On Thursday, July 14, 2016, the Second Circuit effectively quashed a judicially authorized search warrant by which the U.S. Government had sought to obtain customer data that Microsoft stored overseas.
Microsoft Corp. v. United States, No. 14-2985, slip op. (2d Cir. July 14, 2016). In doing so, the Second Circuit held that the Government cannot obtain a search warrant under the Stored Communications Act (SCA) to obtain electronic customer data located exclusively on foreign servers, even where a U.S. corporation has custody and control of that data.
In
Microsoft, the Second Circuit was asked to review a Southern District of New York decision denying a motion to quash a search warrant that required Microsoft to turn over all records associated with a specific email address. A United States magistrate judge had issued the warrant based on a finding that there was probable cause to believe that the account was being used in furtherance of narcotics trafficking. Microsoft agreed to produce all responsive data that was stored in the United States, but refused to produce the customer content that it stored and maintained in Ireland. The District Court denied Microsoft’s motion to quash, holding that the SCA applied extraterritorially and that Microsoft was required to produce all responsive information over which it had custody and control, regardless of location.
In reversing the district court’s denial of the motion to quash, the Second Circuit held that the SCA’s search warrant provisions do not apply extraterritorially. Citing the Supreme Court’s 2010
Morrison decision, the Second Circuit stated that extraterritorial application of the relevant provisions would violate the “longstanding principle” that U.S. laws only apply within the territorial jurisdiction of the United States unless expressly stated otherwise. In the Second Circuit’s view, the SCA does not envision, either explicitly or implicitly, the application of its warrant provisions overseas. Instead, the SCA’s primary focus is to protect “users’ privacy interest in stored communications,” and a search warrant’s “distinctly territorial way” of protecting privacy weighs against implicit extraterritorial application.
This decision has the potential to have wide-ranging impact. First, the Second Circuit explicitly noted in its decision that the mere fact that a “service provider has a base of operations within the United States” does
not justify the application of the search warrants pursuant to the SCA on a worldwide basis. Instead, the inquiry is properly focused on the location of the data sought by the search warrant, rather than the location of the person or entity impacted by the search. This principle provides strong protection and clarity to companies that opt to store customer data overseas. Second, the decision implicitly respects the legal protections and rights placed on data in foreign jurisdictions; it therefore has the potential to prompt further strengthening of foreign data protection laws and will likely prod multinational companies to think further about how to structure their international data storage. Finally, this decision could serve as a significant limitation on the Government’s surveillance powers overseas, which in turn could spur a drive to modernize the SCA and other related electronic privacy laws. Especially if companies start moving data overseas in an apparent effort to shield such data from domestic disclosure, the Government may seek legislative changes or at least further cooperation from foreign regulators.
For a more detailed analysis of the
Microsoft case, consult a recent publication co-authored by the Litigation and Privacy & Data Protection groups of Shearman & Sterling LLP, available
here.
