In an order issued on October 16, 2017, the U.S. Supreme Court granted certiorari in United States v. Microsoft Corporation, a case with potentially far-reaching implications for the privacy of electronic data maintained by technology companies across the globe.
The case, which Robinson+Cole has previously discussed here, here, and here, arises from a warrant obtained by the Department of Justice (DOJ) under the Stored Communications Act (SCA).[1] The SCA was enacted in 1986 to protect the privacy of electronic communications, including by extending privacy protections to electronic records analogous to those afforded under the Fourth Amendment to the U.S. Constitution.[2] In relevant part, the SCA requires a governmental entity in most instances to secure a warrant in accordance with the Federal Rules of Criminal Procedure to compel disclosure of electronic communications stored by a service provider.[3]
In this case, the DOJ warrant directed Microsoft to seize and produce the contents of a Microsoft user’s email account in connection with a drug trafficking investigation. In response, Microsoft produced non-content data stored on servers within the United States, but refused to produce the contents of the user’s account stored on a server located in Dublin, Ireland.[4] After a federal district court ordered Microsoft to produce the records stored in Ireland, in July 2016 a unanimous panel of the U.S. Court of Appeals for the Second Circuit quashed the warrant, finding that the DOJ’s attempt to procure the contents of emails stored on a server in Ireland constituted an impermissible extraterritorial application of the SCA.[5]
In reaching its decision, the Second Circuit panel cited the “very different” technological context in which the SCA was passed in 1986 as a factor affecting the panel’s construction of the SCA, and also noted the “strong and binding” presumption against extraterritorial application of U.S. statutes endorsed by the U.S. Supreme Court.[6] Under the Supreme Court’s extraterritoriality framework, the analysis turned on whether the conduct compelled by the SCA warrant – the production of the contents of the records (representing the invasion of the user’s privacy) – occurs within the United States or in Ireland. The DOJ argued that because Microsoft can disclose the records in question from the United States, the warrant does not represent an extraterritorial application of the SCA, and should be interpreted consistent with precedents governing subpoenas that require delivery of records within a recipient’s control, regardless of the location of the records.[7] The Second Circuit panel determined that “the invasion of the customer’s privacy takes place under the SCA where the customer’s protected content is accessed—here where it is seized by Microsoft, acting as an agent of the government,” and sided with Microsoft in concluding that “an SCA warrant may reach only data stored within United States boundaries.”[8]
In January 2017, the Second Circuit rejected a request for an en banc rehearing of the case in an evenly divided vote. That denial was accompanied by dissents that focused on the alleged deleterious effects the panel’s decision would have on law enforcement investigations under the SCA, as well as a need to update the SCA to confront the realities of information privacy in the digital age. Notably, Circuit Judge Cabranes argued that the panel’s decision “indisputably and severely… restricted” an important investigative tool and “substantially burdened the government’s legitimate law enforcement efforts” without serving any “serious, legitimate, or substantial privacy interest.”[9] He further stated that the relevant conduct regulated by the SCA is the service provider’s “disclosure or non-disclosure of emails to third parties, not a provider’s access to a customer’s data,” and because Microsoft here could disclose the records in question to the DOJ from its offices within the United States, the warrant represented a domestic application of the SCA.[10]
Although the Supreme Court has not yet scheduled oral arguments in this case, the Court is expected to hear it in early 2018, and to issue a decision by June, 2018. The merits brief for the government will be due within 45 days of the Court’s order granting cert (by November 30, 2017), and Microsoft’s brief on the merits will then be due 30 days after the government’s brief is filed, provided that these deadlines are subject to change.
Given the stakes in this case for technology companies, government officials and law enforcement, and more broadly for the information privacy of all users of electronic systems, interested parties may seek to bring particularly important issues to the attention of the Supreme Court via submission of an amicus curiae brief. An interested third party from the United States or abroad must obtain the written consent of all parties to the case to file an amicus curiae brief, although the Court customarily will allow submission of an amicus curiae brief without the consent of all parties to a case upon receipt of a motion for leave to file an amicus curiae brief. An amicus curiae brief generally must be submitted within seven days after the brief of the party supported by the amicus curiae is filed, or if no party is supported within seven days of the deadline for the petitioner’s or appellant’s brief, and is subject to certain additional requirements set forth by Rule 37 of the Rules of the Supreme Court of the United States.
Robinson+Cole will continue to closely monitor this case as it is reviewed by the U.S. Supreme Court.
[1] 18 U.S.C. § 2703.
[2] Microsoft Corp. v. United States (In re Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp.), 829 F.3d 197, 206 (2d Cir. 2016).
[3] 18 U.S.C. § 2703(a), (c).
[4] Microsoft, 829 F.3d 197, 200.
[5] Id. at 222.
[6] Id. at 206, 209 (citing Morrison v. National Austl. Bank Ltd., 561 U.S. 247, 255 (2010)).
[7] Microsoft, 829 F.3d 197, 201.
[8] Id. at 220-221.
[9] Order of Denial of Request for Rehearing En Banc (Cabranes, J., dissenting), at 1-2.
[10] Id. at 9-10.
[View source.]