Internet & Communications Law Blog Essay

Microsoft Ireland Argument Analysis: Data, Territoriality, and the Best Way Forward

Yesterday, the Supreme Court heard arguments in the Microsoft Ireland case – the high-profile dispute between Microsoft and the United States regarding the reach of the warrant authority under the Stored Communications Act.   The more than 30-some amicus briefs filed in the case highlight the case’s significance.  With good reason.  The outcome matters to our security, our privacy, and the economy, as well as the balance of power between nations in their ability to control access to data and hence the rules that apply.

Does It Matter Where Microsoft Stores Your Emails?

The dispute dates to December 2013, when the federal government served a warrant on Microsoft pursuant to section 2703 of the Stored Communications Act (SCA), demanding emails associated with a particular email account.  Microsoft refused to comply on the grounds that the data was stored on a server in Dublin, Ireland; that the warrant only had territorial reach; and that, therefore, the government’s demand was an impermissible exercise of its warrant authority.  The government fought back, arguing that Microsoft, as a Washington-based company, could access the data from within the United States, that the data would be disclosed in the United States, and that this was therefore a territorial – and perfectly permissible – exercise of its authority under the SCA.

The magistrate and district court judges sided with the government.  But the Second Circuit reversed, ruling on Microsoft’s side.  And the Supreme Court granted cert, even in the absence of a circuit split.

At its core, the case requires the Court to divine the intent of the 1986 Congress that enacted the SCA – and to determine whether or not the Congress intended the warrant authority to reach data that is stored outside the United States, yet controlled and accessed by a U.S.-based company acting from within the United States.  This, however, is a fact pattern not even imaginable to the drafters of the legislation.  At the time, the notion of the “cloud” – with companies like Microsoft, Google, and Facebook holding and manipulating data in data centers distributed across the world – was the stuff of science fiction.

In the absence of any legislative clarity, the Court’s first task is to ascertain the statute’s “focus,” per the Court’s past precedent (see Morrison v. Nat’l Australia Bank and RJR Nabisco v. European Community).  On this, the parties are in sharp disagreement.  The government says the focus is on disclosure, which occurs in the United States, making the warrant at issue a territorial (and permissible) application of the statute.  Microsoft says the statutory focus is on the security of stored communications; what matters is where the emails are stored, making this an extraterritorial (and impermissible) exercise of the statute.

Oral Argument Highlights

While it wasn’t at all obvious from yesterday’s argument how the Court would ultimately rule, there were three discussion points that are of particular note.

First, both the government and Microsoft agreed that Congress, not the Court, is best placed to resolve the dispute.  And remarkably, both parties support the same piece of legislation — the bipartisan CLOUD Act that was introduced in the Senate earlier this month — as the best way forward.  Several of the Justices seemed to agree.  (As do I.)

If the CLOUD Act is passed before the Court rules, it would moot the case.  Specifically, the CLOUD Act clarifies that the warrant authority is not limited by data location, as the government has urged in the case.  (Microsoft would thus be required to turn over the data in this case if the CLOUD Act were law.) But the legislation also sets up a statutory mechanism for providers to move to quash a warrant, in certain limited circumstances, if the United States is seeking the data of a foreigner located outside the United States and the request conflicts with foreign law.  In such situations, courts would be statutorily required to consider a range of factors in deciding whether to enforce the warrant – including the location and nationality of the target, the importance of the evidence to the investigation, and the likelihood of accessing the evidence through alternative means that avoid a conflict with foreign law.  The proposed legislation also explicitly acknowledges the availability of so-called common law comity claims in situations in which the statutory provisions do not apply.

Second, and relatedly, common law comity provides a way forward, even in the absence of legislation.  As the government emphasized, a win for the government does not mean that the United States could simply demand the production of any data without limit.  After all, Justices Breyer and Kagan emphasized yesterday that it is possible that a U.S. government request for data could create a conflict of laws – with the United States compelling production and another country prohibiting it.  (Notably, however, no such conflict of laws with Ireland has been asserted in this case.)  In such cases, courts could and should conduct a comity analysis before deciding whether to enforce the warrant, as the Deputy Solicitor General, Michael Dreeben, also emphasized.  Specifically, courts could and should weigh the relative interests of the United States and the foreign government, considering the kinds of factors laid out in the CLOUD Act such as the location and nationality of the target and the possibility of accessing the data through other means that avoid such conflicts.

Third, Justice Alito gets credit for the most apt statement of the day: “The whole idea of territoriality is strained.”  This is not to say that territoriality is unimportant.  It is.  But the cross-border movement and storage of data raises questions about what kinds of territorial links really matter.  As Justice Alito pointed out: If the target of the investigation “is not Irish and Ireland played no part in your decision to store the information there and there’s nothing that Ireland could do about it if you chose tomorrow to move it someplace else, it is a little difficult . . .  to see what Ireland’s interest is in this.”

Put another way, the idea that there is an inherent sovereign interest in the 0s and 1s stored on one’s soil is increasingly hard to support. Data, after all, is highly mobile; it is divisible, meaning that a single email account may be broken up so that the bodies of emails are stored in one location and the attachments in another, potentially in a place far from the account owner.  The country where the data is stored may not have any connection to the account holder or to the particular crime being investigated.  Moreover, the account owner may not even know where his or her data is stored; these are decisions often made by the large multinational companies that manage our data, rather than the individual user (all issues I discuss in much more detail here and here).

Data, Doctrine, and the Court

Over the past several years, the Court has been remarkably adept at recognizing the ways in which data requires an updating of the doctrine in order to preserve the underlying values that the doctrine is intended to protect.  In United States v. Jones in 2012, several Justices recognized the qualitative and quantitative difference between the physical tracking of movements on the open streets and the electronic tracking enabled by GPS tracking.  Whereas 24/7 surveillance by law enforcement officers personally tracking a target’s public movements does not trigger the Fourth Amendment, long-term GPS monitoring might, given the ease and potential pervasiveness of such monitoring.  Two years later, in Riley v. California, a unanimous Court refused to extend the longstanding doctrine permitting a search incident to arrest to cellphones taken from the arrestee.  As the Court emphasized, the analogy to searches of containers or address books found on the person simply did not hold with respect to smart phones, given the quantity and quality of information accessible from a phone.

A similar rethinking is needed in this case as well.  After all, the relevant sovereign interests that the presumption against extraterritoriality is meant to protect are increasingly decoupled from the location of the actual data, instead turning on factors like the location and nationality of the target.  In other words, just because the data is in Ireland doesn’t mean that Ireland has any normative interest in the data or that its sovereign interests are invaded if the U.S. government, via a probable cause warrant served on Microsoft, accesses it.

The CLOUD Act recognizes this reality.  It separates access to data from the question of where the data happens to be held.  Fingers crossed that Congress acts quickly, thereby mooting the Supreme Court case.

If not, the Court should rule in a similar way.  It should recognize that the location of data should not dictate access, as Justice Alito seemed to argue, while at the same time highlighting the importance of comity if and when such demands for data create a conflict of laws.  Such a ruling would minimize the kind of international discord that has been warned of, while also setting the kind of precedent the United States would and should demand when foreign governments seek U.S.-held data.