Client Alert

Second Circuit Rules that Emails Stored Outside of the United States May be Beyond the Government’s Reach

22 Aug 2016

Microsoft recently emerged victorious in a much-discussed and closely followed case about the scope of the U.S. government’s authority with regard to search warrants issued pursuant to the Stored Communications Act, 18 U.S.C. § 2701 et seq. (SCA). For now, at least, this ruling means that the U.S. government likely can no longer compel, via warrant, U.S.-based companies to produce stored communications, such as emails, that are stored in a physical location outside of the United States. Instead, the government will need to rely on Mutual Legal Assistance Treaties, which provide a framework for states to obtain assistance from one another to, among other things, obtain and execute search warrants in their respective jurisdictions. Nevertheless, it is likely that the U.S. government will seek an alternative, which could include appealing the case to the Second Circuit en banc or possibly pursuing legislation in Congress to amend and update the SCA in light of new digital realities.

Background on the SCA and the Microsoft Dispute

The SCA limits how service providers that store user data, such as Microsoft, can disclose that information. In particular, a service provider can disclose certain information to the government, such as information about a customer’s email account and the stored content of a customer’s emails, only if the government obtains a warrant requiring the service provider to disclose such information. See id. at § 2703(b)(1). In Microsoft v. United States, No. 14-2985 (2d. Cir. Jul. 14, 2016),the government did obtain a warrant, pursuant to the SCA, seeking information about an email account, including the emails stored in the account itself and the emails sent from the account.

Microsoft challenged the scope of the warrant—or, in other words, what it was compelled to disclose in light of the warrant that the government duly obtained.[1] Microsoft had produced information that it stored in the United States, but—having determined that the email account itself was hosted in Dublin and that the contents of the emails were thus stored there—moved to quash the warrant on the grounds that the SCA, and therefore the warrant, did not authorize a search and seizure outside of the territory of the United States.

Summary of the Second Circuit Ruling

The Second Circuit reached its decision by essentially answering three questions:

  • What is a warrant under the SCA? Is it like a quasi-subpoena that would require a company to produce documents or information under the company’s control, regardless of where the information may be physically located? Or is it truly a warrant that only provides the governmentthe right to conduct a search or obtain documents or information based on the statutory authority underlying the warrant (i.e., the scope of the SCA itself)?
  • What is the scope of the SCA?  If the scope of the warrant is limited to the scope of the SCA, then the next and vitally important question is whether the authority of the SCA is limited to the United States or extends extraterritorially.  If the SCA does not extend beyond the borders of the United States, then the warrant would not either.
  • What action was required pursuant to the warrant, and did that action take place in the United States? Even assuming the SCA is confined to the territory of the United States and the warrant is therefore limited by the scope of the SCA, the court still had to address where the seizure of the emails would actually occur. Microsoft had the technical ability to access the emails from the United States, but the court addressed where the emails themselves were actually located, i.e., in the United States or in Dublin, a foreign jurisdiction.

The court agreed with Microsoft and found that the warrant was not enforceable outside of the boundaries of the United States, and that because the emails were stored outside of the United States and would need to be accessed outside of the United States, they could not be extracted from Dublin under the SCA.

The Scope of an SCA Warrant

First, Microsoft argued that the warrant contemplated by the SCA is not a “hybrid” of a warrant and a subpoena but, rather, purely a warrant. This distinction mattered because a subpoena may require the production of communications stored overseas, while a warrant may be more limited. A subpoena can be served on a company and call for materials within the company’s possession and control, regardless of where the information may be physically located.[2] A warrant, by contrast, only provides the government with a right to conduct a search or obtain documents or information.[3] That right cannot extend beyond the scope of the statutory authority forming the basis for the warrant. And, because the warrant was authorized under the SCA, if it were truly a warrant, it would therefore only encompass the authority to obtain information covered by the SCA (as opposed to all information within Microsoft’s possession).

The district court had reasoned that the SCA warrant was like a subpoena because, as characterized by the Second Circuit, “it is executed by a service provider rather than a government law enforcement agent, and because it does not require the presence of an agent during its execution.” In other words, the government apparently simply served the warrant to Microsoft, and Microsoft then searched for and provided relevant materials to the government (albeit withholding some of them). The government does not execute an SCA warrant itself by conducting a search and seizing the emails directly in the same way that it may search a house and seize a personal computer, for example.

In any event, the Second Circuit reasoned that the warrant called for by the SCA—the warrant required for a service provider to make a disclosure to the government under the SCA—is, indeed, the term of art “warrant.” As a result, the court concluded that no law developed in the subpoena context could be imputed into the SCA warrant, and the scope of the search would be limited by the scope of the SCA’s authority. Therefore, the fact that Microsoft was physically located in the United States and subject to the jurisdiction of the SCA generally was not relevant. Instead, the operative issue is what conduct—what services—provided by Microsoft are subject to the SCA and thus subject to a warrant issued under the SCA.

The court then turned to question of the scope of the SCA. If the SCA does not reach outside of the United States, the court reasoned, the warrant could not reach outside of the United States either. The court concluded that the SCA does not “contemplate or permit extraterritorial application.” The court reasoned that the “focus” of the SCA’s warrant provisions as “protecting the privacy of the content of a user’s stored electronic communications.” Microsoft at *33. In other words, the SCA is intended to protect the privacy of individuals in connection with the seizure of the emails, and that privacy protection is intended to apply within the United States. As a result, the activity permitted pursuant to any SCA warrant—i.e., a search of emails in spite of those privacy protections—also must apply only within the United States. Based on this analysis, the court had “little trouble” concluding that executing the warrant with respect to the emails stored abroad would constitute “an unlawful extraterritorial application” of the SCA. Id. at *39.

Third, the court confirmed that the activity at issue would, indeed, occur outside of the United States. The government had argued, and the magistrate judge had agreed, that the warrant imposed obligations on Microsoft to act only within the United States. Microsoft technicians sitting at their desks in the United States had the physical and technological capability to access the emails stored on servers outside the United States and then provide them to the government as authorized by the warrant. The court disagreed, reasoning (in part) that “the data is stored in Dublin, that Microsoft will necessarily interact with the Dublin datacenter in order to retrieve the information for the government’s benefit, and that the data lies within the jurisdiction of a foreign sovereign [i.e., Ireland].” Id. at *40. In other words, even if Microsoft accessed the emails from a U.S. workstation, the actual seizure of the emails would occur on a server in Dublin—outside of the United States—and the SCA warrant authorizing the seizure cannot apply to that information because it applies only to information stored within the United States.

Aftermath and Implications

The case was closely watched because of privacy concerns raised by other governments, particularly in the European Union, and by interested advocacy groups. A number of U.S.-based technology and media companies, as well as trade associations, advocacy groups, and the government of Ireland itself, filed amicus briefs in favor of Microsoft’s position in the case. In particular, the Irish government’s brief argued that Ireland facilitates cooperation with other states in fighting crime, has enacted legislation giving effect to a large number of international treaties and instruments providing for mutual legal assistance in criminal matters, and that the government would consider, as expeditiously as possible, a request for assistance under such a treaty. In return, the brief argued, “[f]oreign courts are obliged to respect Irish sovereignty.”

This ruling will provide comfort for U.S. companies that provide stored communications services, such as email, on a global basis. For now, at least, the information held by U.S.-based service providers belonging to individuals that indicate they are not located in the United States does not appear to be directly accessible to U.S. law enforcement through the use of warrants under the SCA—provided that the information is not stored in servers within the territory of the United States. Even with this ruling, however, debates about cross-border data transfers and data access are far from resolved. In particular, while U.S.-based cloud services providers will have stronger arguments that information in data centers based in European Union countries is less exposed to U.S. government access, the SCA is just one of many mechanisms by which the U.S. government can access information; there are other mechanisms that are, indeed, subpoena-based and thus not subject to the same strict territorial analysis.

Furthermore, the court did, however, leave open how the SCA warrant provisions would apply to data stored abroad but related to U.S. citizens or residents. In light of this issue, while the U.S. legal regime has typically been territorially based, in the cloud-based digital age, a bright territorial line may not be viable. One possibility, therefore, would be for the United States to transition to a regime roughly analogous to the European approach, which would change the focus from the physical location of the data to the physical location of the data subject (i.e., where the individual resides, as opposed to where the emails reside). Otherwise, a singular focus on the location of the information itself may spur more governments to implement data localization requirements to ensure that those governments can access information about their residents. In turn, increased localization requirements can undermine the ability to deliver cloud‑based services, including email services, and thus, ironically, would be just as detrimental to service providers as the prospect of a globalized SCA was prior to the Second Circuit’s decision.

In light of these considerations, it remains to be seen how the U.S. Justice Department, as well as other governments and industry, will respond. In the near term, possibilities include a legislative fix or an appeal, which would most likely be to the Second Circuit en banc in light of the current eight-member Supreme Court and the possibility of a 4-4 split decision, which would leave the Second Circuit’s ruling in place. Regardless of what happens, it is clear that we have not seen the end of the debate over the reach of government authority in the digital age, nor over the concept of jurisdiction and territoriality when information can move across borders—and be moved across borders—in the blink of an eye.

[1] Microsoft did not prevail on its motion before a magistrate judge nor before a district court judge in the Southern District of New York. See In re Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corp., 15 F. Supp. 3d 466 (S.D. N.Y. 2014).

[2] Relevant precedent provides that “a defendant subject to the personal jurisdiction of a subpoena-issuing grand jury could not ‘resist the production of [subpoenaed] documents on the ground that the documents are located abroad’,” Microsoft at *30, citing Marc Rich & Co., A.G. v. United States, 707 F.2d 663, 667 (2d Cir. 1983)).

[3] As some commentators have noted, this entire dispute elides some peculiar assumptions about the SCA. For instance, a warrant authorizes a search and seizure, but it does not operate to compel a party to produce information. All of the parties to this dispute appear to assume that Microsoft was compelled to produce information in response to the warrant, but it is never entirely clear why a warrant would operate of its own force on a private entity. And, while the SCA bars a service provider from making certain disclosures, if the information ostensibly stored outside of the United States is not subject to a warrant issued under the SCA, it would appear to follow logically that the information itself is not subject to the SCA, including its restrictions on disclosures.



Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our Privacy Policy, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.