The Second Circuit has handed down its long-awaited decision in the Ireland warrant case, In the Matter of a Warrant to Search a Certain E‐Mail Account Controlled and Maintained by Microsoft Corporation. The holding: If a U.S. company stores customer email outside the United States, whether of U.S. or foreign customers, the government cannot use a domestic search warrant to compel the disclosure of the email. If the data is stored outside the United States, the government has to find some other way to compel the email other than a traditional search warrant.
This post will cover the reasoning of the opinion, and in another post I’ll address its implications and what happens next.
A brief recap: The government obtained a search warrant inside the United States compelling Microsoft inside the United States to disclose email it had stored on a server in Ireland. The court assumed, following the briefing of the parties, that the Stored Communications Act, if it applied, would require Microsoft to comply with the warrant. Everyone in the case agreed that the Stored Communications Act applied only inside the United States. The big issue was whether the Act’s territoriality was governed by where the disclosure occurs (inside the United States) or where the data is stored (outside the United States).
The court ruled that the Act’s territoriality is governed by the location of the data. Because Microsoft stored the data outside the United States, Microsoft doesn’t have to comply with the warrant. As I read the majority opinion, authored by Judge Susan Carney, the core reasoning of the opinion largely boils down to a single sentence on Page 39. After reasoning at length that the Act is focused on user privacy, Carney announces the follow conclusion: “it is our view that the invasion of the customer’s privacy takes place under the SCA where the customer’s protected content is accessed — here, where it is seized by Microsoft, acting as an agent of the government.”
This strikes me as a conclusion that needs explanation, although the opinion doesn’t appear to provide it. Yes, the statute focuses on privacy. But what is the territorial location of a privacy invasion? Is that where the disclosure occurs? Where the access occurs? Where the person is located? There are lots of different ways to answer this. It’s what the case was fundamentally about. At least based on my initial read of the opinion, however, the majority doesn’t actually develop an explanation of that choice.
Concurring in the judgment, Judge Gerard Lynch points out the gap:
Privacy, however, is an abstract concept with no obvious territorial locus; the conclusion that the SCA’s focus is privacy thus does not really help us to distinguish domestic applications of the statute from extraterritorial ones. “The real motor of the Court’s opinion,” Morrison, 561 U.S. at 284 (Stevens, J., concurring in the judgment), then, is less the conclusion that the statute focuses on privacy than the majority’s further determination that the locus of the invasion of privacy is where the private content is stored – a determination that seems to me suspect when the content consists of emails stored in the “cloud.” It seems at least equally persuasive that the invasion of privacy occurs where the person whose privacy is invaded customarily resides.
The closest the majority comes to explaining why the invasion of privacy takes place where the information is accessed may be in this paragraph on Page 40:
The magistrate judge suggested that the proposed execution of the Warrant is not extraterritorial because “an SCA Warrant does not criminalize conduct taking place in a foreign country; it does not involve the deployment of American law enforcement personnel abroad; it does not require even the physical presence of service provider employees at the location where data are stored. . . . [I]t places obligations only on the service provider to act within the United States.” In re Warrant, 15 F. Supp. 3d at 475– 76. We disagree. First, his narrative affords inadequate weight to the facts that the data is stored in Dublin, that Microsoft will necessarily interact with the Dublin datacenter in order to retrieve the information for the government’s benefit, and that the data lies within the jurisdiction of a foreign sovereign. Second, the magistrate judge’s observations overlook the SCA’s formal recognition of the special role of the service provider vis‐à‐vis the content that its customers entrust to it. In that respect, Microsoft is unlike the defendant in Marc Rich and other subpoena recipients who are asked to turn over records in which only they have a protectable privacy interest.
I’m not sure this actually explains why the invasion of privacy is in Dublin, but I think that’s as close as the court comes to explaining the decision to focus on data location. (One thing that puzzles me about the opinion: Let’s say that the content provisions of the Stored Communications Act were never enacted, and that Congress just relied on Fourth Amendment protections for email privacy. Would the result in the case be any different? Is the court really interpreting the SCA, or is it really just discussing the territorial limits of warrants generally?)
While I found Carney’s majority opinion a bit puzzling, I thought Lynch’s concurrence in the judgment was excellent. The last line gives you a flavor: “For these reasons, I concur in the result, but without any illusion that the result should even be regarded as a rational policy outcome, let alone celebrated as a milestone in protecting privacy.”
And here’s Lynch’s opening:
I am in general agreement with the Court’s conclusion that, in light of the presumption against extraterritorial application of congressional enactments, the Stored Communications Act (“SCA” or the “Act”) should not, on the record made by the government below, be construed to require Microsoft to turn over records of the content of emails stored on servers in Ireland. I write separately to clarify what, in my view, is at stake and not at stake in this case; to explain why I believe that the government’s arguments are stronger than the Court’s opinion acknowledges; and to emphasize the need for congressional action to revise a badly outdated statute.
I read Lynch’s approach as ultimately hinging on the burden of proof. “If we frame the question as whether Congress has demonstrated a clear intention to reach situations of this kind in enacting the Act,” he writes, “I think the better answer is that it has not, especially in the case (which could well be this one) of records stored at the behest of a foreign national on servers in his own country.” Where Congress hasn’t clearly intended to regulate an extraterritorial set of facts, the statute should be presumed not to apply to it.
Lynch also writes:
Despite ultimately agreeing with the result in this case, I dwell on the reasons for thinking it close because the policy concerns raised by the government are significant, and require the attention of Congress. I do not urge that Congress write the government’s interpretation into the Act. That is a policy judgment on which my own views have no particular persuasive force. My point is simply that the main reason that both the majority and I decide this case against the government is that there is no evidence that Congress has ever weighed the costs and benefits of authorizing court orders of the sort at issue in this case. The SCA became law at a time when there was no reason to do so. But there is reason now, and it is up to Congress to decide whether the benefits of permitting subpoena-like orders of the kind issued here outweigh the costs of doing so.
I think that’s exactly right. From a policy perspective, there was no good answer to the question of territoriality in the current state no matter how it was read. Congress will need to revisit the statute either way. We just needed a ruling on the current statute to showcase the problem and spark congressional action.