As readers no doubt already know, the Second Circuit today issued a surprise ruling in the Microsoft Ireland warrant case — siding with Microsoft. The result: location of data controls, at least for purposes of warrant jurisdiction. US-issued warrants can no longer be relied on to compel the production of stored communications (such as emails) located outside the United States’ territorial jurisdiction. Rather, the United States must make a diplomatic request for extraterritorially located data via a mutual legal assistance treaty (or other avenue if no such treaty is in place) — and then wait for the foreign partner to respond. This is the case even if the target of the investigation is a US citizen and the provider that controls the data can access it from the United States. (It’s an issue I’ve written about extensively here, here, and here.)
It seems almost certain that the government will appeal the ruling. But a lot less certain that the Supreme Court will take certiorari. In the meantime, we can expect, and hope for, much more executive branch engagement with Congress on the issue.
Here are three quick takeaways to keep in mind.
#1: Read Judge Lynch’s concurring opinion. He gets it exactly right in all key respects. First, this is not a privacy case, although it does have important privacy implications. The government, after all, is proceeding by a warrant issued based on probable cause. No one would think this is a privacy violation if the data were stored in Redding, Washington. It thus does not become a privacy violation because the data is stored in Ireland. Second, nothing in the text or legislative history of the statute suggests that Congress considered or intended the possibility that SCA warrants would have transnational reach; particularly given the Supreme Court’s recent reaffirmation of the presumption against extraterritorially, they should not. Third, this is a wholly unsatisfactory result, even if correct as a matter of statutory interpretation and the application of Supreme Court doctrine. It means that US law enforcement can no longer compel, via a lawfully obtained warrant, a US-based provider to turn over the emails of a US citizen being investigated in connection with a New York City murder if his or her data happens to be stored on a server outside the United States territory. Rather, it must make a diplomatic request for the data in whatever place the data happens to be stored. And then wait — perhaps months or longer — for a response. This makes little sense. Fourth, Congress should engage. (More on this in point #3 below.)
#2: Electronic communications are not the same as business and bank records. The court squarely rejects the analogy (which had been heavily relied on by the government) between this case and prior Second Circuit cases in which the court ordered corporations and banks to, in response to lawfully obtained subpoenas, produce records subject to their control but outside the territorial jurisdiction of the United States. In the words of Judge Carney:
Microsoft convincingly observes that our Court has never upheld the use of a subpoena to compel a recipient to produce an item under its control and located overseas when the recipient is merely a caretaker for another individual or entity and that individual, not the subpoena recipient, has a protectable privacy interest in the item.
To sum up, individual users do not lose their “protectable privacy interest” in their emails simply because they entrust them with an Internet Service Provider (ISP) “caretaker.” Here, the Second Circuit seems to be suggesting that the heightened privacy interests in personal, electronic communications require a new set of rules — and implicitly rejecting the idea that one loses his or her privacy interests in one’s emails simply because they have been entrusted with a third-party ISP.
#3: The ultimate result in the case concerning. (I also would have said the same if the government had won; as I’ve written before, both sides’ positions in this case were unsatisfactory.) If left to stand as is, it will provide a strong incentive for mandatory data localization as a means of both ensuring and controlling governmental access to sought-after data. This has negative consequences for the innovative potential of the Internet, for US-based companies (who are likely to be increasingly subject to competing sets of legal obligations), and for privacy rights of both American and foreign-based users. After all, the US requirement that law enforcement officials obtained warrant issued by a neutral magistrate based on a standard of probable cause before accessing the content of stored communications is as high of a standard as one will find anywhere; data localization mandates are likely to result in foreign governments being able to compel the production of data — including of Americans — based on a much lower standard than what would apply if the data were sought by the United States.
Congressional action is thus key. And this is not just me and Judge Lynch saying so. Even Microsoft’s President and Chief Legal Officer Brad Smith urged Congress to reform the law in the same breadth that he welcomed and praised the ruling. The bipartisan International Communications Privacy Act — which explicitly authorizes law enforcement to obtain, via warrant, the data of US citizens and other persons located in the United States, regardless of the location of the data — offers an approach to be considered. A comprehensive piece of legislation that address the reciprocal problem — of foreign governments seeking access to data of their own citizens and residents that happens to be located in the United States (an issue discussed here, here, and here) would be an even better response. Ultimately, neither the United States’ nor foreign governments’ ability to access sought-after communications should turn exclusively on where data happens to be located at any given moment. It’s now up to Congress to make this change. As a means of protecting our economy, our security, and our privacy.
This post also appears the American Constitution Society’s site.