Microsoft Corp. v. United States
Microsoft Corp. v. United States, known on appeal to the U.S. Supreme Court as United States v. Microsoft Corp., was a data privacy case involving the extraterritoriality of law enforcement seeking electronic data under the 1986 Stored Communications Act, Title II of the Electronic Communications Privacy Act of 1986 (ECPA), in light of modern computing and Internet technologies such as data centers and cloud storage.
|Microsoft Corp. v. United States|
|Court||United States Court of Appeals for the Second Circuit|
|Full case name||In the Matter of a Warrant to Search a Certain E‐Mail Account Controlled and Maintained by Microsoft Corporation|
|Argued||September 9, 2015|
|Decided||July 14, 2016|
|Subsequent action(s)||Vacated by the U.S. Supreme Court as United States v. Microsoft Corp., No. 17-2, 584 U.S. ___ (2018), after the controversy was mooted by passage of the CLOUD Act (March 2018)|
|Reversed. Warrant quashed and civil contempt ruling vacated|
|Judge(s) sitting||Susan L. Carney, Gerard E. Lynch, Victor A. Bolden (District Judge)|
|Stored Communications Act of 1986|
In 2013, Microsoft challenged a warrant by the federal government to turn over email of a target account that was stored in Ireland, arguing that a warrant issued under Section 2703 of the Stored Communications Act could not compel American companies to produce data stored in servers outside the United States. Microsoft initially lost in the Southern District of New York, with the judge stating that the nature of the Stored Communication Act warrant, as passed in 1986, was not subject to territorial limitations. Microsoft appealed to the United States Court of Appeals for the Second Circuit, who found in favor of Microsoft by 2016 and invalidated the warrant. In response, United States Department of Justice appealed to the Supreme Court of the United States, which decided to hear the appeal.
While the case was pending in the Supreme Court, Congress passed the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which amended the SCA to resolve concerns from the government and Microsoft related to the initial warrant. The Supreme Court, following agreement from both the government and Microsoft, determined the passage of the CLOUD Act and a new warrant for the data filed under it made the case moot and vacated the Second Circuit's decision.
As part of the investigation into a drug-trafficking case in December 2013, a United States magistrate judge in the United States District Court for the Southern District of New York issued a warrant under the Stored Communications Act of 1986 (SCA) requiring Microsoft to produce all emails and information associated with an account they hosted. While the information was held on Microsoft's United States servers, the emails were stored on a server in Dublin, Ireland, one of numerous servers Microsoft operates located around the world.
Microsoft complied with providing the account information but refused to turn over the emails, arguing that a U.S. judge has no authority to issue a warrant for information stored abroad. Microsoft moved to vacate the warrant for the content held abroad on December 18, 2013. In May 2014, a federal magistrate judge, reviewing the history of the SCA (which had not been amended since its passage), disagreed with Microsoft and ordered it to turn over the emails, reasoning that unlike a typical warrant, SCA warrants function as both a warrant and a subpoena, and thus are not restricted by territorial constraints. The magistrate judge considered that Microsoft had control of the material outside the United States, and thus would be able to comply with the subpoena-like nature of the SCA warrant.
Second Circuit opinionEdit
Microsoft then appealed to the Second Circuit. Several United States-based technology, publishers, and individuals submitted amicus briefs supporting Microsoft's position. The Irish government also filed a brief in support of neither party. The Irish government considered that the U.S. government's action violated both the European Union's Data Protection Directive and Ireland's own data privacy laws, and maintained the emails should be disclosed only on request to the Irish government pursuant to the long-standing mutual legal assistance treaty (MLAT) between the U.S. and Ireland formed in 2001; the government offered to consider such a request in an expedited manner for this case. Jan Philipp Albrecht of the European Parliament filed an amicus brief in support of Microsoft, stating that should the court grant execution of the warrant, it could "extend the scope of this anxiety to a sizable majority of the data held in the world’s data centers outside the U.S."
In the appeal to the Second Circuit, the three-judge panel unanimously overturned the lower court's ruling in July 2016, and invalided the government's warrant. The panel primarily focused on the extraterritoriality of the SCA, using a two-pronged test. Circuit Judge Susan L. Carney wrote the opinion of Court with District Court Judge Victor A. Bolden. Circuit Judge Gerard E. Lynch wrote a concurring opinion. The court relied heavily on the United States Supreme Court's 2010 ruling in Morrison v. National Australia Bank that the "longstanding principle of American law that legislation of Congress, unless a contrary intent appears, is meant to apply only within the territorial jurisdiction of the United States" applies in all cases. The Second Circuit found no mention of extraterritorial application in the SCA nor in its legislative history. The court said the SCA's use of the term "warrant", as a term-of-art, suggested a specific territory. It also concluded that the primary focus of the SCA was protecting the privacy of users of electronic services.
In his concurrence, Judge Lynch noted that there was nothing in the record to indicate whether the owner of the e-mails being sought was a U.S. citizen or resident. He agreed with the government that the term "warrant" only implied the need for issuance under Fourth Amendment standards, rather than suggesting it was a search warrant with a specific place. He also noted that Microsoft chose to store the e-mails in Ireland based on the account holder's unverified statement of residence and on Microsoft's business interest in minimizing network latency. No one disputed that if Microsoft had chosen to store the emails in the U.S., the warrant would have been valid. While he agreed with the majority that the presumption against extraterritoriality, as clarified in Morrison, was decisive in this case, he did not believe it to be an optimal policy outcome and called on Congress to clarify and modernize the SCA.
The U.S. government filed a petition for an en banc rehearing by the Second Circuit in October 2016. In January 2017, the full court split 4-4 on a vote to rehear the case, leaving in place the judgement in favor of Microsoft. Circuit Judge Jose Cabranes, who wrote in dissent, wrote that the held decision "has substantially burdened the government’s legitimate law enforcement efforts; created a roadmap for the facilitation of criminal activity; and impeded programs to protect the national security of the United States and its allies", and called on a higher court or the U.S. Congress to rectify the outdated language of the SCA.
Separately from its appeal, the U.S. Government has had at least one other ruling in its favor, and specially against the decision of the Second Circuit Court, for similar extraterritorial requests under the SCA. In February 2017, federal magistrate judge, presiding over a District Court within the Third Circuit, ruled that Google must comply with a government warrant to turn over data from foreign servers. The magistrate judge rejected Google's reliance on the current standing from the Microsoft case, and stated in his opinion that the scope of the invasion of privacy for the case was entirely within the United States, and not where the electronic transfer of the data occurs, making the SCA warrant enforceable.
The U.S. Department of Justice filed an appeal with the Supreme Court in June 2017. Deputy Solicitor General Jeffrey Wall argued that the Second Circuit's order has led Microsoft, Google, and Yahoo! to deny law enforcement officials with requested information stored on servers outside the United States, hampering numerous criminal investigations. The Department was joined by 33 states in support. Microsoft argued that the Court should not take the case, and instead that Congress should deal with updating the language of the outdated 1986 law.
Recording of oral arguments before the Supreme Court.
Problems playing this file? See media help.
The Supreme Court granted certiorari in October 2017. The case, United States v. Microsoft Corp., was heard by the Court on February 27, 2018 with a ruling originally expected by the end of the Court's term in June 2018.
While the case was being decided by the Supreme Court, Congress introduced the Clarifying Lawful Overseas Use of Data Act ("CLOUD Act") shortly after the oral hearings. Among other provisions, the CLOUD Act modified the SCA to specifically include cloud storage considerations of communication providers in the United States regardless of where the cloud servers may be located. The bill was supported by both the DOJ and Microsoft. In March 2018, Congress passed the CLOUD Act as part of an omnibus government spending bill, which was signed into law by President Donald Trump on March 22. By the end of March, the DOJ had issued a request for a new warrant for the original emails from the 2013 investigation under the new authority granted by the CLOUD Act, and no longer seeking resolution of the original warrant. It also requested that the Court vacate the case and remand it back to the Second Circuit, where the matter could then be rendered moot due to the passage of the CLOUD Act. Microsoft agreed with the DOJ's position. On April 17, 2018, the Court issued a per curiam opinion stating that the case was rendered moot and vacating and remanding the case back to the lower courts to dismiss the lawsuit.
References and sourcesEdit
- Barnes, Robert (October 16, 2017). "Supreme Court to consider major digital privacy case on Microsoft email storage". The Washington Post. Retrieved October 16, 2017.
- "In re Warrant to Search a Certain Email Account Controlled & Maintained by Microsoft Corp". harvardlawreview.org. Harvard Law Review.
- "Microsoft Ireland Case: Can a US Warrant Compel A US Provider to Disclose Data Stored Abroad?". cdt.org. Center for Democracy and Technology.
- "The "Microsoft Ireland" Case (Amicus Brief)". brennancenter.org. Brennan Center for Justice.
- "In re Warrant for Microsoft Email Stored in Dublin, Ireland". eff.org. Electronic Frontier Foundation.
- Scott, Mark (December 24, 2014). "Ireland Lends Support to Microsoft in Email Privacy Case". The New York Times. Retrieved April 4, 2018.
- Brier, Jr., Thomas (2017). "Defining the Limits of Governmental Access to Personal Data Stored in the Cloud: An Analysis and Critique of Microsoft Ireland". Journal of Information Policy. 7: 327–371. doi:10.5325/jinfopoli.7.2017.0327. JSTOR 10.5325/jinfopoli.7.2017.0327.
- Porter, Kathleen. "Microsoft versus the Federal Government; Round Three". jdsupra.com. JD Supra.
- "Brief For Ireland As Amicus Curiae In Support Of Neither Party". Electronic Frontier Foundation. December 23, 2014. Retrieved April 4, 2018.
Ireland Is Willing To Apply The MLAT Process To This Warrant...Ireland would be pleased to consider, as expeditiously as possible, a request under the treaty, should one be made.
- "Microsoft wins: Court rules feds can't use SCA to nab overseas data". Ars Technica. Retrieved October 16, 2017.
- Microsoft Wins Appeal on Overseas Data Searches, Nick Wingfield, Cecilia Kang, New York Times, July 14, 2016
- "Microsoft Corp. v. United States". Harvard Law Review. December 9, 2016. Retrieved October 16, 2017.
- "PETITION OF THE UNITED STATES OF AMERICA FOR REHEARING AND REHEARING EN BANC" (PDF). Retrieved December 8, 2016.
- "Court ruling stands: US has no right to seize data from world's servers". Ars Technica. Retrieved August 17, 2017.
- Stempel, Jonathan (January 24, 2017). "Microsoft victory in overseas email seizure case is upheld". Reuters. Retrieved October 16, 2017.
- Kerr, Orin (February 3, 2017). "Google must turn over foreign-stored emails pursuant to a warrant, court rules". The Washington Times. Retrieved October 17, 2017.
- "Does US have right to data on overseas servers? We're about to find out". Ars Technica. Retrieved July 20, 2017.
- Stohr, Greg (October 16, 2017). "Microsoft Email-Access Fight With U.S. Gets Top Court Review". Bloomberg Businessweek. Retrieved October 16, 2017.
- "Court adds four new cases to merits docket". SCOTUSBlog. Retrieved October 16, 2017.
- Jeong, Sarah (February 26, 2018). "What's at stake in the Microsoft Supreme Court case". The Verge. Retrieved February 26, 2018.
- Breland, Ali (August 1, 2017). "Senate bill would ease law enforcement access to overseas data". The Hill. Retrieved March 23, 2018.
- Brandom, Russell; Lecher, Colin (March 22, 2018). "House passes controversial legislation giving the US more access to overseas data". The Verge. Retrieved March 23, 2018.
- Stohr, Greg (March 31, 2018). "Justice Department Asks Court to Drop Microsoft Email Case". Bloomberg Businessweek. Retrieved April 2, 2018.
- Nakashima, Ellen (March 31, 2018). "Justice Department asks Supreme Court to moot Microsoft email case, citing new law". The Washington Post. Retrieved April 2, 2018.
- Hurley, Lawrence (April 3, 2018). "Microsoft calls for dismissal of U.S. Supreme Court privacy fight". Reuters. Retrieved April 4, 2018.
- "Supreme Court rules that Microsoft email privacy dispute is moot". Reuters. April 17, 2018. Retrieved April 17, 2018.
- SCOTUSblog page - contains links to briefs filed
- Microsoft's Brief to the Court of Appeals for the Second Circuit