Der US Court of Appeals hat heute, am 14. Juli 2016, im Berufungsverfahren zugunsten von Microsoft und gegen die US-Regierung entschieden (Urteil als PDF). Streitpunkt war im Wesentlichen die Frage, ob Microsoft verpflichtet ist, auf einen sog. Warrant der US-Regierung hin Daten (hier Emails eines Kunden) herauszugeben, die möglicherweise Aufschluss über strafbare Handlungen (hier Drogenhandel) geben könnten, die sich aber nicht in den USA befinden, sondern auf einem Microsoft-Server in Irland. Die Vorinstanz hatte Microsoft verpflichtet, auch solche Daten herauszugegeben.
Microsoft brachte im Verfahren unwidersprochen vor, dass die Emails jeweils auf Servern in der Region des Kunden gespeichert werden und dass Zwischenkopien auf Servern in den USA anschliessend gelöscht werden, so dass auf die betreffenden Daten anschliessend ausschliesslich vor Ort zugegriffen werden kann.
Das Urteil des Court of Appeals kann an den Supreme Court weitergezogen werden.
Der Court of Appeals beurteilte den Fall wie folgt:
Die Warrant-Bestimmungen des SCA sind nicht extraterritorial anwendbar
Der Court of Appeals hielt zunächst fest, dass der Stored Communications Act (SCA) – unbestrittenermassen die Rechtsgrundlage des Editionsbefehls der US-Regierung – keine extraterritoriale Anwendung vorsieht:
As observed above, the SCA permits the government to require service providers to produce the contents of certain priority stored communications “only pursuant to a
warrant issued using the procedures described in the Federal Rules of Criminal
Procedure (or, in the case of a State court, issued using State warrant procedures) by a
court of competent jurisdiction.” 18 U.S.C. § 2703(a), (b)(1)(a). The provisions in § 2703 that permit a service provider’s disclosure in response to a duly obtained warrant do
not mention any extraterritorial application, and the government points to no provision that even implicitly alludes to any such application. No relevant definition provided by either Title I or Title II of ECPA, see 18 U.S.C. §§ 2510, 2711, suggests that Congress
envisioned any extraterritorial use for the statute.When Congress intends a law to apply extraterritorially, it gives an “affirmative indication” of that intent. […]
The government asserts that “[n]othing in the SCA’s text, structure, purpose, or legislative history indicates that compelled production of records is limited to those
stored domestically.” Gov’t Br. at 26 (formatting altered and emphasis added). It emphasizes the requirement placed on a service provider to disclose customers’ data,
and the absence of any territorial reference restricting that obligation. We find this argument unpersuasive: It stands the presumption against extraterritoriality on its
head.
Das Gericht nennt in der Folge weitere Punkte, die gegen eine extraterritoriale Anwendung des SCA sprechen.
Wichtig war sodann die Unterscheidung zwischen einem Warrant – um den es hier ging – und einer Subpoena. Durch eine Subpoena kann eine Person verpflichtet werden, auch ausserhalb der USA liegende Dokumente zu edieren:
We reject the approach, urged by the government and endorsed by the District Court, that would treat the SCA warrant as equivalent to a subpoena. The District Court characterized an SCA warrant as a “hybrid” between a traditional warrant and a subpoena because — generally unlike a warrant — it is executed by a service provider rather than a government law enforcement agent, and because it does not require the presence of an agent during its execution. Id. at 471; 18 U.S.C. § 2703(a)-(c), (g). As flagged earlier, the subpoena-warrant distinction is significant here because, unlike warrants, subpoenas may require the production of communications stored overseas.
Das Gericht kommt damit zum Ergebnis, dass die Warrant-Bestimmungen des SCA keine extraterritoriale Anwendung erlauben. Fraglich war deshalb, ob es im konkreten Fall überhaupt um eine solche Anwendung ging.
Microsoft zur Herausgabe von Nutzerdaten in Irland zu zwingen, wäre eine verbotene extraterritoriale Anwendung
Ob eine ggf. verpönte extraterritoriale Anwendung eines Rechtsinstituts vorläge, hängt davon ab, ob die territorialen Bezüge des konkreten Falls innerhalb des Fokus’ des betreffenden Gesetzes liegen:
If the domestic contacts presented
by the case fall within the “focus” of the statutory provision or are “the objects of the
statute’s solicitude,” then the application of the provision is not unlawfully
extraterritorial. Morrison, 561 U.S. at 267. If the domestic contacts are merely
secondary, however, to the statutory “focus,” then the provision’s application to the
case is extraterritorial and precluded.
Die Frage lautete also, welches der Fokus der Warrant-Bestimmungen des SCA ist (anders formuliert: welches Kernanliegen der SCA hat). Das Gericht beantwortet das wie folgt:
The overall effect is the embodiment of an expectation of privacy in those
communications, notwithstanding the role of service providers in their transmission
and storage, and the imposition of procedural restrictions on the government’s (and
other third party) access to priority stored communications. The circumstances in
which the communications have been stored serve as a proxy for the intensity of the
user’s privacy interests, dictating the stringency of the procedural protection they
receive — in particular whether the Act’s warrant provisions, subpoena provisions, or its
§ 2703(d) court order provisions govern a disclosure desired by the government.
Accordingly, we think it fair to conclude based on the plain meaning of the text that the
privacy of the stored communications is the “object[] of the statute’s solicitude,” and the
focus of its provisions.
Da die Privatsphäre der Nutzer das Kernanliegen des SCA ist, läge eine extraterritoriale Anwendung der Warrant-Bestimmungen des SCA vor, wenn Microsoft verpflichtet wäre, Nutzerdaten aus Irland zu produzieren:
The information sought in this case is the content of the electronic
communications of a Microsoft customer. The content to be seized is stored in Dublin.
The record is silent regarding the citizenship and location of the customer.
Although the Act’s focus on the customer’s privacy might suggest that the customer’s
actual location or citizenship would be important to the extraterritoriality analysis, it is
our view that the invasion of the customer’s privacy takes place under the SCA where
the customer’s protected content is accessed — here, where it is seized by Microsoft,
acting as an agent of the government.
Because the content subject to the Warrant is
located in, and would be seized from, the Dublin datacenter, the conduct that falls
within the focus of the SCA would occur outside the United States, regardless of the
customer’s location and regardless of Microsoft’s home in the United States.
An diesem Ergebnis konnten auch die praktischen Erwägungen nichts ändern, dass ein US-Nutzer problemlos die Speicherung seiner Daten in Irland erwirken kann und dass der Weg über die Rechtshilfeabkommen (MLAT) beschwerlich ist.
Ergebnis
Das Gericht fasst das Ergebnis seiner Erwägungen selbst folgendermassen zusammen:
We conclude that Congress did not intend the SCA’s warrant provisions to apply
extraterritorially. The focus of those provisions is protection of a user’s privacy
interests. Accordingly, the SCA does not authorize a U.S. court to issue and enforce an
SCA warrant against a United States-based service provider for the contents of a
customer’s electronic communications stored on servers located outside the United
States. The SCA warrant in this case may not lawfully be used to compel Microsoft to
produce to the government the contents of a customer’s e-mail account stored
exclusively in Ireland. Because Microsoft has otherwise complied with the Warrant, it
has no remaining lawful obligation to produce materials to the government.