SCOTUS Takes Up Government Access to Microsoft Overseas Emails


By Daniel R. Stoller

Digital privacy is at the heart of a case the U.S. Supreme Court agreed Oct. 16 to review, on whether law enforcement agencies can force U.S. companies to turn over customer data stored abroad (United States v. Microsoft Corp., U.S., No. 17-2, review granted 10/16/17).

Companies that store data overseas, including Microsoft Corp., Alphabet Inc.'s Google, and Amazon.com Inc., are often served with Stored Communications Act probable cause warrants from U.S. law enforcement authorities demanding they turn over customer communications stored in overseas data centers. The Supreme Court here will consider a U.S. Court of Appeals for the Second Circuit July 2016 ruling that Microsoft didn’t have to turn over emails related to a drug case stored in an Irish data center. The U.S. Department of Justice sought review and 33 states supported the request.

If the justices overturn the Second Circuit, the overseas operations of companies will be significantly impaired, Paul Rosenzweig, former deputy assistant secretary for policy at the Department of Homeland Security and a visiting fellow at The Heritage Foundation, told Bloomberg Law. A ruling upholding the appeals court would “boost their competitiveness, especially in Europe.”

The case provides the opportunity for the high court to address issues that are significant in the privacy versus public safety debate, and provide clarity for federal trial courts outside the Second Circuit’s jurisdiction that have largely rejected the approach taken by the appeals court and ordered companies to turn over data. But the case presents complex technology and public policy issues that Congress is in a better position to effectively address.

Changing Technology

The Second Circuit in January denied the government’s request to have the full court reconsider the initial panel ruling. The dissenting judges’ opinions, which echo the DOJ’s arguments, said that since the warrant was served on a U.S. company and the data would be retrieved from within the U.S., Microsoft should turn over the information pursuant to the valid SCA warrant.

The DOJ’s focus on the ability of the company in the U.S. to control the release of the data may not be as simple as it first sounds. The data transfer and storage technologies at play in the Microsoft case aren’t universal and include options where the location of data isn’t easily determined or controlled by the company located in the U.S.

“The wrinkle now is technology,” because internet service providers don’t use the same ways to move data around the world, Craig Newman, chairman of the privacy and data security practice at Patterson Belknap Webb & Tyler LLP in New York, told Bloomberg Law. The Microsoft case involves relatively static data storage issues, not technology used by others that segments data and keeps it in constant motion. “Technology has clearly eclipsed the pace of the law.”

It is unclear whether these technological issues underlying the case will gain the court’s attention.

“I am not sure the court will even understand the tech well enough to judge it,” Rosenzweig said.

Legislative Fix

Regardless of how the Supreme Court rules, the tech sector, bipartisan lawmakers, and law enforcement agencies agree that Congress should move to update the 30-year-old email privacy law, the Electronic Communications Privacy Act, of which the SCA is a subset. Several ECPA-update bills have been introduced in Congress in 2017.

A legislative solution is necessary, Microsoft President and Chief Legal Officer Brad Smith said in an Oct. 16 blog post. “The current laws were written for the era of the floppy disk, not the world of the cloud. We believe that rather than arguing over an old law in court, it is time for Congress to act by passing new legislation.”

Congress may be in the best position to address and balance competing public policy interests.

There is a need to carefully balance “security, privacy, competitiveness, and foreign affairs,” Rosenzweig said.

Other Implications

Overturning the Second Circuit’s ruling could have implications for how Europeans view the U.S. commitment to privacy. The EU-U.S. Privacy Shield program relied on by more than 2,500 U.S. companies to more easily transfer personal data outside the EU is undergoing its first annual review and EU officials are focused on privacy indicators across the board.

“A ruling in DOJ’s favor would likely add weight to Europeans’ concerns about the safety of their citizens’ personal information in the hands of U.S. companies, and thus further complicate the already complicated outlook for transatlantic data transfers,” Alex Pearce, a privacy and data security compliance attorney at Ellis & Winters LLP in Raleigh, N.C., told Bloomberg Law.

Microsoft and others have also argued that a ruling in favor of the government would embolden other countries to demand access to data stored in the U.S.

A ruling for DOJ “will open the floodgates to demands from foreign governments that companies that store data in the U.S. disclose it under foreign legal process,” Greg Nojeim, director of the freedom, security, and technology project at the Center for Democracy and Technology, told Bloomberg Law.

The DOJ declined Bloomberg Law’s request to comment.

To contact the reporter on this story: Daniel R. Stoller in Washington at dstoller@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
