On 14 July 2016, Microsoft won an important appeal against the US government over a US search warrant that aimed to force the company to hand over certain customer data stored exclusively in Ireland.
The decision will be much welcomed by US technology companies, who over recent years have become embroiled in a power struggle with the US government over when and if public or law enforcement authorities should gain access to their digital data. The decision also has important global implications, particularly for cloud service providers, who increasingly find themselves subject to court orders from foreign courts demanding access to their customer data. Had the US government prevailed, it may have set a dangerous precedent by supporting a government's right to embark on unilateral law enforcement incursions into another sovereign country without regard for international law.
The outcome also represents an important victory for individual privacy and for the principle that people around the world should be able to rely on the privacy protections of their own government and laws.
The case centered around a warrant that was issued by US prosecutors in December 2013 in connection with a drugs investigation being run by the US government. This warrant compelled Microsoft to disclose to the US government private emails and personal information stored in a customer's email account, even though that email account was stored by Microsoft on servers located in the US and in Dublin, Ireland.
Whilst Microsoft complied with the warrant in relation to the data held in the US, it refused to comply in relation to data held extraterritorially in Ireland. Microsoft argued that the government should instead pursue traditional bilateral law enforcement and diplomatic channels and collaborate with the relevant Irish and EU authorities to gain lawful access to such data.
This argument was, however, initially batted away by a magistrate judge in April 2014, who sided firmly in favor of the US government and the extraterritorial application of American law (namely the SCA [Stored Communications Act] passed as part of the Electronic Communications Privacy Act 1986). Microsoft's attempt to appeal this decision was also rejected by the District Court in July 2014, leading Microsoft to file an appeal in the 2nd Circuit Court of Appeals on 8 December 2014.
Last week, the 2nd Circuit unanimously overturned the District Court's July 2014 decision. In the 43-page decision, the panel concluded that: "The focus of those provisions is protection of a user’s privacy interests. Accordingly, the SCA does not authorize a U.S. court to issue and enforce an SCA warrant against a United States‐based service provider for the contents of a customer’s electronic communications stored on servers located outside the United States." (emphasis added).
This decision will likely be welcomed and applauded by the industry giants, including the 28 technology and media companies (including, amongst others, Apple, AT&T, Cisco and Verizon), 35 leading computer scientists and the government of Ireland, all of whom actively supported and contributed to the appeal in support of Microsoft's case. Microsoft president Brad Smith said in a statement that he "welcomes" the decision:
“It makes clear that the U.S. Congress did not give the U.S. Government the authority to use search warrants unilaterally to reach beyond U.S. borders. As a global company we’ve long recognized that if people around the world are to trust the technology they use, they need to have confidence that their personal information will be protected by the laws of their own country,” said Smith.
The Government's Case for National Security
Arguing in defense of national security interests, the US DoJ contended that the warrant should be enforced because the SCA regulates providers within the US, and that it is therefore the location of the corporation, rather than that of the data, that should determine the application of the SCA. If territorial restrictions applied to SCA warrants, it would be very easy for criminals to evade investigations, the government said. Moreover, having to rely on international treaties (like MLATs) to enforce the SCA would dramatically slow down and undercut investigations, and a country can deny assistance to a nation with which it has a treaty for a variety of political, security or other reasons.
However, speaking on behalf of the 2nd Circuit Court of Appeals, Judge Carney rejected these arguments: “When, in 1986, Congress passed the Stored Communications Act as part of the broader Electronic Communications Privacy Act, its aim was to protect user privacy in the context of new technology that required a user’s interaction with a service provider. Neither explicitly nor implicitly does the statute envision the applications of its warrant provisions overseas.” The ruling therefore confirms that the location of the data, rather than that of the corporation, controls the application of the SCA.
Microsoft's Case for Privacy
In the case for privacy, Microsoft's lawyers urged the court to consider the foreign policy issues at stake, arguing that siding with the US government would result in a dangerous extension in the overseas reach of US law enforcement, with the potential to unleash an "international firestorm" by giving a green light for other countries to enact their own SCA-like statutes, requiring US companies to surrender consumer data. “If the Government prevails here,” wrote the company’s lawyers in their pre-argument briefs, “the United States will have no ground to complain when foreign agents—be they friend or foe—raid Microsoft offices in their jurisdictions and order them to download U.S. citizens’ private emails from computers located in this country.”
In addition to the newly adopted EU-U.S. Privacy Shield agreement, Microsoft also cited the EU General Data Protection Regulation, due to go into effect in May 2018, to support its claim that the U.S. government should use inter-governmental agreements rather than a warrant to require technology companies to turn over data stored in the EU that are required for an investigation.
The Bigger Political Picture
Microsoft's foreign policy concern about a potential "international firestorm" may not be unwarranted. Governments around the world have recently been stepping up their legislative efforts to increase their ability to gain greater access to data to support criminal investigations and in the interests of national security.
Indeed, only a day after the Microsoft decision, the US government published its draft legislation for cross border data requests. The legislation aims to remove US legal barriers to direct access to US communications providers by foreign governments that have entered into executive agreements with the US to help support criminal investigations. In fact, the US government’s cover letter explains that it is going forward with this proposal despite the Microsoft ruling.
The government also explains that its first specific implementation of the legislation would be a bilateral agreement between the UK and US, which would permit US companies to provide electronic data in response to UK orders for targeting non-US persons located outside the US, whilst affording the US reciprocal rights regarding the electronic data of companies stored in the US.
In a similar vein, the UK parliament recently passed the controversial draft Investigatory Powers Bill (dubbed the "snoopers charter"), which significantly broadens out the scope of the powers UK authorities have to access communications data by (amongst other things) forcing companies, including overseas companies with a UK presence, to install encryption backdoors.
With law enforcement agencies around the world demanding greater access to data, some critics argue that the Microsoft ruling could in fact drive governments to push for data localization rules that would require companies to store data within their borders. Russia already enforces a data localization rule, and Brazil and France have considered similar legislation.
This issue is therefore not going away anytime soon and it remains to be seen how long the Microsoft decision will remain without being challenged and undermined by the wider legislative efforts to facilitate and enable cross border data requests. For the moment, the case represents an important victory for privacy, international law and the sovereignty of national laws.