Jennifer Daskal is an associate professor of law at American University Washington College of Law.
With more than 30 amicus briefs filed in the Microsoft Ireland case – including from members of Congress, the European Commission, the Chamber of Commerce, privacy advocates and dozens of media organizations – United States v. Microsoft stands as one of the most closely watched cases this term. For good reason. The implications are far-reaching – touching on everything from security, privacy, the future of the internet, democratic accountability and core attributes of sovereignty, as attested to by the number of individuals and institutions that have weighed in on the case.
It is, however, a set of issues best dealt with by Congress, not the courts. The good news is that Congress is beginning to engage. Earlier this week, a bipartisan group of senators introduced the Clarifying Lawful Overseas Use of Data (CLOUD) Act – a bill that, if enacted quickly enough, would moot the Microsoft Ireland case and authorize the executive to enter into bilateral and multilateral agreements so as to facilitate cross-border access to data in the investigation of serious crime. Amazingly, the legislation has the support of both the Department of Justice and Microsoft – the dueling parties in the case. (I describe the bill in detail at Just Security.)
If Congress moves quickly enough, it would avert a Supreme Court showdown. But assuming that doesn’t happen, the Supreme Court can, and should, write the kind of nuanced ruling that will bolster these congressional efforts and balance the competing interests presented by the case. Specifically, the court should – as does the legislation – reject the idea that the location of data controls access, yet it should also demand respect for the legitimate interest of governments in protecting their own citizens and residents.
On its face, the case is one of statutory interpretation. Does, or does not, the Stored Communications Act (SCA) reach data that is stored overseas? More specifically, can the U.S. government, pursuant to an SCA warrant, compel a U.S.-based service provider (in this case, Microsoft) to turn over data that is in the service provider’s custody or control, but stored overseas (in this case, in Ireland)? Microsoft says no. The government says yes.
Both sides agree that the statute does not apply extraterritorially. The dispute thus centers on what is the “focus” of the statute (an inquiry dictated by the Supreme Court’s ruling in Morrison v. National Australia Bank). Microsoft says the statutory focus is protecting the security of stored communications; according to Microsoft, this depends on where those communications are stored. The government, by contrast, argues that the focus is about regulating disclosure, something that occurs in the United States.
There is, frankly, is no clear-cut answer to this question. The SCA was written in 1986, well before anyone could have conceived of a globally interconnected internet or the possibility of data stored in the cloud. Both the statute itself and the legislative history are therefore silent as to the key question in the case. Microsoft makes its case by asking the court to examine the statute as a whole, whereas the government focuses on the specific provision regulating compelled disclosure orders.
Even if Microsoft is right, however, it faces the additional hurdle of convincing the court that the relevant security breach occurs at the place of storage (in this case, Ireland) as opposed to the place of disclosure (the United States). Internet service providers, after all, move data around all the time without breaching either the SCA or the security of their customers’ stored data. Any additional privacy intrusion or erosion of security arguably occurs when the data is handed over to U.S. law enforcement, not simply when it is accessed and moved to the United States.
Microsoft’s position, as endorsed by the U.S. Court of Appeals for the 2nd Circuit, also carries with it a number of troubling policy implications. A win for Microsoft means that U.S. law enforcement will be unable to compel, via a warrant issued based on probable cause, a U.S. provider to turn over the data of a U.S. citizen accused of a local crime, simply because the data is stored abroad. U.S. law enforcement will be required to make a diplomatic request to the country where the data happens to be held in order to access it, presumably pursuant to a mutual legal assistance treaty.
But the United States has mutual legal assistance treaties with less than half of the world’s countries. And even when such a treaty is in place, the processing time is often lengthy and uncertain. As highlighted by state and local law enforcement brief, the 2nd Circuit rule is already making it difficult, if not impossible, to access critical evidence in certain cases, even pursuant to lawful process, even in cases involving U.S. residents, and even in the investigation of serious crime.
More broadly, the idea that access should turn on the location of highly mobile and divisible data makes little practical or normative sense. By making location the sine qua non of access, such a rule further encourages the proliferation of data-localization mandates as a means of ensuring such access, likely pricing smaller start-ups out of the international market and undercutting the benefits of an open and interconnected internet.
Conversely, however, a straight-up government win carries its own risks. Rightly or wrongly, it will be perceived as the United States claiming the authority to scoop up data anywhere, without regard to the interests of foreign sovereigns. It sets a dangerous precedent, encouraging countries around the world to assert similar authority to access data of anyone everywhere, and without any clear standards as to the substantive and procedural rules that apply.
This risks a race to the bottom, making it harder for the United States to protect the interests of its own residents and citizens, and undercutting ongoing international efforts to develop rules governing access to data across borders (see discussion of these efforts in the Part I.A. of the Electronic Privacy Information Center’s brief). It also risks generating an increasing array of conflicting legal obligations, with one state demanding disclosure and another prohibiting it, and providers being forced to choose whose laws to comply with and whose to break.
The Supreme Court can, however, rule in a way that mitigates some of these perils. It should rule, as the government urges, that the warrant authority applies without regard to the location of data. But it also should couple that ruling with the requirement that lower courts engage in a robust comity analysis if and when the warrant seeks data of a foreign national located outside the United States and the request would generate a conflict of laws.
The E-Discovery brief provides a particularly thoughtful set of recommendations in this regard, as I also have discussed previously at Just Security. It asks the Supreme Court to recognize explicitly the risk of conflicting legal obligations that could arise if the U.S. warrant authority reaches data without regard to location. And it asks the court to require a comity analysis in such situations and to lay out the relevant factors to be considered. The relevant factors include the location and nationality of the target of the investigation, the importance of the case, the importance of the evidence in the case, and the possibility of accessing the evidence by other means (including via the MLAT system).
Such a ruling would set the kind of precedent the U.S. presumably would, and should, want other countries to follow if accessing U.S.-held data. It would mitigate the risk that the U.S. be seen as asserting the authority to access all data anywhere around the world, thus helping to protect the U.S. tech industry from the negative backlash that is likely to ensue. And it would respond to the concern that a government win will subject providers to conflicting legal obligations. In fact, whether or not compelled disclosure orders will conflict with EU data-transfer restrictions in the soon-to-be implemented General Data Protection Regulation remains an open and central question, as addressed by several of the amicus briefs.
Notably, such a ruling also dovetails with the approach taken in the CLOUD Act. The legislation, rightly in my opinion, shifts the focus away from the location of the data to the location and nationality of the target. It puts its thumb on the scale of comity analysis as a means of addressing the kind of conflicting interests that arise if and when the U.S. seeks the data of noncitizens located outside the United States. Specifically, it sets up a new statutory basis to quash a warrant if it seeks the data of a foreigner outside the United States and the disclosure violates the laws of certain “qualifying” foreign nations. And although the list of qualifying nations will, at least initially, likely be quite small, the bill also, via a rule of construction, endorses the application of common-law comity in other cases that yield a conflict of laws – something that the Supreme Court should endorse as well.
Perhaps, fingers crossed, Congress will move fast to enact the CLOUD Act, and the entire case will be mooted. But if not, the Supreme Court should rule in a way that supports these congressional efforts. It should recognize that access to data should depend on more than location, yet put its thumb on the scale in favor of comity analysis as a means of respecting foreign government’s interests in delimiting access to their own citizens’ and residents’ data – much as the United States does and should insist on when foreign governments seek U.S. citizen data.