Article: Decision Holds That Search Warrant Cannot Compel Data Stored Overseas, Morgan, Lewis & Bockius, July 2016
Authors: Mark Krotoski，Ellie Chapman
Can law enforcement issue legal process in its home country to compel the production of data on a server in another country? Given the global sharing of data, this novel issue is particularly important in antitrust cases as international companies often store data in different jurisdictions.
On July 14, 2016, Microsoft and other US-based internet service providers prevailed at the US Court of Appeals for the Second Circuit, which held that the company is not required to comply with a federal search warrant for customer emails stored on a server in Dublin, Ireland. The ruling was the first by a federal court of appeals to address the extraterritoriality of the Stored Communications Act (SCA) often used in government investigations to obtain data. The Second Circuit overturned the lower court’s ruling which had ordered that the data outside the US be produced.
Microsoft Corp. v. United States implicates numerous emerging legal issues intersecting with international data privacy, including antitrust, which frequently involves the government requesting data stored overseas.
Our article provides some initial observations and highlights a number of open questions following the landmark opinion. One open question is the precedential value of the ruling. Presently, the ruling only applies to federal courts in the Second Circuit (Connecticut, New York, and Vermont). Other federal courts are not bound by the new ruling and may reach other conclusions.
In fact, since the ruling, the US Justice Department has asked judges outside the Second Circuit to reject the new ruling. Recently, on February 3, 2017, Magistrate Judge Thomas J. Reuter of the Eastern District of Pennsylvania ordered Google to comply with search warrants for emails stored overseas. A judicial split on this issue is emerging.
Another open question is whether the US Supreme Court or Congress will intervene to clarify the SCA. Some judges have invited congressional action.
Our article discusses how the ruling avoids a major conflict between EU and Irish laws that protect personal data located in Ireland from being delivered to US law enforcement through a warrant from the United States.
The article further highlights the broader fight between Silicon Valley (and other technology companies) and Washington over how much authority the government has to force technology companies to provide data in investigations.
Finally, our article notes that the scope of the government’s authority to compel the production of data will continue to turn on the particular facts of the case. The manner in which the data is obtained and stored abroad can vary. In the Microsoft Corp. case, the data was automatically stored in Ireland based on the user’s country code. Upon the transfer of the data to Ireland, “all content and non‐content information associated with the account in the United States” was deleted from US-based servers. The question of where data is actually located at any given time becomes particularly challenging when one considers the various and complex methods of data storage.
The full impact of this landmark ruling remains to be seen.