In his November 29, 2016, Volokh Conspiracy post, Professor Orin Kerr raised some important points about the unintended or unanticipated consequences of the so-called Microsoft Ireland case. In that case, the Second Circuit decided that a search warrant issued pursuant to section 2703 of the Electronic Communications Privacy Act (ECPA) had no extraterritorial effect and could not be used to compel the disclosure of user content stored by Microsoft in Ireland. Professor Kerr thinks the court said much more than that. He concludes that none of ECPA's restrictions apply to data stored outside the U.S., so providers actually are free to "voluntarily" disclose content to anyone as a result of the decision, including, oddly enough, to the very U.S. law enforcement agents seeking the content with the warrant at issue in the case! As I told Professor Kerr in a lengthy Twitter exchange, I respectfully dissent.
But first, to Professor Kerr's main point in his posting, he's absolutely right that the case has had some unanticipated consequences for the the Department of Justice (DoJ). Not all providers "know" at any given time where data is stored in their distributed, global data networks. If a provider doesn't "know," does the benefit of the doubt go to DoJ in fulfilling the warrant? No. As DoJ makes clear in its petition for hearing filed last month with the Second Circuit, providers are not guessing or taking the risk of producing content in such cases. That leaves DoJ with insurmountable procedural hurdles to obtain evidence.
If DoJ knows where the data centers are located, they could pursue production through mutual legal assistance procedures in that country, assuming that eventually Ireland for example will order Microsoft's Irish subsidiary/data center to produce the email for delivery to the US. But as DoJ notes in its petition, some providers only have a U.S. access point for production even if the data is stored in a non-U.S. data center, so DoJ would end up back at the original provider in the U.S. and hit a stone wall. That is, local data center personnel don't have access to global email storage for a U.S. provided service by the parent entity, nor would they have the ability to determine whether email was stored on local servers at all. The Second Circuit may have thought the data storage and services world was tidy and that providers engineered networks like Microsoft where, based on a user's self-selected, unverified choice of country of residence, the content was plainly stored on Ireland's servers. They were, at best, uninformed, and now DoJ has raised these consequences in an effort to convince the Second Circuit that they got it wrong in the first place. But as Professor Kerr notes in his post, the court's conclusion about the reach of the warrant and the resulting framework is not irrational regardless of the consequences.
Now, to my disagreement with Professor Kerr. His surprise at the unanticipated consequences of the decision comes from his understanding that the court decided ECPA lacked extraterritorial effect so if data is stored outside the U.S., none of ECPA's prohibitions on disclosure of content have any effect. He therefore expected that U.S. providers would, or at least could, "voluntarily" disclose content to U.S. law enforcement on domestic warrants because, as he reads the opinion, ECPA does not cover content stored outside the U.S. He anticipates that DoJ eventually will challenge providers who don't "volunteer" to add in non-U.S. stored content in response to domestic warrants, presumably because he believes that a court can compel a voluntary act. (One court has so held, in Negro v. Superior Court, the court held that a subpoena to the provider could compel disclosure of content where a user had validly consented to the production, consent being an exception to the prohibition on disclosure of content.)
But the Second Circuit made no such broad pronouncement about the applicability of ECPA to data stored outside the U.S. The decision is quite limited to the ability of the government to use the Rule 41 search warrant exception to compel such disclosures. Here's what the court said at pages 32-33, having first found that section 2703's warrant provision was not intended to apply extraterritorially:
This conclusion does not resolve the merits of this appeal, however, because "it is a rare case of prohibited extraterritorial application that lacks all contact with the territory of the United States." Morrison, 561 U.S. at 266. When we find that a law does not contemplate or permit extraterritorial application, we generally must then determine whether the case at issue involves such a prohibited application. Id at 266– 67. As we recently observed in Mastafa v. Chevron Corp., "An evaluation of the presumption's application to a particular case is essentially an inquiry into whether the domestic contacts are sufficient to avoid triggering the presumption at all." 770 F.3d 170, 182 (2d Cir. 2014).
In making this second‐stage determination, we first look to the "territorial events or relationships" that are the "focus" of the relevant statutory provision. Id. at 183 (alterations and internal quotation marks omitted). If the domestic contacts presented by the case fall within the "focus" of the statutory provision or are "the objects of the statute's solicitude," then the application of the provision is not unlawfully extraterritorial. Morrison, 561 U.S. at 267. If the domestic contacts are merely secondary, however, to the statutory "focus," then the provision's application to the case is extraterritorial and precluded.
[W]e conclude that the relevant provisions of the SCA focus on protecting the privacy of the content of a user's stored electronic communications. Although the SCA also prescribes methods under which the government may obtain access to that content for law enforcement purposes, it does so in the context of a primary emphasis on protecting user content ― the "object of the statute's solicitude." Morrison, 561 U.S. at 267.
The court goes on to make clear that the focus of ECPA is the protection of user content, and that it is therefore proper to view the warrant requirement as consistent with protection of communications. That is, statutory analysis supports the conclusion that Congress meant to apply all the substantive and procedural baggage that comes with issuance, execution and use of a Rule 41 warrant when it permitted compelled disclosure under section 2703 using "the procedures described in the Federal Rules of Criminal Procedure." Where data is stored outside the U.S., law enforcement will have to follow whatever laws and procedures exist to obtain production regardless of the degree of difficulty, just as other countries must follow those procedures when seeking content from U.S. providers where the provider and data are in the U.S.
Nothing in the Second Circuit's opinion suggests that the Section 2702 prohibition on provider disclosure of content in other than the delineated exceptions (now including only content stored in the US in response to a search warrant) doesn't apply to non-U.S. users or their content stored outside the U.S. To the contrary, the Ninth Circuit decided in another Microsoft case in 2011, Suzlon Energy Ltd. v. Microsoft, that ECPA emphatically applied to the content of a non-U.S. user and that a subpoena for its production, without regard to where the data was stored, was not one of the enumerated exceptions that permitted disclosure. Section 2702 is plain on its face - a provider of an electronic communications service is prohibited from disclosing the content of ANY of its users absent an applicable, limited exception. Prior to the Second Circuit case, most U.S. providers, subject to the jurisdiction of U.S. courts, understood ECPA warrants to be one such exception regardless of where the data was stored. Warrants still are an exception, but limited now only to data stored in the U.S. where the warrant can be so executed.
There is no "voluntary" disclosure of foreign-stored content exception for U.S. providers in ECPA, and personally, I know of no U.S. provider that has read ECPA to permit it after the Second Circuit case. Thus, I dissent from Professor Kerr's conclusions.
As a footnote to the discussion, providers always have understood ECPA to be a domestic statute without extraterritorial effect. If a provider had a non-U.S. operating subsidiary that stored its users' content locally in that country for bona fide reasons, the U.S. entity would not be liable under ECPA if that subsidiary complied with local law to produce in response to legal process. See Zheng v. Yahoo! Inc., 2009 W.L. 4430297 (2009). So ECPA plainly is, and remains, a blocking statute for U.S. providers subject to U.S. jurisdiction. To protect user privacy from compelled production in countries where civil liberties may be less honored, many U.S. providers maintain the separation between corporate parent/U.S. provider and local sales or other operating subsidiaries without access to parent company data. The danger of the Microsoft Ireland case is data localization demands, such as under Russia's new law, or assertions of extraterritorial reach of surveillance powers to compel U.S. providers to comply with local requirements. The latter is evident in the U.K.'s "snooper charter" and ironically, in a case Microsoft is defending in Belgium against compelled disclosure of Skype communications as reported here. It is worth pointing out these investigative gymnastics would be unnecessary if non-U.S. data could be voluntarily disclosed to investigators in other countries at the whim of U.S. providers. They shouldn't get the wrong idea, having read Professor Kerr's posting.