For this week’s blog post, we will be continuing with a discussion of another recently decided Supreme Court case. Specifically, we will cover United States v. Microsoft Corporation, and talk about the ramification’s the Court’s decision has on the world of internet technology.
This case involves user data privacy rights and the ability of US based technology companies to refuse to comply with federal warrants when user data is stored overseas. The case had to do with the extraterritorial (outside of the United States) application of the Stored Communications Act (SCA), and whether warrants issued under SCA could be effective with regard to new internet technology such as cloud storage and data centers.
In 2013, FBI agents obtained a warrant requiring Microsoft to disclose emails and information related to a customer’s account who was believed to be involved in drug trafficking. Microsoft attempted to quash the warrant, claiming that all of the customer’s emails and information were stored in Microsoft data centers in Dublin, Ireland. The court held Microsoft in civil contempt for refusing to give agents the emails, but this decision was reversed by the Second Circuit. The Second Circuit held that requiring Microsoft to give federal agents emails that were stored overseas would be outside the realm of permissible extraterritorial application of the Stored Communications Act (18 U.S.C. 2703).
After the case was pending appeal, changes relating to the extraterritorial application of the SCA came about. In March 2018, Congress enacted and President Trump signed into law the Clarifying Lawful Overseas Use of Data Act (CLOUD Act). The Act amended the SCA as follows: A service provider shall preserve, backup, and disclose the contents of an electronic communication and any record or other information pertaining to a customer or subscriber within such service provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.
The CLOUD Act requires companies such as Microsoft and Google, who store user information in overseas data centers, to provide user information to government agents when a warrant is issued. The Act provides for companies or courts to reject or challenge such warrants, however, if the request violates the privacy rights of the foreign country in which the data is stored. The CLOUD Act also has implications for foreign technology companies with a significant presence in the United States. If a court decides that a foreign service provider has substantial connections to and operations within the United States, the foreign company may be subject to US law and thus a warrant issued under the CLOUD Act may be enforced. If, however, a warrant under the CLOUD Act is issued for a foreign citizen’s information, and such a demand conflicts with the foreign country’s data privacy laws, the Act permits such a conflict to be raised in a motion to quash.
Because the CLOUD Act was enacted while United States v. Microsoft Corporation was on appeal, the Supreme Court had to take this legislative change into account when making their decision. Since the original case was regarding the lower court holding Microsoft in contempt for not providing information stored in foreign data centers, and the CLOUD Act now provides that such information must be disclosed regardless of where it is stored, the Supreme Court held that the case was moot. Because the CLOUD Act requires a company to disclose a user’s information regardless of location, there is no dispute as to whether Microsoft can refuse to comply with the warrant. The Supreme Court thus held that no live dispute remained, and vacated the case. A new warrant will take the place of the original warrant, and Microsoft will have to comply with the disclosure of the user’s information.
At our law firm, we assist clients with legal issues related to internet, technology, data privacy, and e-commerce. Please contact us to set up an initial consultation.