Privacy, Risk Management

Microsoft wins data protection case before Second Circuit

Microsoft wins in Second Circuit

On the heels of a recent Third Circuit decision protecting the data collection practices of Google, the Second Circuit Court of Appeals ruled today that a U.S. law enforcement agency could not compel a provider of communications services to disclose the content of digital information stored outside the United States.

The Stored Communications Act (“SCA”) authorizes the Government to seek the contents of stored communications that are more than 180 days old, using a subpoena, court order, or warrant.  Relying on the SCA, the underlying warrant directed Microsoft “to seize and produce the contents of an e-mail account that it maintains for a customer who uses the company’s electronic communications services” after it “found probable cause to believe that the account was being used in furtherance of narcotics trafficking.” Opinion at 4 – 5.

Microsoft argued below that the issued search warrant would require an extraterritorial search and seizure of data stored in Microsoft’s data center in Ireland.  According to Microsoft, absent express authorization, statutes are presumed to have no extraterritorial effect and given the lack of such statutory authorization, the warrant should have been quashed.

On April 24, 2014, Magistrate Judge James Francis of the District Court for the Southern District of New York sided with the government, saying that the order to produce the emails stored in Ireland was “not a conventional warrant; rather, the order is a hybrid: part search warrant and part subpoena [and] It has long been the law that a subpoena requires the recipient to produce information in its possession . . . regardless of the location of that information.” Opinion at 12 – 13.  Microsoft successfully argued that given there was no such authorization, the Government could not execute a search and seizure in Ireland or otherwise force Microsoft itself to produce the data.

Given the recently implemented EU Privacy Shield, forcing U.S. service providers to turn over data stored abroad would have certainly led to new headaches for transnational corporations – which is likely why there were so many filing amicus filings in this case.   Notwithstanding the fact this case involved a narcotics case that could have benefited from the emails sought from Microsoft, the Second Circuit correctly interpreted the SCA and avoided potential turmoil for companies still looking to get solid footing for their international privacy programs.