By:
Gregory P. Bufithis, Esq.
Founder/CEO
20 July 2016 – First, a brief recap:
The Microsoft Ireland case began in December 2013 when a district court judge in New York issued a warrant asking Microsoft to produce all emails and other private information associated with a certain account. I have read all the briefs in the case, including 10 of the amicus (“friends of the court”) briefs. Taken together, a Masterclass in cloud services, data protection, mutual legal assistance treaties, subpoenas, warrants, etc.
Most of the user’s data happened to be stored in an Ireland datacenter — one of many datacenters Microsoft maintains around the world to improve the speed of its network for foreign users. Microsoft produced account information kept on servers in the United States, but refused to produce any data stored on servers in Ireland, arguing the government’s warrant does not apply extraterritorially. Microsoft moved to vacate the warrant, but the district court found in favor of the government and ordered Microsoft to disclose the data held in Ireland. Microsoft appealed that decision to the U.S. Court of Appeals for the Second Circuit.
The court assumed, following the briefing of the parties, that the Stored Communications Act (SCA), if it applied, would require Microsoft to comply with the warrant. Everyone in the case agreed that the SCA applied only inside the United States. The big issue was whether the Act’s territoriality was governed by where the disclosure occurs (inside the United States) or where the data is stored (outside the United States).
The court ruled that the Act’s territoriality is governed by the location of the data. Because Microsoft stored the data outside the United States, Microsoft doesn’t have to comply with the warrant.
As I read the majority opinion, authored by Judge Susan Carney, the core reasoning of the opinion largely boils down to a single sentence on page 39 of the opinion. After reasoning at length that the Act is focused on user privacy, Carney announces the follow conclusion:
“it is our view that the invasion of the customer’s privacy takes place under the SCA where the customer’s protected content is accessed — here, where it is seized by Microsoft, acting as an agent of the government.”
Like many, I was a bit surprised by the Microsoft Ireland decision. Our view was … procedurally … a seizure of the data takes place in the U.S. and therefore the warrant would not be exercised extraterritorially. Alas, these worthy judges did not agree with us. That’s fine but the majority opinion is not very clear on why the court thinks that the execution takes place in Ireland where the data is, and not in the U.S. where a Microsoft employee is served with the warrant, or where he/she places her fingers on the keyboard to extract the responsive information, or where the law enforcement official ultimately reviews the data. I think it goes to the issue that most courts still think that data is a “thing”, an “item”, some kind of “property” with a physical presence. An indication of this from the opinion:
“[O]ur Court has never upheld the use of a subpoena to compel a recipient to produce an item under its control and located overseas when the recipient is merely a caretaker for another individual or entity and that individual, not the subpoena recipient, has a protectable privacy interest in the item.”
I think the concurring opinion of Judge Gerard Lynch is the better opinion to read. It is much clearer than Judge Susan Carney’s majority opinion. Lynch gets to the same result as the majority opinion albeit via a different route but focuses very clearly on proof/legislative intent:
“If we frame the question as whether Congress has demonstrated a clear intention to reach situations of this kind in enacting the Act. I think the better answer is that it has not, especially in the case (which could well be this one) of records stored at the behest of a foreign national on servers in his own country.”
He is clear: where Congress hasn’t clearly intended to regulate an extraterritorial set of facts, the statute should be presumed not to apply to it. And he goes further:
“My point is simply that the main reason that both the majority and I decide this case against the government is that there is no evidence that Congress has ever weighed the costs and benefits of authorizing court orders of the sort at issue in this case. The SCA became law at a time when there was no reason to do so. But there is reason now, and it is up to Congress to decide whether the benefits of permitting subpoena-like orders of the kind issued here outweigh the costs of doing so.”
I think he gets it perfect. From a policy perspective, there was no good answer to the question of territoriality. It was the court saying “Hey: Congress will need to revisit the statute either way. All we did was showcase the problems in order to spark congressional action”.
NOTE: for a masterful review of the case and a summary of the major issues at play in the decision I recommend Chris Dale’s post which you can access here. An excellent commentary blending quotes from some of the major “opinions on the opinion”. I want to focus on a few points made by Richard Falkenrath, Orin Kerr, Andrew Woods and others on the “downstream effects” of the case.
Localization. I have no doubt this case will incentivize localization policies or find other ways to get data that is extraterritorial and therefore – under the logic of this case – beyond the state’s jurisdictional reach. So now added to the technological barriers (such as encryption) and jurisdictional barriers (such as blocking statutes) we have a legal precedent. We already know how governments have a desire to look for solutions “elsewhere”, including backdoors and mandatory localization requirements. This will accelerate. We even see it in the e-discovery space where two vendors (that I know of) are configuring Relativity and language translation appliances that function totally outside the U.S. on EU-based clouds.
Why this was a win for Microsoft but not the tech industry as a whole. Yes, Microsoft had an “A List” of technology firms that filed amicus briefs in support of its position. They are listed in the first few pages of the decision: Apple, AT&T, eBay, H-P, Verizon, etc.
But note the two Goliaths missing: Facebook and Google. Why? Ah. Now you have the crux of data and globally distributed networks, a point made by Andrew Woods and Orin Kerr. If you read the majority opinion and the concurring opinion what you have is a statement that states have the authority to regulate the data stored on disks in their territory … but nothing beyond that. I spend a lot of time in the TMT zone (technology-media-and-telecommunications) and this is called the “data-location-centric test”. Highly welcome if your network is structured around state lines – AT&T, Verzion, Microsoft’s country-specific cloud offerings (which will now increase), etc.
Ah. But what about those networks independent of state lines? How about those networks where the data is located in the U.S. or Europe of “somewhere in the network”. You know: firms like Google and Facebook. Such a rule as I outlined hurts them because they structure their network largely independent of state lines. There are scores of legal cases in Europe (and elsewhere) where U.S. tech firms have argued that their data is in the U.S., even if it is really pinging around a globally distributed network. They rely on a control test to determine jurisdiction. This case rejects such a test and thereby gives a competitive edge to firms, like Microsoft, that have built networks along country lines. There is an excellent law review article (just published) titled “Against Data Exceptionalism” by Andrew Woods which addresses these issues of how major Internet companies like Google and Facebook argue that “data is different”. Data is “un-territorial,” they argue, and therefore incompatible with existing territorial notions of jurisdiction.
Separate data agreements will flourish, as will legislative rewrites. As noted by Chris Dale in his post, the separate US-UK negotiations regarding cross-border access to data [you can read more about those negotiations in a Washington Post article here] will certainly move up the list of importance, as will other similar agreements. Because as of this ruling the DOJ can access the emails it seeks from Microsoft only if it receives mutual legal assistance (MLA) from Ireland, a laborious process. So, what is the alternative? Strike a deal with Ireland … and every other country … to get around the MLA process.
And clearly the Microsoft Ireland case will mean the Electronic Communications Privacy Act (ECPA) gets a relook. ECPA was passed in 1986, and Congress could not have fully understood the privacy implications, or the jurisdiction implications, of the Internet at that time. There has been a lot of internet chatter on how to modernize it vis-a-vis law enforcement needs for a search warrant based on probable cause, etc. before it can read our email or track our physical location—though these have not progressed in Congress. Now with this case Congress will likely take up ECPA again.
Plus, one expects more focus on a new bill that has been floating around Congress – the International Communications Privacy Act. Except Google won’t be on board with this one because it would complicate their own hoovering up of everything about you.
I suspect the Microsoft Ireland case may be a short-term victory for privacy advocates, but its larger implications are far more complex. The policy and legal decisions made in its wake will determine whether the opinion is ultimately an advancement of or a blow to privacy and innovation on a global Internet. Ultimately, this decision may have more impact on Internet innovation than it does on preserving privacy.
