Second Circuit Microsoft Ruling: A Plea for Congressional Action

*This article originally appeared in Law360 on August 1, 2016.

On July 14, 2016, the U.S. Court of Appeals for the Second Circuit issued a long-awaited decision that — to the surprise of many observers — rejected the government’s construction of the Stored Communications Act and instead embraced a more restrictive view that Microsoft Corp. had advanced, backed by much of the tech industry and many privacy groups. The decision holds that electronic communications that are stored exclusively on foreign servers cannot be reached by U.S. prosecutors under the SCA’s warrant provisions — not even where the warrant is served on a U.S. provider that can access the foreign-stored information, and deliver it to U.S. officials, entirely by using computers and personnel based here in the United States. Microsoft Corp. v. USA, In the Matter of a Warrant to Search a Certain E‐Mail Account Controlled and Maintained by Microsoft Corporation (2d Cir. July 14, 2016)( Docket No. 14‐2985).

The case assumed a high profile in both international and tech circles because of concerns over the data privacy interests of foreign customers of U.S. electronic communications providers. As is well known, the European Union has expressed reservations about information flows to the U.S. because of perceptions (fair or otherwise) about government surveillance — impressions or misimpressions that were exacerbated by the Snowden leaks of 2013 and the decision of the EU’s Court of Justice in October 2015 to invalidate the U.S.-EU digital “Safe Harbor.” The U.S. government and tech community have made a concerted effort since then to respond to EU concerns. In short, this litigation presented an opportunity to apply the long-standing presumption against extraterritoriality in a manner to help “avoid the international discord that can result when U. S. law is applied to conduct in foreign countries.” RJR Nabisco Inc. v. European Community, 579 U.S. __ (2016)(slip op. at 7-8).

The case began when federal prosecutors asked a judge in New York to issue a warrant requiring Microsoft to produce the communications of one of its web-based email customers. The judge found probable cause to believe the account was linked to drug trafficking activity, and so issued the warrant. Microsoft disclosed all relevant U.S.-stored information, but objected that all of the email content information (which, presumably, is what the government really was after) was stored on a server in Ireland. In Microsoft’s view, that foreign storage placed the information beyond the proper reach of the U.S. warrant, and required U.S. prosecutors to work with Irish authorities to secure the information in a manner consistent with Irish laws. The government disagreed, emphasizing Microsoft’s concession that the company could pull information from any of its servers, anywhere in the world, from certain offices in the United States. The district court sided with the government, and Microsoft appealed.

The case largely turned on a dispute about how to characterize the government’s collection activities. Microsoft emphasized the foreign storage location, contending that to require it to collect information in Ireland for disclosure in New York would implicate Ireland’s interests in ensuring and regulating data privacy. The government, in turn, emphasized that the human aspects of the collection would all take place in the United States: U.S.-based Microsoft personnel would use data management programs to access and collect the information and deliver it to U.S. prosecutors in the United States.

This battle of framing was central because of a U.S. legal principle called the presumption against extraterritoriality. As the name suggests, the presumption tells courts that they should treat U.S. statutes as though they apply only to domestic matters unless the statute is clearly intended to apply abroad as well. Everyone agreed that the SCA was not intended to govern foreign matters, so the case came down to whether the government’s disclosure demand in essence concerned something foreign (collection of email contents in another country) or something domestic (disclosures in the U.S. by a U.S. company to a U.S. official). Reasoning that “the relevant provisions of the SCA focus on protecting the privacy of the content of a user’s stored electronic communications,” [Op. 33], the court sided with Microsoft and held the warrant could not be used to compel disclosure of information in Ireland.

The decision is the latest in a string of high-profile U.S. court decisions that rigorously apply the “presumption that United States law governs domestically but does not rule the world,” Microsoft Corp. v. AT&T Corp., 550 U.S. 437, 454 (2007), and on that basis limit the reach of federal law to matters that have a significant foreign link. In recent years, for example, the courts have constrained the reach of U.S. human rights litigation (Kiobel v. Royal Dutch Petroleum Co., 133 S. Ct. 1659 (2013), securities laws (Morrison v. National Australian Bank, Ltd., 561 U.S. 247 (2010), anti-corruption laws (RJR Nabisco, Inc. v. European Cmty., 579 U.S.__ (June 30, 2016), and antitrust laws (F. Hoffmann-La Roche Ltd. v. Empagran S. A., 542 U.S. 155 (2004)). The trend line is clear.

Less clear is whether the strict territorial approach adopted by the court will prove workable. A test that asks where electronic information is stored at the moment a warrant issues is sure to encounter practical difficulties (if the information moved, when precisely, did it move?) and conceptual objections as well, in light of the modern reality that most electronic data is accessible from virtually everywhere. If a U.S. citizen’s information is stored on a foreign server that is accessible from the U.S. at all times by both the citizen and a U.S. company, the conclusion that a U.S. warrant is ineffective because the government is improperly seeking foreign information may seem thin. Conversely, if information that belongs to a foreign citizen or company and is ordinarily stored abroad becomes subject to U.S. warrants if it is temporarily transferred to the U.S. (say, because of the provider’s technical processing needs), the claim that U.S. authorities are concerned only with “domestic” matters in seizing that data may also fail to persuade many observers, who will believe the U.S. government should be required to show a more meaningful connection before applying U.S. laws to seize such information. The prospect raises reciprocal concerns as well. If the U.S. government asserts that U.S. law alone governs disclosure of information with such thin ties to the U.S., we can be sure foreign countries will demand the same manner of production from local companies. The natural result could be an erosion of data privacy protections all around the world. After all, the U.S. is not the only government interested in compelling the production of electronic communications — and others can be even more aggressive.

Notably, Judge Gerard Lynch urged in a concurring opinion that Congress should adopt a “more complex balancing exercise” in place of the “all-or-nothing” approach that emerged from the court’s analysis. [Lynch Op. 14, 18] Judge Lynch’s concurrence suggested that additional factors beyond the server location should be controlling:

I am skeptical of the conclusion that the mere location abroad of the server on which the service provider has chosen to store communications should be controlling, putting those communications beyond the reach of a purely “domestic” statute. That may be the default position to which a court must revert in the absence of guidance from Congress, but it is not likely to constitute the ideal balance of conflicting policy goals. Nor is it likely that the ideal balance would allow the government free rein to demand communications, wherever located, from any service provider, of whatever nationality, relating to any customer, whatever his or her citizenship or residence, whenever it can establish probable cause to believe that those communications contain evidence of a violation of American criminal law, of whatever degree of seriousness. Courts interpreting statutes that manifestly do not address these issues cannot easily create nuanced rules: the statute either applies extraterritorially or it does not; the particular demand made by the government either should or should not be characterized as extraterritorial. Our decision today is thus ultimately the application of a default rule of statutory interpretation to a statute that does not provide an explicit answer to the question before us. It does not purport to decide what the answer should be, let alone to impose constitutional limitations on the range of solutions Congress could consider. [Lynch Op. 17-18]

His opinion was in effect a plea for Congress to hash out the right policy balance rather than leaving these issues to the courts. Judge Lynch may take some comfort in knowing that a bipartisan group of legislators, led by Sens. Orin Hatch, R-Utah, Christopher Coons, D-Del., and Dean Heller, R-Nev., has already joined to sponsor a proposed law known as the International Communications Privacy Act (ICPA). In addition to amending Electronic Communications Privacy Act to require a search warrant to obtain the content of all electronic communications stored with electronic communication and remote computing service providers, the ICPA would make clear that U.S. prosecutors can only use U.S. law to seize data located abroad if the data belongs to a U.S. person or entity or, in the case of a foreign person, where the relevant country does not object or does not have a law enforcement cooperation agreement with the U.S. ICPA would also reform the mutual legal assistance treaty process by providing greater accessibility, transparency and accountability. In addition, the bill expresses the sense of Congress that data providers should not be subject to data localization requirements.

The amicus brief we filed in support of Microsoft advanced an argument that the courts should apply a multifactor balancing test requiring a showing of a “substantial nexus” with the U.S. in order to conclude that execution of the search warrant was properly domestic, rather than impermissibly extraterritorial. The relevant factors under that approach could include, in addition to the key factor of the location of the servers hosting the data, locus of the customer relationship, citizenship of the customer, nature and extent of where the data is accessed, or other case-specific indicia of ties to the United States.

A multifactor, “substantial nexus” test has roots in the framework for analysis established by the Second Circuit in Mastafa v. Chevron Corp., 770 F.3d 170 (2d Cir. 2014). There, the court observed that determining whether conduct is “domestic,” in terms of “the presumption’s application to a particular case,” requires consideration of the “particular combination of conduct in the United States,” id. at 182, 190-91, and judicial “delineation” of the specific contacts that would make a particular application of a statute domestic rather than extraterritorial. Liu Meng-Lin v. Siemens AG, 763 F.3d 175, 179 (2d Cir. 2014).

The U.S. Supreme Court’s June 20, 2016, decision in RJR Nabisco Inc. v. European Community, 579 U.S. __ (2016), confirms the propriety of applying a nuanced approach in this context. In its recent decision, which involved a foreign entity’s suit under the Racketeer Influenced and Corrupt Organizations Act, the court carefully parsed the particulars of the statute and the various relevant factual predicates, and found that while certain applications of RICO’s substantive prohibitions applied extraterritoriality, others did not.

Significantly, the court noted in RJR Nabisco that “[t]here are several reasons for this presumption” against extraterritoriality, but “[m]ost notably, it serves to avoid the international discord that can result when U. S. law is applied to conduct in foreign countries,” (slip op. at 7-8); and, “[a]lthough ‘a risk of conflict between the American statute and a foreign law’ is not a prerequisite for applying the presumption against extraterritoriality, where such a risk is evident, the need to enforce the presumption is at its apex.” (Slip op. at 21.) Likewise, the Court was sensitive to issues of consistency and reciprocity between U.S. and foreign states, noting that “[a]fter all, in the law, what is sauce for the goose is normally sauce for the gander.” (Slip op. at 22)(quoting Heffernan v. City of Paterson, 578 U. S. ___, ___ (2016) (slip op., at 6)). This is important in the Microsoft search warrant context because if the U.S. insists on the power to force transfer of data to the U.S. from foreign servers, other countries — including those more aggressive than the U.S. — will insist on a reciprocal right. This could of course diminish the privacy rights of Americans.

Another possible area for future development is in enhancing the mutual legal assistance treaty process that allows U.S. prosecutors to obtain information located abroad in cooperation with our allies and trading partners. Concerns have been raised, both by the government and by advocacy groups, that this process often moves too slowly, thus impeding law enforcement activities here and abroad. Here too, the Second Circuit’s decision — and Judge Lynch’s invitation for congressional guidance — may lead to creativity and cooperative efforts among government officials, service providers and privacy advocates. The bipartisan ICPA legislation may be a step in this direction.

On July 15, 2016, Attorney General Loretta Lynch submitted legislation to Congress for the purpose of streamlining the MLAT process and enhancing information sharing with certain European governments. In the same letter, the attorney general stated that “[i]f this [Microsoft] decision stands, or is extended to other parts of the country, the U.S. would not have … access to data necessary to advance important U.S. investigations that protect the safety of Americans and could not obtain reciprocal benefits from other countries.” She indicated that the administration would “promptly” submit legislation “to address the significant public safety implications of the Microsoft decision.”

In sum, the policy debate on international data transfers for law enforcement purposes is hardly over.