On July 14, 2016, the U.S. Court of Appeals for the Second Circuit issued a landmark decision addressing a number of important issues of national sovereignty and electronic privacy. See Microsoft v. United States, No. 14-2985.   The Court held that U.S. law only authorizes the government to seek disclosure of electronic communications (such as emails) stored within the territory of the United States, and that any disclosure of information stored abroad must be obtained pursuant to a Mutual Legal Assistance Treaty or the laws of the country in which the data is stored.

The core question in the Microsoft case was whether the U.S. government can compel a U.S. company to produce data stored on a server in a foreign country. The government had issued a warrant demanding that Microsoft turn over the contents of an email account belonging to a Microsoft customer. But all of the data in question was stored on a server in Ireland, and was thus subject to the heightened data privacy protections of Irish and European Union law.

The government argued that this warrant was permissible because it was directed to a U.S. company to produce records in its custody. According to the government, a federal court has authority to order the production of documents located abroad as long as it has personal jurisdiction over the person in possession or control of the material. Just as the government may compel private citizens to produce records of bank accounts held in Switzerland, the government argued here that it could compel Microsoft to produce information about its customers regardless of where those records were stored.

Microsoft, in contrast, argued that the government was impermissibly seeking to apply U.S. law extraterritorially—i.e., beyond the boundaries of the United States. When data is stored in a foreign country, it becomes subject to the electronic privacy laws of that country, as well as any bilateral Mutual Legal Assistance Treaty. Thus, if the U.S. government forced Microsoft to produce information stored abroad, the company could find itself in the impossible position of being forced to violate either foreign law (by disclosing data that is protected by the laws of the country where the data is stored) or U.S. law (by refusing to comply with the warrant).  At the very least, Microsoft argued that the relevant statute—the Electronic Communications Privacy Act (ECPA), 18 U.S.C. §§2701 et seq.—should not be construed as applying extraterritorially because Congress did not clearly indicate an intent for this law to apply beyond U.S. borders.

A federal district court held that the government can compel Microsoft to produce content stored in Ireland, but the Second Circuit reversed. The court held that “Microsoft has the better of the argument” because ECPA “[n]either explicitly nor implicitly … envision[ed] the application of its warrant provisions overseas.” The government had argued that it may compel disclosure of data stored in Ireland because no statute prohibits it from doing so, but the Second Circuit found that this argument “stands the presumption against extraterritoriality on its head.” The Second Circuit also rejected the government’s reliance on case law regarding subpoenas because no court has ever “upheld the use of a subpoena to compel a recipient to produce an item under its control and located overseas when the recipient is merely a caretaker for another individual or entity that … has a protected privacy interest in the item.” And the court further noted that its holding “serves the interests of comity” by preventing conflicts between U.S. law and the electronic privacy laws of other countries. In short, “to enforce the Warrant, insofar as it directs Microsoft to seize the contents of its customer’s communications stored in Ireland, constitutes an unlawful extraterritorial application of [ECPA].”

The Second Circuit’s decision provides critical and much-needed guidance to all stakeholders about the territorial reach of U.S. law and the electronic privacy protections that apply to e-mails that cross national borders. At the same time, however, much more still needs to be done to update and modernize the law in this critical area. As Judge Lynch emphasized in a concurring opinion, it is ultimately Congress’ responsibility to update the law in this area “with a view to maintaining and strengthening the Act’s privacy protections, rationalizing and modernizing the provisions permitting law enforcement access to stored electronic communications …, and clarifying the international reach of those provisions after carefully balancing the needs of law enforcement … against the interests of other sovereign nations.” Despite the Second Circuit’s decision, a comprehensive update of ECPA and other electronic privacy protections is long overdue.

* * * * *

Viet D. Dinh is the former Assistant Attorney General for Legal Policy at the U.S. Department of Justice, and the founding partner of Bancroft PLLC in Washington, DC.  Bancroft serves as counsel to Microsoft but the views expressed in this piece are solely Mr. Dinh’s.