For the moment it depends who you ask. In recent weeks, we have heard talk of walls and borders. But some at the Department of Justice are working to break down barriers and convince the courts that they can gain access to a person's data regardless of where it is ultimately stored. In this post I address two recent cases that reached completely different results on whether the government can enforce a warrant that seeks data from a U.S. company but that is stored in a foreign country.
In both cases the government sought and obtained warrants under the Stored Communications Act (the SCA, 18 U.S.C. § 2701 et seq.) for data from two Internet Service Providers (ISP's) – Microsoft and Google. Section 2703 of the SCA regulates what procedures the government must follow when seeking stored electronic communications. For instance, if the government is only seeking basic subscriber information it must only issue an administrative subpoena. Conversely, if the government wants to obtain the contents of stored communications from the ISP, it must seek a warrant in accordance with the Federal Rules of Criminal Procedure. The two cases discussed here dealt with the latter situation, where the government obtained warrants for the contents of email communications.
Microsoft v. U.S.
In Microsoft v. United States, federal law enforcement obtained a warrant during a criminal narcotics investigation. The warrant ordered the seizure of the content of certain stored communications from a Microsoft email account believed to belong to the targets of the investigation. In response, Microsoft produced information that was stored on servers within the United States but refused to disclose the content of the email communications the warrant sought on the ground that the servers where the communications were stored were located in Ireland.
Though the district court upheld the warrant and ordered Microsoft to turn over the data stored in Ireland, the Second Circuit reversed. The court concluded that Section 2703 of the SCA does not apply extraterritorially and therefore does not require an ISP to produce data stored on a foreign server. Specifically, the Court held that the SCA "does not authorize courts to issue and enforce against U.S.-based service providers warrants for the seizure of customer email stored exclusively on a foreign server." The case was widely followed and resulted in dozens of amicus briefs filed by technology and media companies, trade associations, computer scientists and even the government of Ireland in support of Microsoft's position.
Recently the Second Circuit denied en banc rehearing by a 4-4 vote. Thus, absent a decision from the U.S. Supreme Court or new legislation, the Microsoft decision is controlling throughout the Second Circuit.
Google v. United States
Meanwhile, in USA v. Information Associated With Google Accounts More Fully Described in Attachment A ("Google v. U.S.") a federal magistrate in the Eastern District of Pennsylvania reached the exact opposite conclusion. Like Microsoft, the Google case also involved a warrant obtained pursuant to the SCA for the content of stored communications. In response Google raised the same objections as Microsoft and relied heavily on the Microsoft case as support for its position. Unlike Microsoft, however, the magistrate in Google upheld the warrant.
With respect to the SCA's reach, the court in Google drew the line in a very different place than Microsoft. In Microsoft, the court reasoned that the warrant could not reach the data because the data was in another country. Conversely, the magistrate in Google held that the end location of the data did not matter because the ultimate seizure would take place in the U.S. once the company transferred the responsive data back to its American servers. The Google court reasoned "[e]lectronically transferring data from a server in a foreign country to Google's data center in California does not amount to a 'seizure' because there is no meaningful interference with the account holder's possessory interest in the user data." In support of its decision the court pointed to cases where courts held that "photocopying documents or taking photographs of materials did not constitute a "seizure" because such actions did not meaningfully interfere with the owners' possessory interest."
The court also distinguished Microsoft on the facts, noting that the way Google stored its information differed significantly from Microsoft. In Microsoft the data did not leave Ireland. Conversely, in Google the company could not actually tell the magistrate where its data was stored. This was because Google regularly moves data between its global network of servers for efficiency. Thus, as the court noted, it would be almost impossible in the context of Google to determine which country's sovereignty would be implicated. Microsoft, on the other hand, did not have that problem.
What's Next?
Obviously this issue is not going away any time soon. A company may decide to store data in the U.S. or abroad for a number of reasons including cost, efficiency and the privacy protections available in certain countries. Further, while the line drawn in Microsoft makes sense at first blush, it may not be workable for a company that stores data like Google. According to Google, it intends to appeal the Pennsylvania decision. While there is no telling what the Third Circuit will do (or the District Court for that matter), we may be in for our first big circuit split of 2017.
This post first appeared in Frankfurt Kurnit's Focus on the Data blog (www.focusonthedata.com). It provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.
