In a case closely watched by privacy advocates, on July 14, the Second Circuit Court of Appeals held that the Stored Communications Act (“SCA”) does not authorize U.S. law enforcement authorities to order U.S.-based companies to turn over customer e-mail content that is stored exclusively outside the United States.
In the case, Microsoft v. United States of America, Microsoft challenged a warrant requiring it to turn over customer data, including the content of emails, held on a company server in Ireland. The company argued that the SCA, one of the component statutes of the Electronic Communications Privacy Act (“ECPA”), was not intended to provide U.S. law enforcement authorities with such extraterritorial authority. The United States argued that it has authority to require the disclosure of such content, wherever it is located, as long as it is subject to the company’s custody or control.
Microsoft has argued that the U.S. Government’s position threatens user privacy both internationally and domestically, noting that foreign governments could make similar requests for content stored on U.S.-based servers. Microsoft has also called on the United States to utilize existing legal processes, including Mutual Legal Assistance Treaties, when seeking data stored outside the United States.
In today’s decision, the Second Circuit held that:
[W]e think that Microsoft has the better of the argument. When, in 1986, Congress passed the Stored Communications Act as part of the broader Electronic Communications Privacy Act, its aim was to protect user privacy in the context of new technology that required a user’s interaction with a service provider. Neither explicitly nor implicitly does the statute envision the application of its warrant provisions overseas. Three decades ago, international boundaries were not so routinely crossed as they are today, when service providers rely on worldwide networks of hardware to satisfy users’ 21st–century demands for access and speed and their related, evolving expectations of privacy.
This case has been closely watched by many companies who have already felt the business impacts of international mistrust of U.S.-based cloud service providers. Twenty-eight companies and twenty-three trade associations signed on to amicus briefs in support of Microsoft’s position.
The Second Circuit’s decision observes that “[i]n enacting the SCA, Congress expressed a concern that developments in technology could erode the privacy interest that Americans traditionally enjoyed in their records and communications.” Thirty years later, the case highlights many of the challenges faced by companies using technologies not contemplated at the time that the laws governing access to electronic information were drafted. Companies are expected to uphold user privacy rights, while also abiding by lawful requests from governments. Ultimately, the Second Circuit’s decision may bolster the arguments of advocates on both sides who are pushing Congress to reform ECPA.