The U.S. Court of Appeals today, July 14, 2016, ruled in favor of Microsoft and against the U.S. government on appeal (Judgment as PDF). The main issue in dispute was whether Microsoft is obliged, in response to a warrant issued by the U.S. government, to hand over data (in this case, a customer’s emails) that could possibly provide information about criminal acts (in this case, drug trafficking) but that is located not in the U.S. but on a Microsoft server in Ireland. The lower court had obliged Microsoft to hand over such data as well.
Microsoft argued in the proceedings, without being contradicted, that the emails are in each case stored on servers in the customer’s region and that intermediate copies on servers in the USA are subsequently deleted, so that the data in question can thereafter be accessed only locally.
The Court of Appeals’ ruling may be appealed to the Supreme Court.
The Court of Appeals assessed the case as follows:
The warrant provisions of the SCA are not applicable extraterritorially
The Court of Appeals first held that the Stored Communications Act (SCA) – undisputedly the legal basis of the U.S. government’s production order – does not provide for extraterritorial application:
As observed above, the SCA permits the government to require service providers to produce the contents of certain priority stored communications “only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction.” 18 U.S.C. § 2703(a), (b)(1)(a). The provisions in § 2703 that permit a service provider’s disclosure in response to a duly obtained warrant do not mention any extraterritorial application and the government points to no provision that even implicitly alludes to any such application. No relevant definition provided by either Title I or Title II of ECPA, see 18 U.S.C. §§ 2510, 2711, suggests that Congress envisioned any extraterritorial use for the statute. When Congress intends a law to apply extraterritorially, it gives an “affirmative indication” of that intent. […]
The government asserts that “[n]othing in the SCA’s text, structure, purpose, or legislative history indicates that compelled production of records is limited to those stored domestically.” Gov’t Br. at 26 (formatting altered and emphasis added). It emphasizes the requirement placed on a service provider to disclose customers’ data, and the absence of any territorial reference restricting that obligation. We find this argument unpersuasive: It stands the presumption against extraterritoriality on its head.
The court goes on to identify other points that argue against extraterritorial application of the SCA.
It was then important to distinguish between a warrant – which was the issue here – and a subpoena. A subpoena can oblige a person to produce documents located outside the USA:
We reject the approach, urged by the government and endorsed by the District Court, that would treat the SCA warrant as equivalent to a subpoena. The District Court characterized an SCA warrant as a “hybrid” between a traditional warrant and a subpoena because – generally unlike a warrant – it is executed by a service provider rather than a government law enforcement agent, and because it does not require the presence of an agent during its execution. Id. at 471; 18 U.S.C. § 2703(a)-(c), (g). As flagged earlier, the subpoena-warrant distinction is significant here because, unlike warrants, subpoenas may require the production of communications stored overseas.
The court thus concludes that the warrant provisions of the SCA do not permit extraterritorial application. The question was therefore whether the specific case involved such an application at all.
Forcing Microsoft to hand over user data in Ireland would be a prohibited extraterritorial application
Whether applying a legal provision would amount to a prohibited extraterritorial application depends on whether the territorial contacts of the specific case lie within the focus of the law in question:
If the domestic contacts presented by the case fall within the “focus” of the statutory provision or are “the objects of the statute’s solicitude,” then the application of the provision is not unlawfully extraterritorial. Morrison, 561 U.S. at 267. If the domestic contacts are merely secondary, however, to the statutory “focus,” then the provision’s application to the case is extraterritorial and precluded.
The question, then, was what is the focus of the SCA’s warrant provisions (put another way, what is the core concern of the SCA). The court answered this as follows:
The overall effect is the embodiment of an expectation of privacy in those communications, notwithstanding the role of service providers in their transmission and storage, and the imposition of procedural restrictions on the government’s (and other third party) access to priority stored communications. The circumstances in which the communications have been stored serve as a proxy for the intensity of the user’s privacy interests, dictating the stringency of the procedural protection they receive – in particular whether the Act’s warrant provisions, subpoena provisions, or its § 2703(d) court order provisions govern a disclosure desired by the government. Accordingly, we think it fair to conclude based on the plain meaning of the text that the privacy of the stored communications is the “object[] of the statute’s solicitude,” and the focus of its provisions.
Because user privacy is the core concern of the SCA, there would be an extraterritorial application of the warrant provisions of the SCA if Microsoft were required to produce user data from Ireland:
The information sought in this case is the content of the electronic communications of a Microsoft customer. The content to be seized is stored in Dublin. The record is silent regarding the citizenship and location of the customer. Although the Act’s focus on the customer’s privacy might suggest that the customer’s actual location or citizenship would be important to the extraterritoriality analysis, it is our view that the invasion of the customer’s privacy takes place under the SCA where the customer’s protected content is accessed – here, where it is seized by Microsoft, acting as an agent of the government.
Because the content subject to the Warrant is located in, and would be seized from, the Dublin datacenter, the conduct that falls within the focus of the SCA would occur outside the United States, regardless of the customer’s location and regardless of Microsoft’s home in the United States.
This result could not be changed by the practical considerations that a U.S. user can easily obtain storage of his or her data in Ireland and that the route through the Mutual Legal Assistance Treaties (MLAT) is burdensome.
Result
The court itself summarizes the result of its considerations as follows:
We conclude that Congress did not intend the SCA’s warrant provisions to apply extraterritorially. The focus of those provisions is protection of a user’s privacy interests. Accordingly, the SCA does not authorize a U.S. court to issue and enforce an SCA warrant against a United States-based service provider for the contents of a customer’s electronic communications stored on servers located outside the United States. The SCA warrant in this case may not lawfully be used to compel Microsoft to produce to the government the contents of a customer’s e-mail account stored exclusively in Ireland. Because Microsoft has otherwise complied with the Warrant, it has no remaining lawful obligation to produce materials to the government.