What will Microsoft and Ireland do with the new CLOUD Act warrant?

So it seems that the Microsoft Ireland case at the Supreme Court will end with a whimper. Both the Department of Justice and Microsoft agree that the case is moot and should be dismissed due to the passage of the Clarifying Lawful Overseas Use of Data Act or “CLOUD Act.” DoJ told the Court that it has procured a warrant under new section 2713 of the Stored Communications Act. 

Case closed, right? We don’t really know, but everyone should be asking what Microsoft, and indeed Ireland, intend to do now that a CLOUD Act warrant has been issued.

First, the CLOUD Act resolved that any legal process issued under the SCA has extraterritorial effect. A provider responding to SCA process now must produce information within its “possession, custody, or control, regardless of whether such...information is located within or outside of the United States.” That should moot the pending Supreme Court case and it should be dismissed.

Second, the CLOUD Act established a process for the U.S. government to enter into executive agreements with other nations to permit those “qualifying foreign governments” to obtain data from U.S. providers directly, including by means of wiretaps. We have no such agreements at this time.

If there were such an agreement with Ireland, under the CLOUD Act, Microsoft could move to quash or amend the warrant if it “reasonably believed” that compliance would “create a material risk that the provider would violate the laws of a qualifying foreign government.”

The court would then be required to conduct a comity analysis using the factors listed in the Act to determine if compliance should be required.

Anyone who wonders how such a motion would turn out should read the Bank of Nova Scotia line of cases: See In Re Grand Jury Proceedings (Bank of Nova Scotia), 740 F.2d 817 (11th Cir.), cert. denied, 469 U.S. 1106 (1985); In Re Grand Jury Proceedings (Bank of Nova Scotia), 691 F.2d 1384 (11th Cir. 1982), cert. denied, 462 U.S. 1119 (1983); In Re Grand Jury Subpoena Directed to Marc Rich & Company A.G., 707 F.2d 663 (2d Cir.), cert. denied, 463 U.S. 1215 (1983).

U.S. government law enforcement interests almost always have trumped foreign secrecy and privacy laws where the U.S. person has custody or control of the data, even where production violates the law where the data is stored.

Third, because Ireland is not party to an executive agreement, Microsoft now is faced with a compulsory production order that has extraterritorial reach and nothing in the CLOUD Act permits a motion to quash the warrant or requires a court to conduct a comity analysis using the same factors that would be required if there were an executive agreement in place. Instead, the CLOUD Act simply says that nothing in the Act “affect[s] the common law standards governing the availability or application of comity analysis to other types of compulsory process or to instances of compulsory process issued under section 2703 of title 18 United States Code, as amended by this section, and not covered under subsection (h)(2) of such section 2703.”

To be really clear, the CLOUD Act does not say a comity analysis is available at all or even that a provider has a right to bring a motion to quash or amend the legal process. Ireland filed an amicus brief in the Microsoft Ireland case, stating that the most appropriate way for the U.S. government to obtain the data was through the Mutual Legal Assistance Treaty in effect between Ireland and the U.S. Ireland strongly suggested without saying so directly that the warrant at issue in the case would violate its sovereignty otherwise. 

So what will Microsoft do? Will it file a motion to quash? Or will it just comply? Will Ireland ask Microsoft (and indeed, other U.S. providers that store data in Ireland) to inform data protection authorities when such demands are received? 

DPAs will not know how many such requests providers receive and comply with otherwise. Perhaps providers will add a new category to their transparency reports for U.S. demands regarding non-U.S. subscribers or users.

One thing is for sure, the CLOUD Act may have answered whether SCA legal process has extraterritorial reach, but it raised more questions in the process.

This blog post first appeared in IAPP Privacy Perspectives.

Add new comment