Case To Watch: Microsoft v. US on the Extraterritorial Reach of the Electronic Communications Privacy Act

On Monday, the government will be filing its brief in its case against Microsoft regarding the reach of the government’s warrant authority under the Electronic Communications Privacy Act (ECPA). The case, titled In re Warrant to Search Certain E-mail Account Controlled and Maintained by Microsoft Corporation, has important implications for law enforcement’s access to data located outside the United States borders, the government’s ability to protect data stored within our borders from the long-arm reach of other nation’s law enforcement officials, and the bottom line for an array of US-based Internet Service Providers (ISPs) and telecommunication companies. The fact that just about every ISP and telecommunication company (with the exception of Google) has filed amicus briefs on Microsoft’s behalf highlights the significance of the business interest at stake. US-based providers are worried — rightly so — that a ruling in the government’s favor will exacerbate the already-high distrust of American-based companies’ ability to safeguard their customers’ privacy interests.

As readers of this blog will remember (I’ve blogged about this case herehere, and here; the case is also featured in my forthcoming Yale Law Review article, The Un-Territoriality of Data), the dispute arose when the government sought, via a warrant issued pursuant to ECPA, to compel Microsoft to turn over emails being held in a data storage center in Dublin, Ireland. Microsoft moved to quash on the grounds that the government’s warrant authority does not have extraterritorial reach and the warrant was therefore invalid. Microsoft put forward textual analysis, theories of statutory interpretation, and policy reasons in support. 

Microsoft, however, has not fared well to date. Both the magistrate judge and district court have sided with the government, concluding that the warrant was directed at Microsoft, a company headquartered in Redmond, Washington, and therefore was a territorial warrant, not an extraterritorial warrant. The territorial limits of the warrant authority are, as a result, simply irrelevant. What mattered was the location of the company that was directed to produce the sought-after emails, not the location of the data that was ultimately being produced.

In making this argument, the magistrate judge (in an order adopted in full by the district court) defined an ECPA warrant as a “hybrid” — part subpoena and part search warrant. The lower court judges then relied on case law approving the government’s use of its subpoena power to compel banks and other entities to produce their own records located outside the territorial jurisdiction of the United States.

Microsoft has since written a compelling brief explaining all the reasons why the magistrate and district court judges got it wrong. Microsoft persuasively argues that the lower courts’ analogy to subpoenas and the related case law is flawed. In particular, Microsoft distinguishes between the use of a subpoena for a company’s own business records (which can be compelled regardless of their location) and the use of a subpoena to compel the production of the customer’s data that the company happens to store (which it argues is not permitted). Here, Microsoft analogizes its customers’ emails to the private materials stored in a bank’s safety deposit box; few would argue that the US agents could, without notice to and consent of, German authorities unilaterally break into a Frankfort-located safety deposit box; nor could they unilaterally compel a US-based bank to do the same.

Microsoft also emphasizes — rightly so — that nothing in ECPA’s text or history suggests that it was intended to authorize the seizure of data stored outside the territory of the United States. (That said, neither does the text or history suggest the contrary; the issue simply wasn’t on the mind of the drafters of ECPA in 1986 — a time when the Internet was in its infancy and few communications crossed international borders.) Given this silence, Microsoft argues that two principles of statutory interpretation compel a result in its favor. First, the presumption against the extraterritorial application of statutory law; and second, the maxim that statutes should be interpreted in ways that avoid conflict with international law — namely the prohibition on unilateral law enforcement actions in another nation’s territory.

Both of these contentions are ultimately resolved by what is at heart of the case: an assessment as to where the relevant seizure takes place. If what matters is the location of Microsoft agents accessing the data, then neither of these contentions are particularly persuasive; if, by contrast, the location of the property being searched or seized is what counts (as it does when the search or seizure involves data’s more tangible analogs) then Microsoft — it seems to me — wins.

In addition to the multiple telecommunications companies and ISPs that have their own business reasons to get involved, news organizations, computer scientists, advocacy organizations focused on privacy rights, and a European MP, all have weighed in as amici in support of Microsoft’s position. (Amicus briefs can be found here.)

It will, no doubt, be interesting to hear what the government has to say in response. Stay tuned for more. 

About the Author(s)

Jennifer Daskal

Associate Professor at American University Washington College of Law Follow her on Twitter (@jendaskal).