You are viewing an archived webpage. The information on this page may be out of date. Learn about EPIC's recent work at epic.org.

United States v. Microsoft

Whether the Stored Communications Act authorizes warrants for personal data stored outside of the United States

Summary

The Supreme Court has agreed to review an important case concerning the search and seizure of personal data stored outside the United States. The case raises the question of whether the Stored Communications Act, 18 U.S.C. § 2703, authorizes a court in the United States to order a service provider to produce personal data stored abroad. The lower court held that Congress did not intend the SCA’s warrant provision to apply to data stored outside the United States, and the Supreme Court has agreed to review the case. The warrant under review was issued to Microsoft in 2013, but the company challenged on the grounds that the e-mails sought under the warrant were stored on its servers in Dublin, Ireland.

Question Presented

Given the presumption against applying federal law in other countries and the Government’s concession that Congress did not intend to apply the Stored Communications Act outside the United States, are private electronic communications stored in Ireland outside the scope of the Stored Communications Act’s interlocking provisions?

Background

This case arises from a criminal investigation into a drug-trafficking case in December 2013. A magistrate judge in the U.S. District Court for the Southern District of New York issued a warrant under the Stored Communications Act (SCA) ordering Microsoft to produce all emails and information associated with a certain account. Some information was held on Microsoft’s United States servers; however, the emails themselves were stored on a server in Dublin, Ireland. In response to the warrant, Microsoft complied with providing the account information but moved to quash the order to produce the emails. Microsoft argued that the court does not have authority to issue a warrant for electronic communications stored abroad under the SCA.

Procedural History

U.S. District Court for the Southern District of New York

On December 18, 2013, Microsoft moved to quash the warrant requiring production of electronic communications stored abroad. In May 2014, a federal magistrate judge denied Microsoft’s motion to quash the warrant. The judge ordered Microsoft to turn over the emails, reasoning that unlike a typical warrant, an SCA warrant is similar to a subpoena. Courts have previously held that companies can be required to produce overseas business records in response to a subpoena. The court reasoned that, because Microsoft had control over the material outside of the U.S., it must comply with the subpoena-like SCA warrant.

Microsoft sought review in the District Court of the Southern District of New York, which upheld the magistrate judge’s ruling and issued a civil contempt order against Microsoft for failure to comply with the warrant. Microsoft appealed the district court’s order to the Second Circuit.

U.S. Court of Appeals for the Second Circuit

On appeal, a three-judge panel unanimously reversed the lower court’s ruling, vacated the contempt order, and ordered the lower court to quash the warrant “insofar as it demands user content stored outside of the United States.” The court relied heavily on the Supreme Court’s ruling in Morrison v. National Australian Bank Ltd., 561 U.S. 247 (2010), affirming the “longstanding principle of American law that legislation of Congress, unless a contrary intent appears, is meant to apply only within the territorial jurisdiction of the United States.” The Second Circuit found that Congress did not intend for the warrant provisions in the SCA to apply outside the United States. The SCA’s use of the term “warrant” suggested a domestic application and the primary focus of the SCA was to protect the privacy of users of electronic services.

The Irish government and a number of other organizations and individuals filed amicus briefs in support of Microsoft in the Second Circuit.

The U.S. government filed a petition for rehearing en banc, which was denied in January 2017, by a split vote (4-4) of the Second Circuit.

Supreme Court of the United States

Following the denial of rehearing en banc, the U.S. Department of Justice filed a Petition for a Writ of Certiorari in the U.S. Supreme Court. In the Petition, the Government argued against the Second Circuit’s interpretation of the SCA. The Government argued that the issuance of a warrant ordering Microsoft to turn over e-mails is “a domestic application” of the SCA, and that Congress enacted the SCA “against the background principle that subpoena recipients must produce all records within their control.” The Government also argued that the Second Circuit’s rule would be “impractical and detrimental to law enforcement” and that the use of the SCA to obtain user data stored abroad would respect “the United States’ international obligations.” The Supreme Court granted the Petition on October 16, 2017, and will hear the case in 2018.

EPIC's Interest

Promotion of International Privacy Norms

EPIC has vigorously supported international privacy norms. In 2010, 29 members of the EPIC advisory Board wrote to then Secretary Hillary Clinton, urging US ratification of Council of Europe Convention 108 (the "Privacy Convention"). EPIC stated, "The protection of privacy is a fundamental human right. In the 21st century, it may become one of the most critical human rights of all." An adverse decision by the Supreme Court in the Microsoft case could undermine efforts to establish an international framework for data protection.

EPIC also express support for the Madrid Declaration, a substantial document that reaffirms international instruments for privacy protection, identifies new challenges, and calls for concrete actions. Among other points, the Madrid Declaration calls for "the establishment of a new international framework for privacy protection, with the full participation of civil society, that is based on the rule of law, respect for fundamental human rights, and support for democratic institutions."

EPIC recently supported a Common Position on Standards for data protection and personal privacy in cross-border data requests for law enforcement purposes of the International Working Group (IWG). The Common Position is intended to offer recommendations to the existing legal framework and current activities governing law enforcement access to cross-border data. The recommendations ensure that any cross-border law enforcement data requests accord with international human rights norms.

EPIC joined the European Digital Rights (EDRI) in a statement to the Council of Europe regarding criminal investigations. The "Global Civil Submission" endorses human rights principles and data protection standards for transnational data transfers. Several years ago, EPIC opposed the U.S. ratification of the Convention of Cybercrime citing its sweeping expansion of law enforcement authority.

EPIC also participated as amici in one of the most important international privacy cases in recent history. In Schrems v. Data Protection Commissioner, an Austrian privacy advocate, Max Schrems, challenged the transfer of his data (and the data of EU citizens' generally) to the United States by Facebook, which is incorporated in Ireland. The first Schrems case (Schrems I) led the Court of Justice of the European Union to invalidate the Safe Harbor arrangement, which governed data transfers between the E.U. and the U.S. After that case was remanded to the Irish data protection authority, the Commissioner filed a second suit (Schrems II) in the Irish High Court to determine whether the "standard contractual clauses" used by Facebook to authorize the transfer of personal data to the U.S. post-Safe Harbor provide adequate protection for E.U. citizens. EPIC was selected by the Irish High Court to provide an amicus submission in Schrems II to "counterbalance" the submission of the U.S. Government. EPIC provided a detailed assessment of U.S. privacy law, and the Court ultimately found insufficient legal protections for the transfer of data to the United States.

Related EPIC ECPA Amicus Briefs

EPIC also has an interest in the privacy and security of communications that are transmitted domestically and abroad. The primary form of electronic communication is e-mail. Unlike at the time the Electronic Communications Privacy Act was passed in 1986, the majority of e-mail is now stored and accessible remotely in cloud-based services. Yet protecting the privacy of e-mail messages, as EPIC has noted in the past, is still one of the core purposes of ECPA.

EPIC filed an amicus brief in Jennings v. Broome, a case concerning the scope of protections for stored e-mail under ECPA. EPIC argued that given the central importance of e-mail to our economic and social activities, it is critical to clarify the application of current electronic privacy rules. Furthermore, “privacy protection enables the free exchange of ideas as well as the growth of online commerce;” thus, the “Court needs to act to provide clarity in the application of federal privacy law to digital communications.”

In United States v. Councilman, a case involving a criminal prosecution under the Wiretap Act for interception of e-mail. EPIC joined a coalition of civil liberties organizations in an amicus brief authored by Professor Orin Kerr. EPIC argued that an email can be simultaneously in “electronic storage” and subject to interception under the Wiretap Act. Several EPIC advisory board members who are technical experts and leading authorities on Internet architecture, email communications, and computer privacy also filed an amicus brief in Councilman, arguing that “ECPA was intended to deal precisely with the improper capture of information by one party that is intended solely for delivery to other(s) . . . .” Senator Patrick Leahy, one of the authors of ECPA, also filed an amicus brief in the case arguing that the definition of “electronic storage” was “designed to distinguish the SCA from ordinary computer crime statutes covering unauthorized system access unrelated to the communications process,” and that the definition should not “cast doubt upon Title III’s protection of electronic communications” during the transmission phase.

EPIC also filed an amicus brief in Bunnell v. MPAA, a civil wiretap act case involving a question substantially similar to that in Councilman. EPIC’s brief argued that Congress added “electronic storage” to the definition of wire communications to expand protections for voicemail, not to lessen protections for stored e-mail.

Legal Documents

United States Supreme Court, No. 16-402

Merits Stage

Petition Stage

U.S. Court of Appeals for the Second Circuit, No. 14-2985

U.S. District Court for the Southern District of New York, No. 12-20218

Resources

EPIC Resources

News

Share this page:

Defend Privacy. Support EPIC.
US Needs a Data Protection Agency
2020 Election Security