliance team was located in California and Washington, even though those employees had the ability to remotely collect the data from Ireland using a database management program. It is not clear that other courts would necessarily agree with that conclusion.
4. Citizenship of the target is also irrelevant.
Whether or not the government knows the citizenship of the account-holder whose data is sought pursuant to an SCA warrant, the court held that citizenship is not relevant to determining the warrant’s validity. Instead, the court found that “the invasion of the customer’s privacy” occurs when the target’s protected content is accessed, at the location of the datacenter where the target’s protected content is stored – and therefore the datacenter location is the critical factor.
5. Electronic communications and remote computing service providers play a special role.
The government had argued in favor of applying the Marc Rich line of cases to the SCA warrant/service provider context, since those cases held that financial institutions could not escape their obligation to respond to a grand jury subpoena on the basis that the responsive records were stored abroad. The court rejected that argument. Instead, it held that under the SCA, service providers may be distinct from other categories of subpoena recipients because providers are caretakers of their users’ data, and the users (rather than the service providers) may have a protectable privacy interest in the data. The court suggests (but does not hold) that users’ content may be protected by the 4th Amendment even when it is held by a provider.