In an order issued on October 16, 2017, the U.S. Supreme Court granted certiorari in United States v. Microsoft Corporation, a case with potentially far-reaching implications for the privacy of electronic data maintained by technology companies across the globe.

The case, which Robinson+Cole has previously discussed here, here, and here, arises from a warrant obtained by the Department of Justice (DOJ) under the Stored Communications Act (SCA).[1] The SCA was enacted in 1986 to protect the privacy of electronic communications, including by extending privacy protections to electronic records analogous to those afforded under the Fourth Amendment to the U.S. Constitution.[2] In relevant part, the SCA requires a governmental entity in most instances to secure a warrant in accordance with the Federal Rules of Criminal Procedure to compel disclosure of electronic communications stored by a service provider.[3]

In this case, the DOJ warrant directed Microsoft to seize and produce the contents of a Microsoft user’s email account in connection with a drug trafficking investigation. In response, Microsoft produced non-content data stored on servers within the United States, but refused to produce the contents of the user’s account stored on a server located in Dublin, Ireland.[4] After a federal district court ordered Microsoft to produce the records stored in Ireland, in July 2016 a unanimous panel of the U.S. Court of Appeals for the Second Circuit quashed the warrant, finding that the DOJ’s attempt to procure the contents of emails stored on a server in Ireland constituted an impermissible extraterritorial application of the SCA.[5]

In reaching its decision, the Second Circuit panel cited the “very different” technological context in which the SCA was passed in 1986 as a factor affecting the panel’s construction of the SCA, and also noted the “strong and binding” presumption against extraterritorial application of U.S. statutes endorsed by the U.S. Supreme Court.[6] Under the Supreme Court’s extraterritoriality framework, the analysis turned on whether the conduct compelled by the SCA warrant – the production of the contents of the records (representing the invasion of the user’s privacy) – occurs within the United States or in Ireland. The DOJ argued that because Microsoft can disclose the records in question from the United States, the warrant does not represent an extraterritorial application of the SCA, and should be interpreted consistent with precedents governing subpoenas that require delivery of records within a recipient’s control, regardless of the location of the records.[7] The Second Circuit panel determined that “the invasion of the customer’s privacy takes place under the SCA where the customer’s protected content is accessed—here where it is seized by Microsoft, acting as an agent of the government,” and sided with Microsoft in concluding that “an SCA warrant may reach only data stored within United States boundaries.”[8]

In January 2017, the Second Circuit rejected a request for an en banc rehearing of the case in an evenly divided vote. That denial was accompanied by dissents that focused on the alleged deleterious effects the panel’s decision would have on law enforcement investigations under the SCA, as well as a need to update the SCA to confront the realities of information privacy in the digital age. Notably, Circuit Judge Cabranes argued that the panel’s decision “indisputably and severely… restricted” an important investigative tool and “substantially burdened the government’s legitimate law enforcement efforts” without serving any “serious, legitimate, or substantial privacy interest.”[9] He further stated that the relevant conduct regulated by the SCA is the service provider’s “disclosure or non-disclosure of emails to third parties, not a provider’s access to a customer’s data,” and because Microsoft here could disclose the records in question to the DOJ from its offices within the United States, the warrant represented a domestic application of the SCA.[10]

Although the Supreme Court has not yet scheduled oral arguments in this case, the Court is expected to hear it in early 2018, and to issue a decision by June, 2018. The merits brief for the government will be due within 45 days of the Court’s order granting cert (by November 30, 2017), and Microsoft’s brief on the merits will then be due 30 days after the government’s brief is filed, provided that these deadlines are subject to change.

Given the stakes in this case for technology companies, government officials and law enforcement, and more broadly for the information privacy of all users of electronic systems, interested parties may seek to bring particularly important issues to the attention of the Supreme Court via submission of an amicus curiae brief. An interested third party from the United States or abroad must obtain the written consent of all parties to the case to file an amicus curiae brief, although the Court customarily will allow submission of an amicus curiae brief without the consent of all parties to a case upon receipt of a motion for leave to file an amicus curiae brief. An amicus curiae brief generally must be submitted within seven days after the brief of the party supported by the amicus curiae is filed, or if no party is supported within seven days of the deadline for the petitioner’s or appellant’s brief, and is subject to certain additional requirements set forth by Rule 37 of the Rules of the Supreme Court of the United States.

Robinson+Cole will continue to closely monitor this case as it is reviewed by the U.S. Supreme Court.

 

[1] 18 U.S.C. § 2703.

[2] Microsoft Corp. v. United States (In re Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp.), 829 F.3d 197, 206 (2d Cir. 2016).

[3] 18 U.S.C. § 2703(a), (c).

[4] Microsoft, 829 F.3d 197, 200.

[5] Id. at 222.

[6] Id. at 206, 209 (citing Morrison v. National Austl. Bank Ltd., 561 U.S. 247, 255 (2010)).

[7] Microsoft, 829 F.3d 197, 201.

[8] Id. at 220-221.

[9] Order of Denial of Request for Rehearing En Banc (Cabranes, J., dissenting), at 1-2.

[10] Id. at 9-10.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Wystan Ackerman Wystan Ackerman

Wystan Ackerman is a partner in Robinson+Cole’s Insurance + Reinsurance Group and handles a diverse range of property insurance litigation, including large business interruption cases, class actions, other complex litigation, and appeals. He also has substantial experience representing insurance companies in putative class…

Wystan Ackerman is a partner in Robinson+Cole’s Insurance + Reinsurance Group and handles a diverse range of property insurance litigation, including large business interruption cases, class actions, other complex litigation, and appeals. He also has substantial experience representing insurance companies in putative class actions involving homeowners’ insurance coverage and market conduct/claim-handling practices. He has been prominently involved in high-profile property insurance litigation concerning the September 11th catastrophe and Hurricane Katrina, and Chinese-made drywall. Based in the insurance capital of Hartford, Connecticut, Wystan writes the blog Insurance Class Actions Insider, which was selected by Lexis Nexis as a top insurance blog for 2011.

Wystan grew up in Deep River, Connecticut, a small town on the west side of the Connecticut River in the south central part of the state. He always had strong interests in history, politics and baseball and his heroes growing up were Abraham Lincoln and Wade Boggs (at that time the third baseman for the Boston Red Sox). Wystan says it was his early fascination with Lincoln that drove him to practice law. As a high school senior, he was one of Connecticut’s two delegates to the U.S. Senate Youth Program, which further solidified his interest in law and government. He went on to Bowdoin College, where he wrote for the Bowdoin Orient and majored in government. After Bowdoin, he went on to Columbia Law School. He also interned in the chambers of then-Judge Sonia Sotomayor on the Second Circuit. Wystan graduated from Columbia in 2001, then worked at Skadden Arps in Boston before returning to Connecticut and joining Robinson+Cole.

When Wystan’s not at his desk, flying around the country trying to save insurance companies from the plaintiffs’ bar, or attending a conference on class actions or insurance litigation he often can be found watching “Dora the Explorer” or reading or playing whiffleball with his young daughter, helping his wife with her business, Option Realty, reading a book about history or politics, or watching the Boston Red Sox.

Read Wystan’s rc.com bio.

Photo of Kathleen Porter Kathleen Porter

Kathy Porter’s practice straddles the areas of intellectual property, business transactions, trade regulation, and Internet law and includes import/export control issues, such as compliance and enforcement, competition, privacy, and data security. She counsels businesses on the development and implementation of data security and…

Kathy Porter’s practice straddles the areas of intellectual property, business transactions, trade regulation, and Internet law and includes import/export control issues, such as compliance and enforcement, competition, privacy, and data security. She counsels businesses on the development and implementation of data security and privacy practices to comply with the patchwork of laws and rules applicable to the collection, use, safeguarding, sharing, and transfer of protected or personal data. She regularly structures arrangements with promoters, marketers, website exchanges, and other third parties for the purchase, sale, sharing, and safeguarding of personal data. Kathy prepares and negotiates representations, warranties, and indemnities regarding personal or protected data and privacy and data practices. She also assists clients with privacy audits and works with third-party certification organizations to obtain certification of companies’ privacy practices. She guides clients through internal investigations to assess and address notice and other obligations regarding privacy breaches. Kathy often works closely with our litigation attorneys to manage external investigations such as those by federal or state regulators. Read her rc.com bio here.

Photo of Conor Duffy Conor Duffy

Conor Duffy is a member of Robinson+Cole’s Health Law Group and the firm’s Data Privacy and Security Team. Conor advises hospitals, physician groups, community providers, and other health care entities on general corporate matters and health care issues. He provides legal counsel on…

Conor Duffy is a member of Robinson+Cole’s Health Law Group and the firm’s Data Privacy and Security Team. Conor advises hospitals, physician groups, community providers, and other health care entities on general corporate matters and health care issues. He provides legal counsel on a full range of transactional and regulatory health law issues, including contracting, licensure, mergers and acquisitions, Medicare and Medicaid fraud and abuse laws and regulations, HIPAA compliance, and other data privacy and security matters. Read his rc.com bio here.