A kind person sent me the appeal decision in Microsoft v United States before the metaphorical ink was dry. Usually I could drop everything and deal with it, but its arrival coincided with one of those rare blog posts which had to be published that day, which had in turn been interrupted by an urgent request for something techy by someone entitled to make urgent requests. Accordingly, some useful and interesting articles had already been published about the decision before I had the chance to read its dense 63 pages. The last 20 pages, by Judge Gerard E Lynch, are, in some ways, the most interesting part – not a dissent from the conclusion but a slightly different route to it.
When I say that the decision is “dense” I mean it in the most complimentary way. Its analysis of the facts and the law makes almost every paragraph quotable, so I suggest that you read it for yourself. Perhaps find a quiet room and some strong coffee first, because the principles covered in the decision are complex – it is, of course, the nature of appeals to this level that they are concerned with complex things.
At one level, what matters most is its conclusion which reads as follows:
We conclude that Congress did not intend the SCA’s [the Stored Communications Act] warrant provisions to apply extraterritorially. The focus of those provisions is protection of a user’s privacy interests. Accordingly, the SCA does not authorize a U.S. court to issue and enforce an SCA warrant against a United States‐based service provider for the contents of a customer’s electronic communications stored on servers located outside the United States. The SCA warrant in this case may not lawfully be used to compel Microsoft to produce to the government the contents of a customer’s e‐mail account stored exclusively in Ireland. Because Microsoft has otherwise complied with the Warrant, it has no remaining lawful obligation to produce materials to the government.
The emphasis is mine. They are the words which make this seem, to some, a victory for privacy against government, and they represent the difference of opinion between Judge Lynch and the others.
As some of the learned articles make clear, the underlying paragraphs which led to this conclusion are less important than the prospective future implications. This subject – the right to privacy and the differing implications of ownership, control and, not least, the jurisdictional aspects – are part of wider issues being raised by the EU’s General Data Protection Regulation, by the new Privacy Shield, by the conflict between national security and individual privacy and, most recently, by the pending separation of the UK from the EU. They are all interrelated.
I will look at some of those articles, and then come back to the second part of the appeal decision, delivered by Judge Lynch.
Perhaps start with an article by Jeffrey Nagel at Gibbons called
Second Circuit reverses lower court Microsoft Decision and holds that email evidence stored abroad cannot be gathered pursuant to criminal warrant issued under Stored Communications Act. Jeffrey Nagel has long been an informed and reliable commentator on all aspects of cross-border data transfers and this article is an excellent brief summary if you can’t face all 63 pages of the decision itself.
Daniel Solove’s article is called Microsoft just won a big victory against government surveillance – why it matters. It matters, he says, for various reasons: the US should not be putting its companies in the position where they must violate the laws of other countries; if the original decision stood, then non-US citizens would choose service providers from their own country or, at least, from anywhere but the US, to the detriment of US providers; if the US government is seen to be “thumbing its nose of the laws of other countries” then other countries might start doing the same to the US; whatever the US government might like to think, there is no “US exceptionalism” and, if other countries start making similar demands, “what if their laws were ‘much less protected than US laws’?”
Daniel Solove sees the implications as including:
- Respect for foreign nations
- Better sharing with the EU and elsewhere
- Better outcome for US industry
- Impetus to reform relevant US laws.
The first of those points echoes a point made in the Sedona Conference International principles on eDiscovery, Disclosure and Data Protection. The idea of “US exceptionalism” has stood the US well, at least in its own eyes, since (I would say) 1918 when the US emerged as the only industrial power standing after the war, something which was reinforced in 1945. By default, the US then became the master of the internet, thanks as much to its technology skills and resources as to its actual position as a trading partner for others. That balance is changing, if not in favour of Europe then certainly in favour of growing Asia Pacific countries; this means more than just China, with Singapore showing that physical size is not the only factor in this evening out of technological skills and service provision.
Andrew Keane Woods goes even further in his article Reactions to the Microsoft warrant case with its sub-heading Privacy Paradox. This case is not, he says, an obvious “win” for privacy”, as many have suggested:
…it strikes me as odd that privacy advocates are celebrating a case that has the effect of holding that foreign search-and-seizure law should regulate access to the foreign servers of American firms
The potential reactions go wider than simply tit-for-tat demands for US documents, he says. The Microsoft decision “may incentivise states to pursue localisation policies or find other ways to get data that is extraterritorial and therefore … beyond the state’s jurisdictional reach”. The erection of additional jurisdictional barriers “increases the government’s desire to look for solutions elsewhere, including backdoors and mandatory localisation requirements”.
The article refers also to a pending agreement between the US and the UK whose discussions have hitherto been “pretty sleepy”. This case may change that.
There is more of the same kind in Andrew Keane Woods’ article. As with the Microsoft decision itself, there is little sense in my quoting too much of it when you can easily read it for yourself.
The Schrems decision woke the US authorities from their torpor and from the dreams of US exceptionalism, leading, pretty quickly (all things considered) to the Privacy Shield. The Microsoft decision may lead to some serious thinking about how the major trading nations of the world deal with the interconnections between nations, with the shift from physical trade to professional and financial services, and with the conflicting pressures of world security, international trade, and privacy.
I said I would come back to Judge Lynch’s separate opinion. He is in “general agreement” with the court’s conclusion but his reasons are slightly different. For one thing, he does not believe that upholding the warrant would “undermine the basic values of privacy as defined in the Fourth Amendment and in the libertarian traditions of this country”.
The warrant, he says, showed “probable cause”, that is, satisfied the court that a crime had been committed, to an extent which would have made it reasonable (and the degree of reasonableness matters in this context) to raid a home for evidence equivalent to that likely to be found on Microsoft’s Dublin servers. The government’s showing would, indeed, have been sufficient to win authorisation to enter Microsoft’’s premises and seize the server. Is it right, he asks, that Microsoft can get round that by the simple expedient of locating the server outside the US? The key distinction, he says, is between US citizens and those who are (or who say they are) foreign.
It is only foreign customers, and those Americans who say that they reside abroad, who gain any enhanced protection from the Court’s holding. And that protection is not merely enhanced, it is absolute: the government can never obtain a warrant that would require Microsoft to turn over those emails, however certain it may be that they contain evidence of criminal activity, and even if that criminal activity is a terrorist plot. Or to be more precise, the customer’s privacy in that case is absolute as against the government; her privacy is protected against Microsoft only to the extent defined by the terms of [the] contract with the company.
The court was not made aware of the nationality of the email account holder:
…we do not know the nationality of the customer. If he or she is Irish (as for all we know the customer is), the case might present a troubling prospect from an international perspective: the Irish government and the European Union would have a considerable grievance if the United States sought to obtain the emails of an Irish national, stored in Ireland, from an American company which had marketed its services to Irish customers in Ireland.
The issue in this case he says, “is not about privacy, but rather about the international reach of American law”.
The issue, Judge Lynch says, is one for Congress. Nothing in the SCA suggests that Congress intended it to have effect beyond US borders. Picking up his earlier parallel with a warrant for searches of a physical building with the US, he says that Congress would not have attempted to authorise “a search of a building physically located in Ireland”.
A careful study of the words of the warrant follows, together with an examination of the nature of an electronic “document”. Cloud storage was not in contemplation when the Act was drafted in 1986, and it is unsurprising that Congress did not take account of it in considering potential transnational applications of the statute.
It is up to Congress, Judge Lynch says, to do so now:
Although I believe that we have reached the correct result as a matter of interpreting the statute before us, I believe even more strongly that the statute should be revised, with a view to maintaining and strengthening the Act’s privacy protections, rationalizing and modernizing the provisions permitting law enforcement access to stored electronic communications and other data where compelling interests warrant it, and clarifying the international reach of those provisions after carefully balancing the needs of law enforcement (particularly in investigations addressing the most serious kinds of transnational crime) against the interests of other sovereign nations.
Whatever the rest of us may think of claims to “US exceptionalism”, we all want to trade with the US and much of the world depends on the US for its security. If the Brexit vote surprised us, it surprised the rest of the world even more, and after a brief period of well-deserved mockery at our expense, the US, like everyone else, must face a new set of trading alliances and a shift in commercial power between the players. Dublin, the locus of the warrant dispute, may become a new trading and technology hub as the last English-speaking state within the EU.
It is not just the EU, with or without the UK, which imposes restraints on the uses of data; the rest of the major trading countries are going down the same road. If we all have to respect the commercial and defensive might of the US, as we do, the US is having to recognise those restraints and deal with them. Judge Lynch is right: this is not just a matter for courts and law enforcement; Congress must get involved in reaching a balance between openness and privacy, between the legitimate demands of the authorities and the equally legitimate requirements of the individual, and between the need for security and respect for privacy.