Can U.S. law enforcement reach data stored oversees by using a warrant under the Stored Communications Act, 18 U.S.C. § 2701, et seq.? Until the Supreme Court decides the issue, which may happen next term, the answer is: it depends where the government applied for the warrant.
Over the last few years, U.S.-based technology companies have been increasingly resisting warrants under the Stored Communications Act for data those companies store oversees. These warrants, they claim, represent an extraterritorial application of the law, which Congress has never permitted.
Traditionally, if the government has probable cause to believe that a person’s email account contains evidence of a crime, and a federal magistrate judge agrees, a warrant would issue directing the email service provider to turn over those emails to the government. But data is increasingly stored in the “cloud.” And, as it turns out, the “cloud” consists of server farms located all over the world. Companies like Microsoft, Google, Amazon, Facebook, and Apple now host large quantities of data abroad, raising complicated jurisdictional questions.
A year ago, in Microsoft Corp. v. United States, the Second Circuit held that the U.S. Government cannot compel Microsoft to produce data stored on a server in Ireland, even with a Stored Communications Act warrant. In that case, the Department of Justice obtained a warrant for the production of the content of the electronic communications (emails) and certain non-content subscriber information (name, contact information, etc.) associated with a Microsoft email account. Treating the data as a “physical” object, the Second Circuit held that compelling Microsoft to turn over foreign data would be an extraterritorial application of the Stored Communications Act, which Congress did not sanction. The government has petitioned the Supreme Court for a writ of certiorari asking it to review the Second Circuit’s ruling next term.
Other courts have declined to extend the same reasoning. On April 19, 2017, a federal magistrate judge in San Francisco ordered Google to comply with a Stored Communications Act warrant directing it to hand over information related to a specified Google account holder. In the Matter of the Search of Content That is Stored at Premises Controlled by Google, 2017 WL 1487625 (N.D. Cal April 25, 2017). Much like Microsoft, Google reasoned that the warrant was invalid because it called for data stored overseas. The Court disagreed, finding that it did not matter where Google stored the data, as long as Google “is in the district and subject to the court’s jurisdiction” and “the warrant is directed to the only place where [Google] can access and deliver the information the government seeks.” Just last week, on August 14 a U.S. District Judge affirmed the decision, finding that the Stored Communications Act warrant was a “domestic application” of the statute because the data could be “easily and lawfully” accessed in the United States. The different holdings may encourage the Supreme Court to take up the issue.
The rulings create a great deal of uncertainty for businesses moving and storing data around the world, a challenge that is further complicated by the fact that Congress is considering updating the law, though the precise direction remains unclear. Notwithstanding the ongoing court battles, there is broad agreement that Congress needs to update the 30-year old Stored Communications Act given the explosive technological advancements of late. If the Supreme Court hears the Microsoft case, it may say just that, calling on Congress to update the law. Until that time, companies can expect and prepare for different outcomes in different jurisdictions.