August 4, 2014
On July 31, 2014, Chief U.S. District Judge Loretta A. Preska of the Southern District of New York ruled that the government can use a search warrant issued under the Stored Communications Act ("SCA") to gain access to digital information within the control of a U.S.-based internet service provider but stored on a foreign server. Under Judge Preska’s ruling, service providers must comply with SCA warrants regardless of where the information is actually stored. Specifically, Chief Judge Preska’s ruling adopts the findings of Magistrate Judge James C. Francis IV, who rejected a bid by Microsoft Corp. to quash an SCA warrant directing Microsoft to produce customer email content stored on a server located in Ireland.
Chief Judge Preska’s ruling is limited on its face to the Fourth Amendment context of government search and seizure, but the issues raised have potentially far-reaching implications for companies storing large amounts of digital information, especially those that store such information abroad. Because of the novelty and importance of the issues raised, Chief Judge Preska stayed her ruling pending Microsoft’s appeal to the Second Circuit.
I. Background
According to the decision, Microsoft stores email message data, including both content information (e.g., the substance of an email and its subject line) and non-content information (e.g., the sender’s email address, recipient’s email address, and the date and time of transmission), at datacenters in various locations in the United States and abroad. Where a particular user’s information is stored depends on a number of factors. But because the quality of service degrades the farther a user is from the datacenter housing his or her account, efforts are made to assign each account to the datacenter nearest to the email subscriber’s location. Certain non-content information remains in the United States, however, regardless of whether an account is stored abroad.
In September 2010, Microsoft began to store data for certain web-based email accounts in a datacenter in Dublin, Ireland, which is leased and operated by Microsoft’s wholly owned Irish subsidiary. Microsoft alleges that user content information for Outlook.com accounts stored in Dublin resides on a specific server in the Dublin datacenter, and that it does not exist in any form in the United States. Regardless of where the email message data is stored, however, it is accessible to Microsoft’s employees in the United States.
On December 4, 2013, the Magistrate Judge issued a search warrant under the SCA in response to an application from the United States. The warrant directs Microsoft to search for and produce information associated with a specific Microsoft web-based email account "anywhere in the world." After receiving the warrant, Microsoft determined that the content data associated with the target account was hosted in Microsoft’s Dublin datacenter. Microsoft produced to the government the non-content information and address book data that was located in the U.S., but did not produce the user content located in Dublin.
On December 18, 2013, Microsoft moved to quash the warrant to the extent it purported to authorize a search and seizure of the content located in Ireland. On April 25, 2014, the Magistrate Judge denied Microsoft’s motion, and on May 6, Microsoft appealed to the District Court, which reviewed the Magistrate Judge’s Order de novo.
II. The Parties’ Arguments
Microsoft argued, first, that neither the Electronic Communications Privacy Act ("ECPA") nor any other source of law authorizes the court to issue a search warrant for information outside the United States. Interpreting the ECPA to authorize searches and seizures outside the United States would, Microsoft argued, violate both the Morrison presumption against extraterritoriality and the Charming Betsy requirement of some "affirmative expression of congressional intent to abrogate the United States’ international obligations" before construing a statute to do so. Congress has never expressed any such intent with respect to the ECPA, according to Microsoft. Microsoft also argued, second, that in any event, the warrant violates the Fourth Amendment’s requirement that all warrants specify with particularity the place to be searched and the things to be seized by purporting to require that Microsoft search all digital information within Microsoft’s possession anywhere in the world.
Microsoft’s position was supported by amicus curiae briefs from other major digital service providers, including Verizon Communications, Inc., AT&T Inc., Cisco Systems, Inc., and Infor, as well as privacy group the Electronic Frontier Foundation. Amici argued, among other things, that (1) the SCA should not be given extraterritorial effect; (2) the Magistrate Judge’s ruling would harm American businesses–especially U.S. technology companies, undermine international agreements and understandings, and spur retaliation by foreign governments; (3) a search and seizure takes place where the data is stored and from where the data is obtained, not where the data is observed, reviewed, or analyzed by law enforcement; and (4) international law, international comity, conflicts of law, state sovereignty, and U.S. agreements and treaties–including existing Mutual Legal Assistance Treaties ("MLATs")–must be considered.
In response, the government argued that the warrant properly requires Microsoft to disclose data under its control, regardless of where Microsoft has chosen to store the data. As the government argued, Section 2703 of the SCA–enacted as part of the ECPA in 1986–empowers the government to require the disclosure of records by electronic communications service providers such as Microsoft by subpoena, order, or warrant. If it proceeds under an SCA warrant, the government can require the disclosure of all email data from an account that is within the possession and control of a U.S.-based company, so long as the company is served with appropriate legal process. Microsoft’s position, the government argued, is contrary to the plain text and structure of the SCA, which reflects Congress’ intention that SCA warrants operate as a form of compulsory process–functionally similar to subpoenas, rather than physical search warrants issued under Rule 41 of the Federal Rules of Criminal Procedure.
With respect to the issue of extraterritorial application, the government argued, first, that nothing in the legislative history of the SCA indicates Congress intended to impose territorial limits on SCA warrants. To the contrary, since the warrant is a form of compulsory process, it is not limited by the physical location of the records and may not be resisted on the ground that the requested materials are located abroad. In the government’s view, there is no reason to believe that Congress intended the SCA to abrogate longstanding precedent holding that a recipient of compulsory process in a federal criminal investigation may be compelled to produce documents under its control regardless of location. Second, the government argued, the warrant does not even implicate the presumption against extraterritoriality or Charming Betsy because it does not criminalize or regulate any conduct in a foreign country, it merely compels Microsoft to disclose responsive materials within its control to law enforcement agents located in the United States. In other words, the government argued that the relevant territory is the location of the ISP, not the location of the data.
Finally, the government argued that the warrant satisfies any possible application of the particularity requirement by specifying a particular email account to be searched. In the government’s view, the requirement that a warrant particularly describe the "place to be searched," like other provisions of the Fourth Amendment, is "practical and not abstract" and therefore must be applied in a "commonsense and realistic fashion," which in this case required no more than identification of the electronic account containing the data to be reviewed.[1]
III. The Court’s Findings
During the hearing, Chief Judge Preska repeatedly asked how the case before her was different from cases applying the Bank of Nova Scotia doctrine, which permits the government to use a subpoena to compel a bank that does business in the U.S. to turn over records held by a branch of the same bank in a foreign country. Microsoft argued that the bank records cases were distinguishable because they involved customer data maintained by the banks as business records. Amici argued that the more appropriate analogy is serving a warrant on the U.S. branch of a bank to compel the production of a safe deposit box stored in foreign branch because emails are owned by the subscriber, not the ISP. On the other hand, the government argued that the distinction was immaterial, and that relevant inquiry is whether the respondent has control over the records in–and can produce them from–its location in the U.S.
Chief Judge Preska agreed with the government’s position, and adopted Magistrate Judge Francis’s findings from the bench. With respect to Congress’ intent regarding whether SCA warrants are intended to reach material stored abroad, Chief Judge Preska noted that the "structure [and] language [of the SCA], [the] legislative history, [and] Congressional knowledge of precedent, including the Bank of Nova Scotia doctrine, all lead to the conclusion that Congress intended in this statute for ISPs to produce information under [the warrant recipient’s] control, albeit stored abroad, to law enforcement in the United States." In Chief Judge Preska’s view, "[I]t is a question of control, not a question of the location of that information," which is consistent with Magistrate Judge Francis’s ruling that the relevant inquiry for a SCA warrant is the same as a nonparty subpoena under Federal Rule of Civil Procedure 45, i.e., the party’s custody or control over the documents is determinative.
Chief Judge Preska also concluded that the warrant did not represent "an extraterritorial application of United States law." Chief Judge Preska also found that the warrant would not be an intrusion on a foreign sovereign, quoting a passage in the Restatement (Third) of Foreign Relations Law § 442(1)(a), which states that "[a] court or agency in the United States, when authorized by statute or rule of court" is empowered to "order a person subject to its jurisdiction to produce documents, objects, or other information relevant to an action or investigation, even if the information or the person in possession of the information is outside the United States."
IV. Implications
Though the decision is based in the government search and seizure context, it potentially has substantial implications for technology and other companies hosting customer data both inside and outside the United States. Cloud computing and web-based email services are growing in importance, and U.S. and foreign companies, governments, and individuals are housing vast quantities of valuable, sensitive, and confidential data in locations around the world. Many of these storage centers are located in jurisdictions with different or even incompatible regulations and laws protecting the privacy of digital information. Chief Judge Preska’s holding has potential implications for the way data privacy protections intersect with the practices of U.S. and foreign companies that store, access, and protect digital information. The anticipated appeal to the Second Circuit should provide further guidance regarding the transnational reach and data privacy implications of SCA warrants.
________________________
[1] The question of specificity of SCA warrants in the age of email is another issue currently dividing federal courts. Some magistrate judges have declined to issue warrants for all emails in a particular account without any additional limitations, such as date ranges, key words, targets of communication, and the like. See, e.g., In re [REDACTED]@gmail.com, Case No. 5:14-mj-60655-PSG, Dkt. 2 (N.D. Cal. May 9, 2014). In the context of civil litigation, using search terms and dates to limit the volume of e-discovery is common-practice and the magistrate judges appear to be borrowing from their experience of resolving civil discovery disputes to limit the volume of electronic data that the government may obtain pursuant to a SCA warrant. Interestingly, in the present case, Magistrate Judge Francis also looked to the Federal Rules of Civil Procedure to determine the extraterritorial reach of SCA warrants. This raises the question of which aspects of civil discovery courts will look to when determining the scope of SCA warrants as the prevalence of electronic data in criminal proceedings finally catches up to its civil litigation cousin.
* * * * *
Gibson Dunn attorneys Orin Snyder, Alexander H. Southwell, Thomas G. Hungar, and Jane Kim represented Amicus Curiae Infor.
Gibson, Dunn & Crutcher’s lawyers are available to assist in addressing any questions you may have regarding these issues. Please contact any member of the Gibson Dunn team, the Gibson Dunn lawyer with whom you usually work, or the co-chairs of the firm’s Transnational Litigation Practice Group or its Information Technology and Data Privacy Practice Group:
Transnational Litigation Practice Group:
Randy M. Mastro – New York (+1 212-351-3825, [email protected])
Theodore J. Boutrous, Jr. – Los Angeles (+1 213-229-7000, [email protected])
Scott A. Edelman – Los Angeles (+1 310-557-8061, [email protected])
Andrea E. Neuman – New York (+1 212-351-3883, [email protected])
William E. Thomson – Los Angeles (+1 213-229-7891, [email protected])
Perlette Michèle Jura – Los Angeles (+1 213-229-7121, [email protected])
Information Technology & Data Privacy Practice Group:
M. Sean Royall – Dallas (+1 214-698-3256, [email protected])
Debra Wong Yang – Los Angeles (+1 213-229-7472, [email protected])
Alexander H. Southwell – New York (+1 212-351-3981, [email protected])
© 2014 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.