When a court ruled that the US government could not force Microsoft to turn over emails stored in a Dublin data centre, it was hailed as a victory for the cloud. Mason Hayes & Curran explains how this successful appeal came down to a single word.
A US appeals court recently handed down a groundbreaking privacy decision, bringing the three-year Microsoft warrant saga to an apparent end.
On 14 July 2016, the US Court of Appeals for the Second Circuit sided in favour of Microsoft, deciding that Microsoft has no obligation to disclose email content stored on its Dublin servers to US authorities.
One of the key factors that swayed the court was the traditional meaning of the term ‘warrant’. The court held that the use of the term ‘warrant’ implies that its application is confined solely to matters within the bounds of the United States.
The decision has been celebrated by many in the technology industry as a victory for personal privacy but it has also raised a number of additional issues.
The Microsoft saga
In short, the case concerned the nature and reach of a warrant issued under the US Stored Communications Act (SCA) – a law that was developed in 1986 to extend the privacy protection of electronic records.
The case began in late 2013 when a federal magistrate in New York granted, under the SCA, a search warrant for data held by Microsoft. The warrant was issued as part of an ongoing investigation into narcotics trafficking.
Microsoft unsuccessfully challenged the warrant in front of the issuing magistrate. It then appealed this decision to the District Court, but the magistrate’s ruling was confirmed by the District Court. Subsequently, Microsoft brought a further appeal before the Court of Appeals. This appeal provides the context of the current decision.
Warrants, subpoenas and hybrids
The decision of the court can ultimately be attributed to the determination of two questions. One, whether the wording of the SCA contemplates a warrant’s application outside US borders; and two, if not, whether the US government’s application of the SCA warrant is actually extraterritorial and beyond the intention of the law.
In the US, there is a legal presumption that US laws only apply domestically, a point that was particularly highlighted by the US Supreme Court in Morrision (2010). According to the court in the current case, this is a “strong and binding” presumption. The court could not find any indication of Congress’s positive intent that the SCA was meant to reach beyond the bounds of the US.
On the first question, the court held that the SCA does not apply to territories outside of the United States. On the second question, the court noted that the US government had conceded an oral argument that the warrant provisions of the SCA do not contemplate overseas application. Still, the court sought to consider the meaning of the rules.
Congress’s use of the term ‘warrant’ in the SCA, the court highlighted, underlined the domestic boundaries of the Act. A warrant is a term of art and, according to the court, a term “endowed with a legal lineage that is centuries old”. Focusing again on the intention of Congress, the court considered that the use of the term was intended to invoke its “traditional, domestic connotations”.
‘The term ‘warrant’ is endowed with a legal lineage that is centuries old’
– US COURT OF APPEALS
One of the core arguments made by the US government was that the warrant in question should be viewed as a “hybrid” of a traditional warrant and a subpoena. This arose from the fact that a subpoena – a binding request for the production of documents – can require the collection and production of information located overseas. Nevertheless, the court fundamentally rejected this view, explaining that warrants and subpoenas “have long been distinct legal instruments” and that the terms are not used interchangeably within the SCA. To highlight this point, the court emphasised the cascading nature of the SCA’s protections, with the term ‘warrant’ denoting a greater level of protection to stored content while the term ‘subpoena’ indicated a lesser degree of protection.
Moreover, the court’s views diverged from those of the US government on a number of additional fronts.
First, the court disagreed with the application of the 1983 Marc Rich case, in which the disclosure of foreign-located records was ordered. In particular, the court found that Marc Rich did not provide any basis for applying law developed in the context of subpoenas to SCA-based warrants.
Furthermore, the US government sought to rely upon a number of past US cases involving banks and the disclosure of their overseas records. However, the court found that such instances were not comparable to Microsoft’s case, particularly given the fact that – according to the US Supreme Court – bank depositors have no protectable privacy interests in bank documents.
The court’s decision
In light of its findings, the court concluded that the SCA warrant may not be lawfully used to compel Microsoft to produce email content stored in its Dublin data centre.
The court’s verdict was celebrated as a victory for personal privacy with Brad Smith, Microsoft president and chief legal officer, stating, “It tells people they can indeed trust technology as they move their information to the cloud.”
However, with the resolution of one problem, another emerges. With so much data today being stored using cloud services, there remains the open questions as to when, why, and how such information should be made available to investigating law enforcement. The traditional search and seizure powers of the state, developed over many years, do not sit well in an era of cloud computing. The parties to the case are in agreement that the 1986 rules are outdated and a review of these laws is badly needed to address the discrepancy.
‘I concur in the result, but without any illusion that the result should even be regarded as a rational policy outcome, let alone celebrated as a milestone in protecting privacy’
– JUDGE GERARD LYNCH, US CIRCUIT COURT
Microsoft itself, in a statement released after the court’s decision, called on all stakeholders to support legislative action in this area, including a new International Communications Privacy Act which has been put before Congress and has the potential to solve the current impasse.
In addition, it is worth noting that the court did not come to its conclusion based on a new theory of privacy practices in the cloud – instead, the case turned on technical questions of statutory interpretation.
Perhaps the current situation is best summated by Circuit Judge Gerard Lynch – one of the judges behind the ruling – who stated, “I concur in the result, but without any illusion that the result should even be regarded as a rational policy outcome, let alone celebrated as a milestone in protecting privacy.”
The content of this article is provided for information purposes only and does not constitute legal or other advice.
Tech Law is a weekly series brought to you by Irish law firm Mason Hayes & Curran, whose legal tech team advises the world’s top social media organisations and emerging start-ups. Check out www.mhc.ie for more.