In February 2018, the Supreme Court will hear argument in United States v. Microsoft Corporation on the issue of whether a U.S. email provider must comply with a warrant issued pursuant to Section 2703 of the Stored Communications Act (“SCA”) by making disclosure in the United States of electronic communications stored exclusively on servers at datacenters abroad.[1]  Recently the parties submitted briefing on the merits to the Court, and a number of amici weighed in to support Microsoft Corp. (“Microsoft”). [2]   Through more than twenty amicus briefs, major tech giants like Google, Apple, and Amazon, along with members of Congress, European lawmakers, European legal groups, and foreign sovereigns, expressed concern about the Government’s interpretation of the SCA. [3] As this interest demonstrates, the Court’s decision is expected to have far reaching implications for the treatment of foreign data protection laws in U.S. courts.

Background

The case began in 2013 when the Government applied for a Section 2703 warrant under the SCA requiring Microsoft to disclose email communications for a particular user believed to be involved in illegal drug activity.  Microsoft operates web-based email services that are free to the public.  Data associated with these services (i.e. email communications) are stored on servers at Microsoft datacenters around the world.  In this particular case, the user’s email content was stored on a server at a datacenter based exclusively in Dublin, Ireland.  The Government served Microsoft at its corporate headquarters in Redmond, Washington, and in response Microsoft disclosed certain responsive account information that was stored in the United States.  Microsoft, however, refused to turn over the user’s email content stored in Dublin, and moved to quash the warrant, arguing that the SCA does not apply extraterritorially to data stored outside the United States.  The district court ruled in favor of the Government, holding that because the data was disclosed in the United States, this application of the SCA is not extraterritorial, even though the data was originally stored outside the United States. [4]   The Second Circuit ultimately reversed, holding that the warrant for information abroad constituted an impermissible extraterritorial application of the SCA. [5]

The Government’s Position 

Before the Supreme Court, the Government argues that Section 2703 of the SCA permits the Government to compel U.S. service providers to disclose to authorities inside the United States electronic communications within their control, regardless of whether the providers store the communications in the United States or abroad.[6]   Although the Government does not contend that Congress intended the SCA to apply extraterritorially, according to the Government, this is not an extraterritorial application of the SCA because the conduct relevant to the statute’s “focus” – in its view, the disclosure of the communications to U.S. authorities – occurred in the United States.[7]  The Government argues that Section 2703 focuses on disclosure of electronic information, not on where the information is stored, and that such disclosure constitutes domestic conduct.  The Government maintains that “[a] user has no right under the SCA to have his data stored in one location or another, or even to know where it is stored.  Instead, any invasion of privacy occurs only when Microsoft divulges a user’s communications to the government and the government examines those communications for evidence of a crime.”[8]

According to the Government, a more restrictive reading of Section 2703 would undermine an important tool for law enforcement and “introduce arbitrariness into the statutory scheme.”[9]  For example, it says that a service provider like Microsoft could move all of its information about U.S. customers beyond the reach of law enforcement by building its servers outside of the United States.  The Government also argues that Microsoft has exaggerated the potential international comity implications of its position.

Microsoft’s Position

Microsoft contends that Congress never intended for Section 2703 of the SCA to apply extraterritorially, and that the Government’s position amounts to an extraterritorial application of the SCA.  Microsoft interprets the SCA’s “focus” to be protecting the privacy and security of electronic communications that customers entrust to third-party service providers.[10]  Microsoft agrees that “there may be an ill fit between the SCA and today’s globally connected world.  But that is for Congress to address.”[11]

Microsoft also argues that compelling the disclosure of electronic information stored abroad creates a direct conflict with foreign laws protecting data privacy.  The SCA warrant requires the search and seizure of emails on a physical computer server at a datacenter in Dublin, where Irish and EU law protects them.  The emails would therefore be subject to a “seizure” in Ireland.  According to Microsoft, “[t]hat the government has outsourced this activity to a service provider does not change the location of the law enforcement operation or mitigate the intrusion on foreign sovereignty.  It is a government initiated intrusion upon the account owner’s property rights all the same.”[12]  Microsoft further points to the “international outcry [the] warrant has sparked” with “[l]eaders across Europe [lambasting] the government’s attempt to circumvent existing [mutual legal assistance treaties] and interfere with the territorial sovereignty of an EU member state.”[13]

Microsoft argues that “[t]he most straightforward reading of the SCA is that it protects domestically stored communications (wherever disclosed), not domestically disclosed communications (wherever stored).”[14]  The focus of the SCA is not on disclosure and where disclosure occurs, but rather the focus is on protecting the security of electronic communications that customers entrust to third parties like Microsoft.

Data Privacy Implications

Microsoft President and Chief Legal Officer Brad Smith has written that “the U.S. Department of Justice’s attempt to seize foreign customers’ emails from other countries ignores borders, treaties, and international law, as well as the laws those countries have in place to protect the privacy of their own citizens.”[15]  While the Government denies that its interpretation of Section 2703 interferes with foreign sovereignty and conflicts with international data privacy laws, many tech companies, legal experts, European lawyers associations, and sovereigns have submitted amicus briefs in support of Microsoft, warning that such disregard of global comity is likely to have international consequences.[16]

As these briefs generally point out, there are substantial differences between U.S. and EU privacy and data protection regulations.  Notably, unlike the United States, the European Union recognizes the protection of personal data and privacy as fundamental individual rights,[17] and EU laws and regulations impose comprehensive obligations for the protection of personal data stored in the EU.[18] In particular, the General Data Protection Regulation (“GDPR”), which comes into full effect in May 2018, generally prohibits transfers of personal data to non-EU countries absent a showing of compliance with data protection standards essentially equivalent to the EU standards, and imposes substantial penalties for noncompliance.[19]

Some amici have expressed concern that the Government’s position, if adopted, will result in direct conflict between SCA warrants and other countries’ domestic regulation of data privacy, including European data protection and privacy laws, leaving companies in an irreconcilable position.[20]  For example, amici argue that SCA warrants may not supply an adequate legal basis for EU companies to process the personal data sought by the warrant (e.g., by collecting the data from their servers), or to transfer the personal data sought by the SCA warrant to the United States for disclosure to authorities.  The stakes are potentially high for European companies, which under the GDPR, could face significant monetary penalties and possible civil or criminal liability for non-compliance.  These amici contend that the Government’s position forces companies like Microsoft to choose between complying with an SCA warrant or complying with other countries’ strict data privacy laws.  As Microsoft and other tech companies have acknowledged, this conflict leaves “tech companies and consumers caught in the middle.”[21]

These amici have argued that this disregard of competing legal obligations is disruptive of global comity, which could ultimately jeopardize the rights of U.S. citizens in foreign legal proceedings.  Where the Government chooses to intrude upon the sovereignty of other nations, so too may other governments similarly disregard the laws the of the United States.  Several amici urged the Court to apply to this case the comity framework established in Société Nationale Industrielle Aérospatiale v. United States in connection with U.S. civil discovery requests for cross-border disclosure, and to further clarify the role comity plays in defining the scope of the Government’s authority to compel production of electronic communications stored on servers located outside the United States.[22]  The factors recognized in Aérospatiale include:

1) the importance to the . . . litigation of the documents or other information requested;     2) the degree of specificity of the request; 3) whether the information originated in the    United States; 4) the availability of alternative means of securing the information; and 5) the extent to which noncompliance with the request would undermine important interests of the United States, . . . or of the state where the information is located.[23]

In their amicus briefs, for example, the European Company Lawyers Association (“ECLA”) and the Council of Bars and Law Societies of Europe each argue that the Aérospatiale factors should be applied to SCA warrants like those in this case, which seek data stored outside the United States.[24]  The ECLA, in particular, contended that the fifth Aérospatiale factor should “preclude issuance of an SCA warrant in appropriate circumstances [to] accord proper respect to the European Union’s expressed intention under the GDPR to protect individuals’ right to the protection of personal data, . . . and to the fact that data protection is considered a fundamental right in the European Union.”[25]  At the same time, the fifth factor would not preclude the Government from using an SCA warrant in cases where the data was not otherwise available and there were no significant foreign interests implicated.[26]

Whatever the outcome, the Court’s ruling stands to influence compliance with data privacy laws around the world.  We will continue to follow developments in this important case.

Cleary Gottlieb filed amicus briefs in this matter on behalf of the European Company Lawyers Association and the Council of Bars and Law Societies of Europe.


[1]United States v. Microsoft Corp., No. 17-2 (cert granted Oct. 16, 2017).

[2] Brief for the United States on Writ of Certiorari, United States v. Microsoft Corp., No. 17-2, 2017 WL 6205806 (December 6, 2017) (“Government’s Brief”); Brief for Respondent on Writ of Certiorari, United States v. Microsoft Corp., No. 17-2, 2018 WL 447349 (January 11, 2018) (“Respondent’s Brief”).

[3] United States v. Microsoft, Complete List of Amici Signatories, https://blogs.microsoft.com/datalaw/wp-content/uploads/sites/149/2018/01/Complete-List-of-Amici-Signatories_FINAL-4.pdf (last visited January 24, 2018).

[4] In re Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp., 15 F. Supp. 3d 466 (S.D.N.Y. 2014).

[5] Matter of Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp., 829 F.3d 197 (2d Cir. 2016).

[6] Government’s Brief at 12.

[7] Government’s Brief at 17; Morrison v. Nat’l Australia Bank Ltd., 561 U.S. 247, 249 (2010) (the Court will consider the “focus” of the statute to determine whether a particular application is extraterritorial in nature).

[8] Government’s Brief at 14.

[9] Id. at 15.

[10] Respondent’s Brief at 11.

[11] Id. at 14.

[12] Id. at 12.

[13] Id. at 13.

[14] Id. at 11.

[15] Brad Smith, Something Extraordinary Happened in Washington, D.C. Yesterday, Microsoft On the Issues (Jan. 19, 2018), https://blogs.microsoft.com/on-the-issues/2018/01/19/something-extraordinary-happened-washington-d-c-yesterday/.

[16] Supra note 3.

[17] Article 8 of the European Union’s Charter of Fundamental Rights, 2012 O.J. (C. 326) 391.

[18] European Union Data Protection Directive of 1995, Europ. Parl. and Coun. Directive 95/46, 1995 O.J. (L. 281) 31; General Data Protection Regulation, Europ. Parl. and Coun. Reg. 2016/679, 2016 O.J. (L. 119) 1 (fully applicable May 2018).

[19] Id.

[20] See Brief for Amicus Curiae European Company Lawyers Association in Support of Respondent, United States v.  Microsoft Corp., No. 17-2 (Jan. 18, 2018) (“ECLA Brief”); Brief of the Council of Bars and Law Societies of Europe as Amicus Curiae in Support of Respondent, United States v. Microsoft Corp., 17-2 (Jan. 18, 2018) (“CCBE Brief”).

[21] Smith, supra note 15.

[22] 482 U.S. 522 (1987).

[23] Id. at n.28.

[24] ECLA Brief at 30-31; CCBE Brief at 23-24.

[25] ECLA Brief at 30-31.

[26] Id. at 31.