Micro­soft is not obli­ged to hand over user data loca­ted out­side the USA to the US government

The U.S. Court of Appeals today, July 14, 2016, ruled in favor of Micro­soft and against the U.S. government on appeal (Judgment as PDF). The main issue in dis­pu­te was whe­ther Micro­soft is obli­ged to hand over data (in this case, a customer’s emails) in respon­se to a war­rant issued by the U.S. government that could pos­si­b­ly pro­vi­de infor­ma­ti­on about cri­mi­nal acts (in this case, drug traf­ficking), but which are not loca­ted in the U.S. but on a Micro­soft ser­ver in Ire­land. The lower court had obli­ged Micro­soft to hand over such data as well. 

Micro­soft argued in the pro­ce­e­dings, without being con­tra­dic­ted, that the emails are in each case stored on ser­vers in the customer’s regi­on and that inter­me­dia­te copies on ser­vers in the USA are sub­se­quent­ly dele­ted, so that the data in que­sti­on can sub­se­quent­ly be acces­sed only locally.

The Court of Appeals’ ruling may be appealed to the Supre­me Court.

The Court of Appeals asses­sed the case as follows:

The war­rant pro­vi­si­ons of the SCA are not app­li­ca­ble extraterritorially

The Court of Appeals first held that the Stored Com­mu­ni­ca­ti­ons Act (SCA) – undis­puted­ly the legal basis of the U.S. government’s edi­ti­on order – does not pro­vi­de for extra­ter­ri­to­ri­al application:

As obser­ved abo­ve, the SCA per­mits the government to requi­re ser­vice pro­vi­ders to pro­du­ce the con­t­ents of cer­tain prio­ri­ty stored com­mu­ni­ca­ti­ons “only pur­suant to a
war­rant issued using the pro­ce­du­res descri­bed in the Federal Rules of Criminal
Pro­ce­du­re (or, in the case of a Sta­te court, issued using Sta­te war­rant pro­ce­du­res) by a
court of com­pe­tent juris­dic­tion.” 18 U.S.C. § 2703(a), (b)(1)(a). The pro­vi­si­ons in § 2703 that per­mit a ser­vice provider’s dis­clo­sure in respon­se to a duly obtai­ned war­rant do
not men­ti­on any extra­ter­ri­to­ri­al app­li­ca­ti­onand the government points to no pro­vi­si­on that even impli­ci­tly alludes to any such app­li­ca­ti­on. No rele­vant defi­ni­ti­on pro­vi­ded by eit­her Tit­le I or Tit­le II of ECPA, see 18 U.S.C. §§ 2510, 2711, sug­gests that Congress
envi­sio­ned any extra­ter­ri­to­ri­al use for the statute.

When Con­gress intends a law to app­ly extra­ter­ri­to­ri­al­ly, it gives an “affir­ma­ti­ve indi­ca­ti­on” of that intent. […] 

The government asserts that “[n]othing in the SCA’s text, struc­tu­re, pur­po­se, or legis­la­ti­ve histo­ry indi­ca­tes that com­pel­led pro­duc­tion of records is limi­ted to those
stored dome­sti­cal­ly.” Gov’t Br. at 26 (for­mat­ting alte­red and empha­sis added). It empha­si­zes the requi­re­ment pla­ced on a ser­vice pro­vi­der to dis­c­lo­se custo­mers’ data,
and the absence of any ter­ri­to­ri­al refe­rence restric­ting that obli­ga­ti­on. We find this argu­ment unper­sua­si­ve: It stands the presump­ti­on against extra­ter­ri­to­ria­li­ty on its
head.

The court goes on to iden­ti­fy other points that argue against extra­ter­ri­to­ri­al app­li­ca­ti­on of the SCA.

It was then important to distin­guish bet­ween a war­rant – which was the issue here – and a sub­poe­na. A sub­poe­na can obli­ge a per­son to redact docu­ments loca­ted out­side the USA:

We reject the approach, urged by the government and endor­sed by the District Court, that would tre­at the SCA war­rant as equi­va­lent to a sub­poe­na. The District Court cha­rac­te­ri­zed an SCA war­rant as a “hybrid” bet­ween a tra­di­tio­nal war­rant and a sub­poe­na becau­se-gene­ral­ly unli­ke a war­rant-it is exe­cuted by a ser­vice pro­vi­der rather than a government law enfor­ce­ment agent, and becau­se it does not requi­re the pre­sence of an agent during its exe­cu­ti­on. Id. at 471; 18 U.S.C. § 2703(a)-(c), (g). As flag­ged ear­lier, the sub­poe­na-war­rant distinc­tion is signi­fi­cant here becau­se, unli­ke war­rants, sub­po­e­nas may requi­re the pro­duc­tion of com­mu­ni­ca­ti­ons stored overseas. 

The court thus con­clu­des that the war­rant pro­vi­si­ons of the SCA do not per­mit extra­ter­ri­to­ri­al app­li­ca­ti­on. It was the­re­fo­re que­stion­ab­le whe­ther such an app­li­ca­ti­on was at all at issue in the spe­ci­fic case.

For­cing Micro­soft to hand over user data in Ire­land would be a pro­hi­bi­ted extra­ter­ri­to­ri­al application

Whe­ther an extra­ter­ri­to­ri­al app­li­ca­ti­on of a legal insti­tu­ti­on would be pro­scri­bed depends on whe­ther the ter­ri­to­ri­al refe­ren­ces of the con­cre­te case lie wit­hin the focus of the law in question:

If the dome­stic con­ta­cts presented 
by the case fall wit­hin the “focus” of the sta­tu­to­ry pro­vi­si­on or are “the objects of the 
statute’s soli­ci­tu­de,” then the app­li­ca­ti­on of the pro­vi­si­on is not unlawfully 
extra­ter­ri­to­ri­al. Mor­ri­son, 561 U.S. at 267. If the dome­stic con­ta­cts are merely 
secon­da­ry, howe­ver, to the sta­tu­to­ry “focus,” then the provision’s app­li­ca­ti­on to the 
case is extra­ter­ri­to­ri­al and precluded. 

The que­sti­on, then, was what is the focus of the SCA’s war­rant pro­vi­si­ons (put ano­t­her way, what is the core con­cern of the SCA). The court ans­we­red this as follows:


The over­all effect is the embo­di­ment of an expec­ta­ti­on of pri­va­cy in those 
com­mu­ni­ca­ti­ons, not­with­stan­ding the role of ser­vice pro­vi­ders in their transmission 
and sto­rage, and the impo­si­ti­on of pro­ce­du­ral restric­tions on the government’s (and 
other third par­ty) access to prio­ri­ty stored com­mu­ni­ca­ti­ons.
 The cir­cum­stan­ces in 
which the com­mu­ni­ca­ti­ons have been stored ser­ve as a pro­xy for the inten­si­ty of the 
user’s pri­va­cy inte­rests, dic­ta­ting the strin­gen­cy of the pro­ce­du­ral pro­tec­tion they 
recei­ve-in par­ti­cu­lar whe­ther the Act’s war­rant pro­vi­si­ons, sub­poe­na pro­vi­si­ons, or its 
§ 2703(d) court order pro­vi­si­ons govern a dis­clo­sure desi­red by the government. 
Accord­in­gly, we think it fair to con­clu­de based on the plain mea­ning of the text that the 
pri­va­cy of the stored com­mu­ni­ca­ti­ons is the “object[] of the statute’s soli­ci­tu­de,” and the 
focus of its pro­vi­si­ons

Becau­se user pri­va­cy is the core con­cern of the SCA, the­re would be an extra­ter­ri­to­ri­al app­li­ca­ti­on of the war­rant pro­vi­si­ons of the SCA if Micro­soft were requi­red to pro­du­ce user data from Ireland:

The infor­ma­ti­on sought in this case is the con­tent of the electronic 
com­mu­ni­ca­ti­ons of a Micro­soft custo­mer. The con­tent to be sei­zed is stored in Dublin. 
The record is silent regar­ding the citi­zenship and loca­ti­on of the customer. 
Alt­hough the Act’s focus on the customer’s pri­va­cy might sug­gest that the customer’s 
actu­al loca­ti­on or citi­zenship would be important to the extra­ter­ri­to­ria­li­ty ana­ly­sis, it is 
our view that the inva­si­on of the customer’s pri­va­cy takes place under the SCA where 
the customer’s pro­tec­ted con­tent is acces­sed-here, whe­re it is sei­zed by Microsoft, 
acting as an agent of the government.

Becau­se the con­tent sub­ject to the War­rant is 
loca­ted in, and would be sei­zed from, the Dub­lin dat­a­cen­ter, the con­duct that falls 
wit­hin the focus of the SCA would occur out­side the United Sta­tes, regard­less of the 
customer’s loca­ti­on and regard­less of Microsoft’s home in the United States. 

This result could not be chan­ged by the prac­ti­cal con­si­de­ra­ti­ons that a U.S. user can easi­ly obtain sto­rage of his or her data in Ire­land and that the rou­te through the Mutu­al Legal Assi­stance Trea­ties (MLAT) is burdensome.

Result

The court its­elf sum­ma­ri­zes the result of its con­si­de­ra­ti­ons as follows:

We con­clu­de that Con­gress did not intend the SCA’s war­rant pro­vi­si­ons to apply 
extra­ter­ri­to­ri­al­ly. The focus of tho­se pro­vi­si­ons is pro­tec­tion of a user’s privacy 
inte­rests. Accord­in­gly, the SCA does not aut­ho­ri­ze a U.S. court to issue and enfor­ce an 
SCA war­rant against a United Sta­tes-based ser­vice pro­vi­der for the con­t­ents of a 
customer’s elec­tro­nic com­mu­ni­ca­ti­ons stored on ser­vers loca­ted out­side the United 
Sta­tes. The SCA war­rant in this case may not law­ful­ly be used to com­pel Micro­soft to 
pro­du­ce to the government the con­t­ents of a customer’s e‑mail account stored 
exclu­si­ve­ly in Ire­land. Becau­se Micro­soft has other­wi­se com­plied with the War­rant, it 
has no remai­ning law­ful obli­ga­ti­on to pro­du­ce mate­ri­als to the government.