Microsoft-Ireland Oral Argument Preview: Will the Supreme Court Stave Off Data Localization?

On Tuesday, the Supreme Court will hear oral argument in United States v. Microsoft Corp., a case that will carry broad consequences for our digital lives. The issue to be resolved is whether a warrant obtained under the Stored Communications Act (SCA) can compel a U.S. company to produce information under its control but stored outside the United States. If the Supreme Court answers that question affirmatively, some commentators warn that authoritarian governments will compel American companies with a presence in their borders to produce similar information. But if the court says no, others fear that governments will pass so-called “data localization” laws requiring companies to preserve copies of their data within the judiciary’s jurisdictional reach.

In preparation for oral argument tomorrow, this piece summarizes what’s happened in the lower courts, what each side has argued, and what Lawfare’s writers have said.

***

In 2013, a federal judge in New York granted a government application for a warrant under 18 U.S.C. §2703 of the SCA to obtain email content and information from Microsoft about a suspected drug trafficker. Microsoft produced responsive metadata held in American data centers but declined to produce content data held in Ireland. The company argued that because the SCA lacks extraterritorial application, the warrant does not apply to data stored abroad.

A federal judge in the southern district of New York ruled against Microsoft and held the company in civil contempt. Microsoft appealed to the Second Circuit, which reversed the district court’s denial of Microsoft’s motion to quash and contempt order in July 2016. It ruled, as Andrew Keane Woods described for Lawfare, that:

1. Because the SCA is silent as to its territorial reach, it must be read consistent with the presumption against extraterritoriality and therefore does not apply abroad; and
2. The relevant territorial question for the purposes of determining the warrant’s reach is “where is the data stored?” rather than other possible inquiries, such as “where is the company located when they are served with the warrant?” or “can the company access the data from the U.S.?” Because the data in this case is stored in Ireland, a U.S. warrant delivered in Washington operates in Ireland for the purposes of the SCA, and therefore is an impermissibly extraterritorial application of that statute.

The government sought Supreme Court review. Its cert petition first argues that the act of disclosure to the government, which would occur in the United States if Microsoft were to comply with the warrant, is the “conduct relevant to the [SCA’s] focus,” not the location of the data at any given moment. Second, it cites a series of banking cases in which courts have forced financial institutions to comply with subpoenas for foreign-held records regardless of where the bank chose to store them. Last, the government argues that companies should not be empowered to circumvent proper legal process through the instantaneous decision to store data outside that country’s jurisdiction.

Microsoft’s opposition brief argues that the court should deny cert on three grounds:

First, Congress is actively considering legislation to allow limited extraterritorial application of the SCA, and the statutory vehicle offers more nuanced remedies than those available to the court. Second, it argues that the Second Circuit’s ruling correctly views the location of the data as the relevant focus of the SCA. And last, it argues the court should wait until other circuit courts consider the issue to see whether other appellate jurisdictions come to different conclusion. Without a “circuit split,” the court should deny cert.

In September, the government filed its reply brief. The court granted cert on Oct. 16.

Merits Briefs

The government’s merits brief argues that the relevant provision of the SCA regulates “providers’ disclosure of electronic information to the government, not providers’ storage of that information.” Because that disclosure occurs within the United States, the law applies domestically and does not trigger the presumption against extraterritoriality. Even if the Second Circuit were right that the SCA focuses on “user privacy,” the government argues, “any invasion of privacy occurs within the United States” when Microsoft produces it to the government for examination, not when Microsoft transfers data to a U.S. server.

Microsoft rejects the government’s theory, arguing that the easiest reading of the law is that the SCA protects communications stored in the U.S. It’s the “Stored Communications Act”, after all; its focus is on storage. Microsoft argues that Section 2703 in particular focuses on protecting “communications in electronic storage” from government intrusion. In this case, that intrusion occurs overseas, but it violates foreign sovereignty and “is a Government-initiated intrusion upon the account owner’s property rights all the same.”

Microsoft also makes an institutional point. Because the government’s view would potentially cause conflicts with foreign laws and sow international discord, Congress is the better suited to address this issue than the courts. The government responds by saying that Microsoft’s concerns about international comity are overstated.

There is also a dispute about nomenclature. Microsoft points to the fact that the SCA refers to “warrants” and concludes that this order cannot operate abroad, since warrants in criminal investigations generally do not. The government responds by noting that this “warrant” actually functions more like a subpoena; the government is not rooting around Microsoft’s servers the way they would under a traditional warrant, but instead relying on Microsoft’s compliance, much in the way the firm might comply with a subpoena. If the production order operates like a subpoena, the government says, the relevant “test for the production of documents is control, not location.”

There is also a dispute about the policy implications of the case. The government argues that allowing corporations to place data outside the purview of law enforcement would “introduce arbitrariness to the statutory scheme” and pose an “insurmountable barrier to U.S. law enforcement’s securing of critical evidence.” Microsoft’s rejoinder, as it alludes in its cert petition, is that Congress, not the court, should resolve the government’s concerns about “the ill fit between the SCA and today’s globally interconnected world.” It references pending legislation considering the matter, notably the International Communications Privacy Act and a proposal from the Justice Department that evolved into the CLOUD Act.

A number of Lawfare writers have analyzed the case. Orin Kerr wrote that Microsoft should have challenged the government over the All Writs Act, not the SCA, and last Friday, shared final thoughts before the argument. Over at SCOTUSBlog, Andrew Keane Woods foretold of three themes present in Microsoft that won’t go away with the Supreme Court’s decision. Sharon Bradford Franklin previewed the congressional debate that is likely to ensue. Authors have also covered related topics: Dillon Reisman laid out the technical underpinnings of data localization, and Woods and Peter Swire assessed the CLOUD Act, the Senate’s latest proposal to fix cross-border data problems—and one that would moot Microsoft.

We’ll continue to cover the case through the court’s decision; stay tuned.