On July 14, 2016, the Second Circuit Court of Appeals determined that a warrant issued under the Stored Communications Act (SCA) is subject to the same territorial restrictions as a traditional warrant: the government’s reach is limited to the United States and territories that it controls. The appeals court reversed a Southern District of New York ruling that had denied Microsoft’s motion to quash a warrant issued under the SCA, 18 U.S.C. §§ 2701 et seq.
The government, as part of a narcotics trafficking investigation, sought the contents of an email account of a Microsoft Outlook user. When providing customers with web-based access to email accounts, Microsoft stores the contents of each user’s emails, along with a variety of non-content information related to the account, on a network of servers. One of those networks is located in Dublin, Ireland. A magistrate judge issued the warrant at the government’s request, and Microsoft provided the information stored on U.S.-based servers. Microsoft did not, however, turn over data stored at the Dublin location and sought to quash the warrant for that data. The district court denied Microsoft’s motion.
Congress enacted the SCA in 1986 to provide privacy protections similar to the Fourth Amendment for online communications held by certain types of internet service providers. As a provider under the SCA, Microsoft may not disclose the electronic data of its customers to third parties, except in certain circumstances. Of relevance to this case, section 1703 of the SCA allows the government to compel disclosure of content and non-content electronically stored information “if the governmental entity obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure . . . by a court of competent jurisdiction.”
Opinion and Implications
The question before the Second Circuit was whether the term “warrant” in section 1703 carries with it the restrictions associated with a traditional search warrant that “protects privacy in a distinctly territorial way.” Concluding that the SCA’s “privacy focus is unmistakable” and that such territorial restrictions do indeed apply, the court held that a government warrant cannot compel disclosure of data held outside of the United States or a territory it controls. Importantly, the Second Circuit noted that “the invasion of the customer’s privacy takes place under the SCA where the customer’s protected content is accessed — here, where it is seized by Microsoft, acting as an agent for the government.” In a concurring opinion noting that the Department of Justice would likely ask Congress to amend the SCA to overturn the court’s decision, Circuit Judge Gerald Lynch called on Congress to strengthen the SCA’s privacy protections and clarify the international reach of the SCA, while balancing the needs of law enforcement and the interests of other nations.
The Second Circuit’s opinion was careful to emphasize the distinction between warrants and subpoenas and declined to address the reach of the SCA’s subpoena provision. Thus, it remains to be seen whether the court’s analysis and conclusion could impact legal process in other criminal contexts or in civil matters, and whether Congress will step in and legislate a different result. For now, internet service providers subject to the SCA have a good argument for refusing to disclose customer information held outside the U.S. in response to a government warrant. Companies served with other legal processes should continue to consider federal law as well as the laws of the jurisdictions where data is held.