Symposium: Comity tonight — conflicts of law in cross-border data demands

Eric Wenger is the director of cybersecurity and privacy policy at Cisco Systems.

This term, the Supreme Court considers two cases addressing government access to electronic data in the hands of third-party providers that prompted Cisco and other leading technology companies to submit amicus briefs. In United States v. Carpenter, we questioned whether a blanket rule extinguishing user privacy rights in data shared with third parties makes sense given the rising importance of cloud-based services. Now, in United States v. Microsoft, we urge the court to refrain from reinterpreting a more than 30-year-old data privacy law to allow search and seizure of email messages created and stored abroad. Both cases highlight gaps where the law has not kept pace with the development of technology. Both disputes require a delicate balancing of competing interests that the court should leave to Congress.

The law at issue in the Microsoft case, the Stored Communications Act, was passed as part of the Electronic Communications Privacy Act in 1986. Recall, this was not only decades before the advent of public cloud, but even years before the public internet. Much has been written about the case. So it perhaps bears calling out precisely where the parties agree and disagree. First, Microsoft and the government agree that under Morrison v. National Australia Bank, U.S. law must not be interpreted to have an extraterritorial reach absent an express indication of congressional intent. Further, both parties agree that such intent is lacking here given that ready access to transnational data storage was not contemplated when the law was passed. Finally, both agree that the email messages at issue are stored outside of the United States — in a data center in Ireland — and belong to a user who is neither present in the U.S. nor a U.S. citizen. The point of contention in the case is whether requiring Microsoft to move email messages from Ireland to the United States for the purpose of enabling seizure by U.S. law enforcement is an extraterritorial application of U.S. law.

The very sorts of conflicts of law to be avoided under Morrison are clearly at play in this case. The fact that the messages are stored in Ireland, combined with the European Union’s position that it regulates transfers of personal data from within an EU member state to another jurisdiction, demonstrates that the government’s favored result — compelling Microsoft to disclose customer communications stored abroad — would clearly have an extraterritorial effect. Yet the government persists in arguing that its interpretation of the SCA does not cause the sorts of unintended extraterritorial impacts that Morrison directs the Supreme Court to avoid. The government instead asserts that because providers storing email messages abroad may reserve the right to store and move data for business-related reasons, the government should also be able to compel the movement of that same data for the purpose of enabling compliance with a search warrant. In that view, data capable of being moved to the U.S. in the ordinary course of business must be moved upon the government’s demand and then disclosed as if the data storage were purely domestic.

That is not the right result. Regardless of where the disclosure ultimately occurs, the possibility that the U.S. government’s favored outcome will result in conflicting legal obligations remains unacceptably high, because a requirement to produce data in one country may violate a requirement to protect data in another. Certainly, when the location of data has been found to be on foreign soil, as it has in this case, the Supreme Court should be wary of enabling U.S. law to authorize a seizure that potentially violates another sovereign country’s law.

The government’s view ignores the fact that Microsoft, Cisco and other companies entrusted by customers in the EU or other jurisdictions with handling the contents of electronic communications may not be free to move the data to the U.S. without some legal justification. Enforcing the government’s warrant would, therefore, have an extraterritorial impact regardless of whether the disclosure of the email messages occurs in the U.S. or abroad. The government’s solution would fly in the face of long-held rules of statutory construction intended to promote comity among nations and to avoid unnecessary, unintended conflicts of laws between countries that have adopted mutual legal assistance treaties (MLATs). Notably, the United States and Ireland have entered into such an agreement.

The EU brief clearly demonstrates that member states would view the execution of an SCA warrant to seize the contents of communications stored in the EU as having an extraterritorial effect. This would be true even accepting the U.S. government’s assertion that seizure under the warrant occurs at the location of disclosure. The fact that EU nations believe the government’s recommended outcome would result in the movement of data, that this movement requires a legal justification, and that the application of the SCA to reach the data might not be sufficient legal justification on its own shows that enforcing this warrant has a clear extraterritorial impact. The perception of the Europeans is meaningful regardless of how the U.S. government interprets the location of the key actions mandated by the warrant, and it should be considered by the Supreme Court. Taken together, the arguments in the brief demonstrate there is a very high probability that were the government to prevail, the forced transfer of email messages to the U.S. for the purpose of complying with this search warrant would bump up against the data-protection requirements of EU law.

The government argues that it needs the Supreme Court to interpret the law in a way that enables enforcement of its search warrant in order to protect U.S. citizens against crime and terror. This argument is incorrect for at least three reasons. First, if the existing MLAT processes are not sufficient for the pace of the modern world, the government should work with Congress to update, not sidestep, them. Congress is actively considering this problem, and is, in any event, better suited than the Supreme Court to weigh the competing interests of law enforcement, foreign governments, end-users and multinational companies. Moreover, Congress could craft a law explicitly authorizing U.S. law enforcement to reach data stored abroad in the hands of a provider subject to U.S. jurisdiction. The law might authorize such reach in a variety of situations — e.g., when the selection of a foreign storage location can be shown to have been fraudulent, when there is no MLAT in place, or when the nationality of the owner is unknown or the location of the data is indeterminate. The court should not supplant Congress’ role in making these determinations.

Second, the limitation being sought by Microsoft relates only to the contents of communications that are protected by a search warrant requirement — not subscriber information already within the reach of the government’s subpoena powers. In fact, the parties agree that Microsoft provided law enforcement with all the non-content subscriber information that the government could have obtained with a grand jury subpoena under Bank of Nova Scotia v. United States. During oral argument in Carpenter, the government conceded that there is a critical distinction between provider transactional records and the contents of customer communications. In an exchange with Justice Sonia Sotomayor about the protections that should be accorded to the contents of email messages, the government stated, “There is a difference between content and routing information that the Court recognized … .” That difference stems from the fact that although routing and other transactional information may fairly be considered business records of the provider itself, the contents of email messages entrusted to the provider by its customers are not. It is, therefore, rational for the Supreme Court to conclude that the contents of customer email messages deserve the protections of a warrant, which have not only a higher standard of proof, but also a narrower territorial reach than a subpoena.

Finally, the law as written already enables the government to gather evidence quickly in emergency situations — even when that involves the contents of email stored abroad. The SCA currently empowers the government to seek and providers to share information if there is “danger of death or serious physical injury to any person.” Microsoft’s president, Brad Smith, has publicly noted that within 45 minutes of being asked by authorities in Paris, the company collected and disclosed the contents of suspects’ email accounts in the 2015 Charlie Hebdo shooting.

As it has done in recent years, including in United States v. Jones and Riley v. California, the Supreme Court is again examining critical issues around how antiquated statutory frameworks apply to new and emerging technologies. Here, the court should be wary of the potential for unintended conflicts of law stemming from the government’s position that it can unilaterally reach data owned by an EU user stored in an EU data center. Clearly, existing law needs to be revised to weigh properly the government’s need for data stored in foreign cloud locations operated by entities subject to its personal jurisdiction against the need to respect the comity of other sovereign nations. However, the responsibility for crafting a statute that balances such delicate, competing interest rests with Congress, not the Supreme Court.