Microsoft won a victory today when a federal appeals court narrowly declined to rehear a case involving attempts by the U.S. Justice Department to access customer data stored on a Microsoft server in Ireland.
The decision means that, at least for now, U.S. authorities can’t use the Stored Communications Act (SCA) to access customer data stored outside the country. It also creates the possibility the feds will seek an appeal to the U.S. Supreme Court.
“We welcome today’s decision,” Microsoft president and chief legal officer Brad Smith said in a statement. “We need Congress to modernize the law both to keep people safe and ensure that governments everywhere respect each other’s borders.”
The U.S. Court of Appeals for the Second Circuit denied a hearing en banc (by the entire court) in what’s come to be called the Microsoft Ireland case. A panel of judges on that court ruled in July that a warrant issued under Section 2703 of the SCA can’t compel American companies to produce data stored on servers outside the U.S.
The government in October filed a petition for rehearing by the entire Second Circuit. With today’s denial, its only recourse is to seek an appeal to the Supreme Court. The high court grants only about 1 percent of such requests.
The case began in 2013 when a federal trial judge issued a warrant demanding that Microsoft produce all emails in an account the company hosted. The emails were stored on a server located in a Dublin data center. Microsoft refused to produce the emails, arguing that a U.S. judge has no authority to issue a warrant for information stored abroad.
In May 2014, a federal magistrate judge disagreed with Microsoft and ordered the company to turn over the emails after finding reason to believe they contained evidence of a crime. Microsoft appealed to the District Court for the Southern District of New York, which affirmed the decision. Microsoft then appealed to the Second Circuit, which reversed, siding with Microsoft.
The dispute hinges on interpretations of the SCA, as part of the broader Electronic Communications Privacy Act that Congress passed in 1986. It was designed to “protect user privacy in the context of new technology that required a user’s interaction with a service provider,” according to the ruling. The Second Circuit noted the original law did not consider overseas application and failed to anticipate the complexity of today’s technological landscape.
The judges in the rehearing request split evenly on whether to grant a rehearing en banc, four in favor and four against, with three recusing themselves.
The key question in the case, wrote Judge Susan Carney in today’s concurring opinion, is “whether Microsoft’s execution of the warrant to retrieve a private customer’s electronic data, stored on its servers in Ireland, would constitute an extraterritorial application of the SCA in light of the statute’s ‘focus.'” She concluded that the “focus” is user privacy, not data location.
She addressed the difficulties of pinning down the “locus” of privacy, “given the ease with which data can be subdivided or moved across borders and our now-familiar notion of data existing in the ephemeral ‘cloud.’ But, mundane as it may seem, even data subject to [lightning] recall has been stored somewhere, and the undisputed record here showed that the ‘somewhere’ in this case is a data center firmly located on Irish soil.”
Finally, she lamented the SCA’s antiquity but noted that Congress can extend the law’s warrant procedures to cover foreign-data situations if it wishes.
One dissenter attacked Carney’s approach as “unmanageable and increasingly antiquated,” because online data’s being located in a particular place is “outdated.” Wrote Judge Dennis Jacobs, “Localizing the data in Ireland is not marginally more useful than thinking of Santa Claus as a denizen of the North Pole.”
Another dissenter, Judge Jose Cabranes, wrote in a separate opinion, “The panel majority has indisputably, and severely, restricted ‘an essential investigative tool used thousands of times a year [in] important criminal investigations around the country.'” Criminals can now choose to store their data overseas to shield it from SCA warrants, he wrote.
The case is Microsoft v. U.S., No. 14-2985.