Directing Microsoft to Seize Its Customer’s Communications Stored in Ireland is Unlawful

E. Extraterritoriality of the Warrant

Having thus determined that the Act focuses on user privacy, we have little trouble concluding that execution of the Warrant would constitute an unlawful extraterritorial application of the Act.  See Morrison, 561 U.S. at 266–67; RJR Nabisco, 579 U.S. at __, 2016 WL 3369423, at *9.

The information sought in this case is the content of the electronic communications of a Microsoft customer. The content to be seized is stored in Dublin. J.A. at 38.  The record is silent regarding the citizenship and location of the customer.   Although the Act’s focus on the customer’s privacy might suggest that the customer’s actual location or citizenship would be important to the extraterritoriality analysis, it is our view that the invasion of the customer’s privacy takes place under the SCA where the customer’s protected content is accessed—here, where it is seized by Microsoft, acting as an agent of the government.[27] Because the content subject to the Warrant is located in, and would be seized from, the Dublin datacenter, the conduct that falls within the focus of the SCA would occur outside the United States, regardless of the customer’s location and regardless of Microsoft’s home in the United States.[28]  Cf. Riley v. California, 134 S. Ct. 2473, 2491 (2014) (noting privacy concern triggered by possibility that search of arrestee’s cell phone may inadvertently access data stored on the “cloud,” thus extending “well beyond papers and effects in the physical proximity” of the arrestee).

The magistrate judge suggested that the proposed execution of the Warrant is not extraterritorial because “an SCA Warrant does not criminalize conduct taking place in a foreign country; it does not involve the deployment of American law enforcement personnel abroad; it does not require even the physical presence of service provider employees at the location where data are stored. . . .  [I]t places obligations only on the service provider to act within the United States.” In re Warrant, 15 F. Supp. 3d at 475– 76.  We disagree. First, his narrative affords inadequate weight to the facts that the data is stored in Dublin, that Microsoft will necessarily interact with the Dublin datacenter in order to retrieve the information for the government’s benefit, and that the data lies within the jurisdiction of a foreign sovereign. Second, the magistrate judge’s observations overlook the SCA’s formal recognition of the special role of the service provider vis‐à‐vis the content that its customers entrust to it. In that respect, Microsoft is unlike the defendant in Marc Rich and other subpoena recipients who are asked to turn over records in which only they have a protectable privacy interest.

The government voices concerns that, as the magistrate judge found, preventing SCA warrants from reaching data stored abroad would place a “substantial” burden on the government and would “seriously impede[]” law enforcement efforts. Id. at 474. The magistrate judge noted the ease with which a wrongdoer can mislead a service provider that has overseas storage facilities into storing content outside the United States.  He further noted that the current process for obtaining foreign‐stored data is cumbersome.  That process is governed by a series of Mutual Legal Assistance Treaties (“MLATs”) between the United States and other countries, which allow signatory states to request one another’s assistance with ongoing criminal investigations, including issuance and execution of search warrants. See U.S. Dep’t of State, 7 Foreign Affairs Manual (FAM) § 962.1 (2013), available at fam.state.gov/FAM/07FAM/07FAM0960.html (last visited May 12, 2016) (discussing and listing MLATs).[29] And he observed that, for countries with which it has not signed an MLAT, the United States has no formal tools with which to obtain assistance in conducting law enforcement searches abroad.[30]

These practical considerations cannot, however, overcome the powerful clues in the text of the statute, its other aspects, legislative history, and use of the term of art “warrant,” all of which lead us to conclude that an SCA warrant may reach only data stored within United States boundaries. Our conclusion today also serves the interests of comity that, as the MLAT process reflects, ordinarily govern the conduct of cross‐ boundary criminal investigations. Admittedly, we cannot be certain of the scope of the obligations that the laws of a foreign sovereign—and in particular, here, of Ireland or the E.U.—place on a service provider storing digital data or otherwise conducting business within its territory.  But we find it difficult to dismiss those interests out of hand on the theory that the foreign sovereign’s interests are unaffected when a United States judge issues an order requiring a service provider to “collect” from servers located overseas and “import” into the United States data, possibly belonging to a foreign citizen, simply because the service provider has a base of operations within the United States.

Thus, to enforce the Warrant, insofar as it directs Microsoft to seize the contents of its customer’s communications stored in Ireland, constitutes an unlawful extraterritorial application of the Act.

[27] We thus disagree with the magistrate judge that all of the relevant conduct occurred in the United States. See In re Warrant, 15 F. Supp. 3d at 475–76.

[28] The concurring opinion suggests that the privacy interest that is the focus of the statute may not be intrinsically related to the place where the private content is stored, and that an emphasis on place is “suspect when the content consists of emails stored in the ‘cloud.’” Concurring Op. at 14 n.7. But even messages stored in the “cloud” have a discernible physical location. Here, we know that the relevant data is stored at a datacenter in Dublin, Ireland.  In contrast, it is possible that the identity, citizenship, and location of the user of an online communication account could be unknown to the service provider, the government, and the official issuing the warrant, even when the government can show probable cause that a particular account contains evidence of a crime.

[29] The United States has entered into an MLAT with all member states of the European Union, including Ireland. See Agreement on Mutual Legal Assistance Between the European Union and the United States of America, June 25, 2003, T.I.A.S. No. 10‐201.1.

30 In addition, with regard to the foreign sovereign’s interest, the District Court described § 442 (1)(a) of the Restatement of Foreign Relations Law as “dispositive.” Tr. of Oral Arg., supra note 25, at 69. That section provides:

A court or agency in the United States, when authorized by statute or rule of court, [is empowered to] order a person subject to its jurisdiction to produce documents, objects, or other information relevant to an action or investigation, even if the information or the person in possession of the information is outside the United States.

Restatement of Foreign Relations Law (3d) § 442(1)(a) (1987).  We are not persuaded. The predicate for the Restatement’s conclusion is that the court ordering production of materials located outside the United States is “authorized by statute or rule of court” to do so. Whether such a statute―the SCA―can fairly be read to authorize the production sought is precisely the question before us.