On February 27, 2018, the Supreme Court heard oral arguments in a case that will affect the security of data stored in the cloud. At issue in United States v. Microsoft is whether a U.S. based digital communications provider must comply with a warrant for user data stored on servers located outside of the U.S. This case is being heard against the backdrop of Congressional debates regarding proposed amendments to Section 2703 of the Stored Communications Act – some of which are tailored to address this very issue.
The Stored Communications Act governs the proper disclosure of electronic communications and allows for criminal as well as civil remedies for improper disclosure. It was enacted as Title II to the Electronic Communications Privacy Act.
Back in 2013, the Government served Microsoft with a warrant for emails and account information for an account suspected to be involved in a drug-trafficking investigation. Microsoft provided the information stored on the U.S. servers, but refused to provide the additional information and emails stored on the Dublin, Ireland servers.
The district court approved the warrant and held Microsoft in contempt for its refusal to provide the foreign data. On appeal, however, the Second Circuit unanimously reversed the district court’s approval and vacated the contempt order.
Overview of Arguments
Microsoft argues that allowing Section 2703 to extend to data being stored on servers outside the U.S. was not contemplated by Congress and would ignore principals of international comity as well as treaties.
The Government contends that Section 2703 is a tool necessary for law enforcement operations and to construe it to prevent disclosure of foreign data would impede such operations. The crux of the Government’s argument is that where the data is stored should not control for extraterritorial analysis. Rather, the controlling principle is where the disclosure of the data occurs. The Government also relies heavily on recasting a Section 2703 warrant as a subpoena, despite legislative history and the plain text of the statute providing evidence that Congress did not intend for a Section 2703 warrant to operate in such a fashion.
Decreased data privacy is a potential result if the Supreme Court sides with the Government. Microsoft, and a number of commentators, have raised the possibility that if the U.S. is not willing to honor international treaties addressing data privacy, then other countries may also unilaterally circumvent similar obligations so as to reach data stored within the United States. This poses an issue for U.S. and non-U.S. citizens alike who rely on private companies maintaining the security of sensitive personal data.
A ruling allowing a Section 2703 warrant to reach into a sovereign country also threatens to implicate and in some instances, violate that sovereign country’s own laws. As Ireland is a member of the European Union, data stored within Ireland is subject not only to Ireland’s laws, but is also afforded protections against disclosure under the General Data Protection Regulation (GDPR). Such protections cannot be overlooked, as disclosure of data in violation of the GDPR could serve as a basis for a civil cause of action in Ireland.
Stay tuned for an additional blog post analyzing the relevant EU data privacy provisions in light of this dispute.