Second Circuit Limits Government Access to Data Overseas
In a case closely watched by Silicon Valley and privacy advocates alike, the Second Circuit Court of Appeals recently ruled that the Stored Communications Act, 18 U.S.C. §§ 2701 et seq. (SCA), does not authorize federal investigators to compel U.S.-based companies to turn over customer emails stored on servers outside American borders.
In the case Microsoft v. United States of America, Microsoft appealed from a district court order denying its motion to quash a warrant issued under section 2703 of the SCA. The warrant directed Microsoft to seize and produce customer data, including the content of emails held exclusively on a company server in Ireland. Microsoft objected to the production and argued that the SCA, one of the component statutes in the Electronic Communications Privacy Act (ECPA), was not intended to provide federal law enforcement with such authority and threatens user privacy. Microsoft further argued that if they are compelled to turn over the emails stored abroad, the company may face similar requests from foreign governments (e.g., China) requesting records stored in the United States under similar legal reasoning. On the other side, the United States argued that it has authority to require the disclosure of records, wherever it is located, as long as it is under the company's control or custody.
In ruling that the Justice Department could not rely on the SCA to require Microsoft to produce data stored overseas, the court noted that Congress did not intend the SCA's warrant provisions to apply so broadly and that a warrant for digital data turns on where that data are stored. Indeed, the Court noted: "Because the content subject to the warrant is located in, and would be seized from, the Dublin data center, the conduct that falls within the focus of the SCA would occur outside the United States, regardless of the customer's location and regardless of Microsoft's home in the United States."
Notably, what makes this ruling particularly interesting is that it has broad implications regarding the government's ability to compel companies to turn over information in an era of cloud computing. This ruling essentially shows that warrants authorized by the SCA statute at issue are similar to ordinary search warrants in that they can only be executed in the United States. The digital information sought in this case, however, differs from other physical evidence – which is likely located in a specific location – in that the information sought by the Justice Department could have been easily accessed by Microsoft and just as easily moved to the United States with only a few strokes at a keyboard.
Additionally, this ruling shows the tension companies now face using technologies that did not exist thirty years ago when the SCA was enacted. Companies are expected to both uphold user privacy while also responding to lawful requests from the government. Thus, while the ruling, based on the physical location of the data, may have been legally correct in its application of the law, it clearly illustrates how laws governing access to electronic records have not kept pace with technology. The increasing complexities of the digital world coupled with the fast evolving legal landscape means having experienced counsel on your side matters. Selman can be your partner in navigating this unique environment.