Skip to Main Content.
  • Second Circuit Says Federal Warrant Cannot Be Used to Obtain Customer Data Stored Overseas in Cloud

On July 14, the Second Circuit ordered a lower court to quash a government warrant demanding that Microsoft turn over a user’s emails that resided on servers located in Ireland.  See Microsoft Corporation v. United States of America, No. 14-2985 (S.D.N.Y. July 14, 2016). 

The dispute concerned emails stored by a user of Microsoft’s web-based email service, outlook.com, which the government believed would show that the user was involved in drug trafficking.  A U.S. magistrate judge found probable cause and issued a warrant under Section 2703 of the Stored Communication Act (SCA).  Although Microsoft produced certain non-content information stored on its United States servers in response to the warrant, it filed a motion to quash the warrant as it pertained to the user’s emails which were stored on Microsoft’s servers located in Dublin, Ireland.

Even though the emails were stored in Ireland, Microsoft acknowledged that it could access and retrieve the data from its United States offices. The lower court denied Microsoft’s motion to quash and held Microsoft in contempt when it still refused to turn over the emails.  On appeal, the Second Circuit reversed the lower court’s decision, ordering the lower court to quash the warrant insofar as it called for Microsoft to produce user content stored outside the United States.

In its ruling, the Second Circuit concluded that the SCA’s warrant provisions were applicable only to searches conducted within the United States—that an SCA warrant had no extraterritorial application.  In so holding the Second Circuit relied on Rule 41 of the Federal Rules of Criminal Procedure (which are referenced by the SCA), which generally restricts the geographical reach of a warrant to within the United States. In addition, the court cited the presumption against extraterritorial application of United States laws unless there is a “clear indication”—not found here— that Congress intended extraterritorial application of the law.

Next, the court considered whether execution of the SCA warrant would be an extraterritorial application at all, given that “it is a rare case of extraterritorial application that lacks all contact with the territory of the United States.” In considering this question, the court first determined that Congress’s primary “focus” in enacting the SCA was on protecting privacy and content of a user’s stored electronic communications. Having determined this, the court concluded that requiring Microsoft to produce its customer’s emails would constitute an unlawful extraterritorial application of the SCA:

Because the content subject to the Warrant is located in, and would be seized from, the Dublin datacenter, the conduct that falls within the focus of the SCA would occur outside the United States, regardless of the customer’s location and regardless of Microsoft’s home in the United States.

Whether a court would prohibit enforcement of a subpoena (which are generally extraterritorial) for data located outside the United States remains to be seen.  The government had urged that an SCA warrant should be treated more like a subpoena since Microsoft, and not the government, would be the one actually conducting the search of its servers. The Second Circuit rejected the government’s argument, finding that “when the government compels a private party to assist it in conducting a search or seizure, the private party becomes an agent of the government.”  However, the court raised doubt as to whether even if treated as a subpoena, the search would be enforced noting that Microsoft had:

convincingly observe[d] that our Court had never upheld the use of a subpoena to compel a recipient to produce an item under its control and located overseas when the recipient is merely a caretaker for another individual or entity and that individual, not the subpoena recipient, has a protectable privacy interest in the item.

Takeaways from the case include the following:

  • The ability to access and retrieve data from within the United States is not dispositive.  The government had argued—and the lower court had agreed—that execution of the warrant did not require extraterritorial application of the SCA since the data could be accessed and retrieved from computers located within the United States. The court rejected this approach, noting that the data was physically located within the boundaries of a foreign sovereign.
  • The customer’s location and citizenship is not dispositive. The court noted several times throughout the opinion that the record was silent as to the citizenship and location of the customer. It acknowledged that the SCA’s focus on customer’s privacy might suggest that the customer’s actual location of citizenship would be important to the extraterritoriality analysis.  However, in the court’s view the invasion of the customer’s privacy takes place where the customer’s protected content is accessed—the location of the servers on which the data is stored—in this case, Ireland.

 

Practice Tip:  When responding to a government warrant requesting customer data, cloud service providers should carefully consider whether to turn over data stored on servers outside the United States.  In the Second Circuit at least—which includes Connecticut, New York, and Vermont—service providers are not required to turn over customer data located on servers outside the United States, even if the customer is located within the United States and even if the data is accessible and retrievable from computers located within the United States.  It remains to be seen whether other courts outside the Second Circuit will follow the Second Circuit’s lead.

For more information, contact Joe Dehner, or any other member of Frost Brown Todd’s Privacy & Data Security Team.