Consumer Protection & Privacy

Troutman Sanders LLP: Can Content-Based Communications Located Overseas Be Reached Via The Stored Communications Act?

In an oral ruling from the bench, Judge Lorraine Preska of the Southern District of New York recently affirmed Magistrate Judge James Francis IV’s April 25, 2014 decision – Matter of a Warrant to Search a Certain Email Account Controlled and Maintained by Microsoft Corporation, (S.D.N.Y. Jul. 31, 2014), [enhanced opinion available to subscribers] - and rejected Microsoft Corporation’s bid to quash a warrant for the search of an Irish user’s content-based information, which was located in a Microsoft data center located in Ireland.

As you may remember from our previous posts, the Stored Communications Act, 18 USC §§ 2701 through 2711, represents, among other things, an attempt at balancing the privacy rights of individuals who expect that their electronic information will remain private against the government’s legitimate interest in gaining access to such information during criminal investigations.

In a way, the SCA can be thought of as granting individuals a right to privacy in their electronic communications that supplements the protections already contained within the Fourth Amendment.  While individuals have a civil cause of action when their electronic information is disclosed in violation of the SCA, the SCA is most properly thought of as a limitation on the investigatory power of the government.  Section 2703, the section at issue in Microsoft warrant matter, pertains only to governmental entities, and it distinguishes between requests for content and non-content information.

Importantly, and relevant here, Section 2703 contains an exception to the general prohibition against the disclosure of content (as opposed to non-content information) information that is stored with electronic communications services, such as Microsoft.  This is because of the commonly held belief, evidenced in the provisions of the SCA itself, that customers have greater privacy rights to the content of their electronic communications than they do to non-content information.

In its efforts in to resist the search warrant, Microsoft contended, among other things, that the warrant was governed by Federal Rules of Civil Procedure 41, which prevents courts from issuing warrants for search and seizure of property beyond United States borders (such as the user’s content-based information that was located in the data center in Dublin).  This is because Section 2703 of the SCA states that, in obtaining a warrant under the SCA, the Government must “use the procedures described in the Federal Rules of Civil Procedure.”

Judge Francis conceded that the SCA’s “language [wa]s ambiguous [because]…[t]he words “using the procedures described in the Federal Rules of Criminal Procedure” could be construed to mean, as Microsoft argues, that all aspects of Rule 41 are incorporated by reference…including limitations on the territorial reach of a warrant issued under that rule.  But, equally plausibly, the statutory language could be read to mean that while procedural aspects of the application process are to be drawn from Rule 41…more substantive ones are derived from other sources.”

In considering the statutory structure, relevant history, and congressional purpose, Judge Francis determined that “hybrid” aspects of SCA warrants—namely, that they are somewhat like a subpoena in that they are executed by the internet service provider (ISP) itself, rather than by the government sending federal agents to the ISP to themselves obtain the information—suggests that the SCA “does not implicate principles of extraterritoriality.”

In the lower court, Magistrate Judge Francis also seemed concerned about the fact that another electronic communications service, not before the Court, had in the past made public statements that it was exploring the possibility of establishing “offshore” server farms that would be beyond the territorial jurisdiction of any nation.

Accordingly, Judge Francis found that the SCA warrant should be viewed as being more akin to a subpoena, where the relevant question is whether the information is under the possession, custody, or control of the  recipient—regardless of the location of the information sought.

In the appeal before Judge Preska, Microsoft, as well as a number of other technology firms who would likely be deemed electronic communications services under the SCA and had  submitted amicus curie briefs to the Court, argued that the possession, custody, or control test applied by Judge Francis would offend foreign countries, as it did not take into account the concerns that foreign nations might have about giving the United States government access to their citizens’ data.  Microsoft further argued that this was a not a speculative concern, as the European Commission has publicly stated that its policy is that data should not be sent to United States law enforcement authorities outside of formal channels such as Mutual Legal Assistance Treaties.

Judge Preska, however, affirmed Judge Francis’ decision, finding that the relevant question was whether Microsoft, a domestic entity, exerted control over the information sought under the warrant—not where the information was located.  Judge Preska reiterated that there was no extraterritoriality concern because Microsoft was located within the jurisdiction of the Court.

The ruling may be viewed by some as eviscerating the statutory and constitutional protections that the drafters of the SCA intended to incorporate into Section 2703, in favor of the civil litigation standard of possession, custody, and control (and the efficiencies that come with the application of that standard).

What does this ruling mean?  While the decision is stayed while Microsoft appeals to the Second Circuit, if the Second Circuit affirms, electronic communications services such as Microsoft maybe placed in an uncomfortable position—if they comply with the “control” interpretation of the SCA advanced by Judges Francis and Preska, and produce a user’s content-based information that is located overseas, they may very well be subjecting themselves to liability abroad.  This is particularly the case where the information (or user) is located in Europe, as Europe takes the position that individuals have significantly greater privacy rights in their electronic communications than are recognized in the United States.  This appears to be yet another way in which the diverging privacy regimes of Europe and the United States are making it difficult for multinational corporations to operate.

For more information, please contact Aurora Cassirer or Christina H. Bost Seaton

About Troutman Sanders

Troutman Sanders is an international law firm with offices in North America, Europe and Asia. Founded in 1897, the firm’s heritage of extensive experience, exceptional responsiveness and an unwavering commitment to service has garnered strong, long-standing relationships with clients across the globe. These clients range from multinational corporations to individual entrepreneurs, federal and state agencies to foreign governments, and non-profit organizations to businesses representing virtually every sector and industry.

Troutman Sanders lawyers provide counsel and advice in practically every aspect of civil and commercial law related to the firm’s core practice areas: Corporate, Finance, Litigation, Public Law and Real Estate. With more than 50 practice groups focused on specific aspects of these areas, the firm is defined by its considerable knowledge base and proactive approach to addressing legal and business challenges.

For more information about LexisNexis products and solutions, connect with us through our corporate site.