United States: What Controls: The Location Of The Data Or The Location Of The Searches For The Data?

The U.S. Supreme Court recently heard oral arguments in U.S. v. Microsoft, tackling the question of whether an organization can refuse to disclose foreign-stored data sought by the U.S. government through domestic warrants. Currently, the Second Circuit says yes while other circuits tend to say no.

While several district courts have concluded that it is not an extraterritorial seizure to enforce warrants that require organizations to produce U.S. users' account data stored in foreign servers, these decisions conflict with precedent from the Second Circuit Court of Appeals. The Second Circuit held that Microsoft could not be compelled to comply with a warrant if it meant producing foreign-stored data for use in a domestic case. Elsewhere in the United States, judges have rejected the Second Circuit's decision, ordering the production of foreign-stored data pursuant to domestic warrants. These decisions follow the reasoning that a court can order the production of anything that can be accessed and delivered within the United States. Accordingly, no relevant extraterritoriality concerns are implicated despite the storage of data in a foreign location. Outside of the Second Circuit, it is clear that courts are focusing on where the access to and disclosure of the stored data occurs (domestically) rather than the location of the data (internationally). Conversely, the Second Circuit's Microsoft decision focuses on the seizure of the data from a foreign location, which is where it locates the privacy violations and applies its extraterritoriality analysis.

Legislation could fix the differing interpretations, but despite near universal agreement that the Electronic Communications Privacy Act of 1986 needs to be updated and the repeated introduction of new legislation, Congress has been slow to act. Thus, both parties urged the Supreme Court to clarify the law during oral arguments in U.S. v. Microsoft, which focused on whether the search, retrieval, and disclosure of foreign-stored data constituted an extraterritorial act, and if so, how the law should apply.

The Second Circuit and Microsoft

The Second Circuit's decision in July 2016 held that Microsoft could not be forced to turn over emails stored on a server in Dublin, Ireland, for use in a domestic case.  This decision in In the Matter of a Warrant to Search a Certain E-mail Account Controlled and Maintained by Microsoft Corporation ("Microsoft Decision") reversed an April 2014 Southern District of New York ruling denying Microsoft's motion to quash a warrant issued under the Stored Communications Act ("SCA") directing Microsoft to disclose records within its control pertaining to a specific email account.  That court had determined that "an entity lawfully obligated to produce information" in its control "must do so regardless of the location of that information." The Second Circuit disagreed and concluded that the relevant focus of the SCA warrant provisions is on maintaining the privacy of users' stored communications, meaning that foreign-stored communications should not be disclosed, because "the invasion of the customer's privacy takes place" where the protected data is stored. In the Second Circuit's opinion, this means that Microsoft would be forced to perform a foreign seizure of the communications in question while "acting as an agent of the government."

The concurring opinion highlighted the potential slippery slope underpinning the logic of the dissenter's position concerning the location of the disclosure as dispositive.  Specifically, Judge Lynch expressed concern that, under the dissenter's logic, the door could be open for an SCA warrant to obtain content stored in Ireland in an account established in Ireland by an Irish citizen in violation of Irish law merely because the service provider has a branch office in the United States with access to the account.

Although Judge Lynch disagreed with the "majority's determination that the locus of the invasion of privacy is where the private content is stored," calling that determination "suspect when the content consists of emails stored in the 'cloud,'" he indicated that it was "at least equally persuasive that the invasion of privacy occurs where the person whose privacy is invaded customarily resides."  Despite this distinction, Judge Lynch concluded that the panel majority had reached the correct result because he felt that Congress had not "demonstrated a clear intention to reach situations of this kind in enacting" the SCA, especially "in the case (which could well be this one) of records stored at the behest of a foreign national on servers in his own country."

In January 2017, the Second Circuit denied rehearing of the Microsoft case in an evenly divided decision ("Microsoft II").  Three judges recused themselves and four judges separately dissented from the rehearing denial.  Notably, the dissenting judges believed that the conduct that is the subject of the warrant was the provider's disclosure of emails and not their access to customer data, and the disclosure to the DOJ would necessarily take place in the United States.  Further, the dissenting judges argued that "no extraterritorial reach is needed to require delivery in the United States of the information sought," because the warrant asked for data "already within the grasps of a domestic entity."  The dissent also acknowledged a theme that was present in the Second Circuit's 2016 opinion: the difficulty of applying a statute passed in 1986 to present technology.

The Rest of the United States

In analogous cases throughout the country—including the Eastern District of Pennsylvania, the Eastern District of Wisconsin, the Middle District of Florida, the Northern District of California, and the D.C. District Court—magistrate judges have rejected the Second Circuit's decision in Microsoft and ordered organizations to produce foreign-stored data pursuant to SCA warrants.  These decisions adhere to the principle that a court can order any organization that is subject to the court's jurisdiction to disclose anything it can access and deliver within the United States. Following this reasoning, no relevant extraterritoriality concerns are implicated by the foreign storage of user data.

In February 2017, U.S. Magistrate Judge Thomas Rueter in Philadelphia ordered Google Inc. ("Google") to comply with search warrants and transfer email from a foreign server to be reviewed locally, because there was "no meaningful interference" with the account holder's "possessor interest" in the data sought.  Judge Reuter reasoned that for the purposes of the warrant, the seizure of the information occurs where the search is conducted, and the "actual infringement of privacy occurs at the time of disclosure"; both in the United States.  U.S. District Judge Juan Sánchez upheld Judge Reuter's ruling in August 2017.  In his analysis, "the location of the provider and where it will disclose the data [is what] matter[s] in the extraterritoriality analysis."  Citing one of the dissents from Microsoft II, Sánchez distinguished "[t]he nature of electronic documents. Unlike paper documents, which have a tangible physical existence and location," electronic documents are "literally intangible" making their location on a foreign server "merely virtual."  This virtual presence is particularly relevant in regard to Google because, for network efficiency purposes, the company splits digital data into shards and relocates these pieces according to an algorithm between servers located around the globe in contrast to Microsoft, which stores data in fixed locations according to user proximity.

Also in February 2017, Magistrate Judge William E. Duffin in the Eastern District of Wisconsin ordered Yahoo! Inc. ("Yahoo") and Google to comply with search warrants.  Citing the "persuasive" "analysis of the four judges dissenting" from Microsoft II, Judge Duffin determined that the service provider's chosen storage location for customer data "is immaterial," and that "what matters is the location of the service provider" in the U.S., because that is where the data is accessed and turned over to the government.

In April 2017, Magistrate Judge Thomas B. Smith in the Middle District of Florida held that the SCA could be used to compel Yahoo to produce foreign-stored information.  Disagreeing with the Microsoft Decision, the judge said that the focus of the SCA is not on the privacy interests in stored communications but rather on the compelled disclosure. Because the compelled disclosure takes place in the United States, Yahoo must produce information pursuant to the SCA warrant even if that information is stored on a foreign server.

Also in April 2017, Magistrate Judge Laurel Beeler in the Northern District of California ordered Google to comply with a search warrant issued pursuant to the SCA for data "regardless of the data's actual location."  In her opinion, Judge Beeler accepted that SCA warrant provisions do not apply extraterritorially but concluded that warrants in this case should be viewed as "a domestic application of the SCA" rather than an extraterritorial one.  In August 2017, her opinion was reviewed de novo and affirmed, with U.S. District Court Judge Richard Seeborg ordering Google to produce "all content responsive to the search warrant that is accessible, searchable, and retrievable from the United States pursuant to the terms of the warrant" (emphasis added).  Currently, Google is refusing to produce materials stored abroad, despite federal prosecutors' calls for sanctions, and is seeking an appeal, pending the Supreme Court's decision in Microsoft.

In June 2017, Magistrate Judge G. Michael Harvey in the District of Columbia directed Google to comply with a warrant issued under the SCA for contents of a particular Google account.  Based on an interpretation of the SCA that emphasizes disclosure over privacy and access over seizure, and considering the contents of Google's user agreement, the court held that Google is not seizing data. Rather, it already has access.  Google users have no capacity to control the storage location of their data, because they agree to allow Google to access and transfer their data at will when registering for an account.  That is, the data sought by the SCA warrant is already in Google's possession, custody, and control, and Google can access it without further authorization.  U.S. District Court Judge Beryl A. Howell affirmed this ruling in July 2017.

Recently Proposed Legislative Solutions

At the end of May 2017, law enforcement access to data stored abroad was the subject of a Senate Judiciary Committee, Subcommittee on Crime and Terrorism hearing, which was in part another reconsideration of how to update the Electronic Communications Privacy Act of 1986 (ECPA), which created the SCA.  While it is acknowledged by members of Congress on both sides of the aisle that ECPA is seriously out of date, proposals to update it have generally failed.  In July 2017, S. 1671, the International Communications Privacy Act, was referred to the Senate Judiciary Committee. It aimed to clarify the SCA's warrant requirement as it pertains to "global electronic communications while respecting the data privacy laws of other countries" and had broad support from technology companies and industry groups. The House of Representatives held a corresponding hearing on the lawful access to and privacy protection of data stored abroad in June 2017, during which the Department of Justice in light of Microsoft II urged Congress reform the law.

More recently, Congress introduced the bipartisan Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018, which would make the argument at issue in Microsoft moot. In part, the CLOUD Act makes all data in the "possession, custody, or control" of the provider attainable under the SCA, regardless of where the data is physically stored. "Possession, custody, or control" of course has its own Circuit Court variances in definition, which could still create issues in applying the law uniformly. Several tech companies, including Apple, Facebook, Google, and Microsoft, authored a letter to the Senators who sponsored the CLOUD Act, stating that "if enacted, the CLOUD Act would be notable progress to protect consumers' rights and would reduce conflicts of law." The letter further comments that the CLOUD Act is a "logical solution for governing cross-border access to data." Privacy groups disagree, seeing the legislation as a "dangerous expansion" of "law enforcement's ability to target and access people's data across international borders" and saying it does not adequately protect the privacy of cloud storage.

Parsing the Current Landscape

Initially, the factual distinction between Microsoft's and Google's cloud storage solutions seemed to account for the differing outcomes in the Microsoft Decision and the subsequent Eastern District of Pennsylvania case involving Google.  Google breaks up emails, and freely and regularly transfers user data from one data center around the globe to another without the customer's knowledge.  Not only do such transfers not interfere with the customer's access or possessory interest in the user data, but this also means that data does not reside primarily in a single, identifiable foreign location.  Microsoft, on the other hand, does not freely transfer its data, but allocates its storage based on proximity to a location selected by the user during account registration, meaning that the Second Circuit could more easily determine that specific data resided primarily in a fixed jurisdictional location.  If Google's data lacks an alternate, identifiable jurisdictional location, no other foreign discovery options are readily available.

However, the subsequent opinions make it clear that the courts are focusing on the locations of the access to and disclosure of the stored data, which occur in the United States, rather than the location of the data itself.  Conversely, the Microsoft Decision focused on the seizure of the data from a foreign location, which is where it locates the privacy violations and applies its extraterritoriality analysis.

Clearly, all of these cases are criminal ones.  Civil litigants, however, may note the passing references in some opinions to possession, custody, or control, which seem to be the key to understanding how a court may analyze similar civil cases. For example, in the initial court order granting the warrants overturned in the Microsoft Decision, Magistrate Judge James C. Francis IV, determined that the SCA's warrant provisions were substantially similar to "those associated with a subpoena to produce information in [an organization's] possession, custody, or control regardless of the location of that information." The Second Circuit interprets possession, custody, or control broadly, requiring parties in civil litigation to preserve, collect, search, and produce all documents a party has the practical ability to obtain.

Producing foreign-stored documents whether compelled by a subpoena or a warrant may implicate the privacy laws of other countries, which can have their own consequences.  For example, under the European Union's General Data Protection Regulation (GDPR), which comes into effect in May 2018, simply complying with a U.S. search warrant may be unlawful without additional steps. Brad Smith, Chief Legal Officer of Microsoft, testified that "U.S. law enforcement will be significantly restricted in its ability to obtain digital information covered by the GDPR unless it issues demands through international processes, instead of using unilateral, U.S.-based warrants."

Developments at the Supreme Court Level

On June 23, 2017, the Department of Justice filed a petition for a writ of certiorari, asking the United States Supreme Court to overturn the Microsoft II decision blocking the warrant.  In its petition, the Department of Justice argues that the SCA's requirement to disclose information is a domestic application, not an extraterritorial one, and that the Second Circuit's decision conflicts with "unanimous holdings of courts that a domestic recipient of a subpoena is required to produce specified materials within the recipient's control, even if the recipient stores the materials abroad."  Microsoft argues in opposition that the focus of the SCA is properly on "communications in storage" and that it "applies where the communications are stored." Because the statute does not apply abroad, a point both parties agree on, "the SCA reaches only communications stored in the United States." The Supreme Court granted the petition on October 16, 2017.  This high-profile case has garnered attention from many interested parties, resulting in the filing of over 30 amicus briefs by organizations ranging from The New Zealand Privacy Commissioner and the European Commission on Behalf of the European Union to Members of Congress and IBM.

The Supreme Court heard argument on February 27, 2018, bringing us one step closer to a ruling that could give cloud storage providers and domestic users of their services much anticipated guidance as to how far the U.S. government can reach into their digital private lives. As the Second Circuit acknowledged, the Supreme Court is grappling with the application of "decades-old law to modern technology." The oral argument focused on the disclosure (which would happen in the United States) and search (of data currently stored in Ireland) aspects of the SCA. Justices Ginsberg and Gorsuch honed in on the physical characteristics of data storage abroad, which means that some act has to take place in a foreign location for the data to be retrieved. Microsoft argued that retrieving and disclosing the data constitutes an "extraterritorial act," even if a human being is not involved: "if you sent a robot into a foreign land to seize evidence, it would certainly implicate foreign interests." In opposition, the government stated that such a disclosure would be analogous to a federal court requiring a defendant to access foreign assets to pay a fine. Justice Roberts seemed skeptical of Microsoft's claims, stating that it is "not the government's fault that [the data is] located overseas" and suggesting that storing data overseas could be a way for providers to attract customers interested in keeping their data out of the government's grasp. Justice Alito seemed to share Justice Roberts' concerns. Conversely, Justice Sotomayor noted the potential to create "international problems" by expanding the SCA's extraterritorial reach. The government countered that "there is not an international problem here. This is largely a mirage that Microsoft is seeking to create." Justice Breyer attempted to find a compromise, suggesting that when faced with a government warrant, companies could ask a judge whether the warrant was enforceable in light of competing foreign law concerns. Other Justices inquired as to the government's ability to obtain said data outside of the SCA, for example through multi-lateral treaties (MLATs); concerns about foreign sovereignty; and whether they should wait for the CLOUD Act to be enacted. Justices Ginsburg and Sotomayor both appeared to believe that legislation rather than the Supreme Court should resolve the issue. Both parties asked the Supreme Court to decide upon the law as it currently stands without waiting for Congress to act. The Supreme Court's decision is anticipated before the end of June 2018, assuming Congress does not pass legislation to resolve the issue in the meantime.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Similar Articles
Relevancy Powered by MondaqAI
Morrison & Foerster LLP
 
In association with
Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Morrison & Foerster LLP
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions