United States v. Microsoft will be practically significant for its effect on law enforcement’s ability to access data stored abroad, and it has the potential to be doctrinally significant as the latest in a line of recent cases including Morrison, Kiobel, and RJR Nabisco in which the Supreme Court has finessed the presumption against extraterritoriality.
But these important issues in some ways mask the even broader significance of the case. While the Supreme Court is a perfectly reasonable venue for deciding the statutory interpretation question presented, it is a poor fit for addressing the bigger issues behind the courtroom clash: how do the powers of different states interact to govern cyberspace, and how should the balance between state and corporate power in cyberspace be struck? These are hard questions, and ones unlikely to be settled by statutory interpretation canons. Here, good canons may make bad law.
The fact that balance-of-power questions underlie the overt clash between Microsoft and the U.S. government becomes evident when examining the voices making themselves heard in the case. There are many, including civil society groups, U.S. states, and former government officials. But I want to focus on two types of actors, namely foreign sovereigns and tech companies.
Several foreign governments, including Ireland, the United Kingdom, and the European Commission, as well as the New Zealand Privacy Commissioner filed amicus briefs. All of the foreign sovereign briefs were filed in support of neither party, which is a somewhat unusual posture for foreign sovereign amici. As I have previously noted, of the 68 foreign sovereign amicus briefs filed from the 1978 Term through the 2013 Term, only four were filed in support of neither party; the rest chose a side. And in extraterritoriality cases, foreign sovereigns typically support whichever side opposes extraterritorial application of U.S. laws.
Why the ambivalence about picking a side in this case? The answer likely stems from the fact that an important piece of information is not discernible in the pleadings: whose emails is Microsoft being asked to disclose? Is the owner a national or resident of the United States, Ireland, or some other country? If the answer is the United States, then the countries are likely more sympathetic to the U.S. position and may well want the same sort of access to data of their own nationals. But if the answer is Ireland or another country, then the foreign sovereigns may be substantially less supportive of the U.S. position. Instead of the all-or-nothing approaches taken by the Second Circuit and advocated by the parties, the Supreme Court may be able to chart a middle course that would use a comity analysis to take into account the specific facts at issue in particular cases. But for now, it’s complicated.
It’s also important to note which foreign sovereigns are speaking to the Court. The United Kingdom and the European Commission are among the most frequent filers, with the United Kingdom leading the pack. Notably, the foreign sovereign amici are also, especially in the case of the United Kingdom, among the countries most likely to be covered by future bilateral agreements that would allow governments to request data directly from the tech companies. Missing are cyberpowers like China and Russia whose deployment of the rule urged by the United States would be regarded as more problematic. Microsoft’s brief to the Court (p.39) argues, for example:
The United States would be outraged if . . . Chinese officers investigating leaks to the foreign press descended on a service provider in Beijing with a warrant commanding it to access the emails of a U.S. reporter stored in the United States.
Moreover, it’s no coincidence that it is a global company bringing up the possibility of reciprocal claims and focusing on the behavior of China. The tech companies are in some ways less parochial than the governments involved in the case because they operate in worldwide markets and are on the front lines to receive demands from governments around the world.
Microsoft, supported by many other major U.S. tech companies, picked this fight because, Microsoft argues, the U.S. “approach . . . presents an existential threat to the multibillion-dollar U.S. cloud-computing industry.” And this case is serving as an action-forcing event. It is spurring consideration in Congress of bills to amend the Stored Communications Act and to further negotiation of bilateral agreements to resolve cross-border data access questions.
For companies that need a resolution, finding ways to move government policy-making along may be crucial at a time when Congress is generally gridlocked, one of the main venues for international discussions of cyberspace policy—the U.N. Group of Governmental Experts—has collapsed, and the Trump Administration has downgraded the role of the State Department Cyber Coordinator, the official previously charged with leading U.S. cyberspace diplomacy.
The debates about power in cyberspace won’t be settled by the Supreme Court’s decision or even Congress’s passage of a bill to revise the Stored Communications Act. The Court’s opinion in the Microsoft case may alter the presumption against extraterritoriality, and it will likely set a default rule about government access to data. That rule will be subject, though, to overriding by later congressional action. And the ultimate resolution to debates among governments and between private and public powers about control over cyberspace won’t be found in the U.S. Reports.