[Orin Kerr] Second Circuit: Warrants cannot be used to compel disclosure of emails stored outside the United States

The Volokh Conspiracy 2016-07-31

Summary:

The Second Circuit has handed down its long-awaited decision in the Ireland warrant case, In the Matter of a Warrant to Search a Certain E‐Mail Account Controlled and Maintained by Microsoft Corporation. The holding: If a U.S. company stores customer email outside the United States, whether of U.S. or foreign customers, the government cannot use a domestic search warrant to compel the disclosure of the email. If the data is stored outside the United States, the government has to find some way other than a traditional search warrant to compel the email.

This post will cover the reasoning of the opinion, and in another post I’ll address its implications and what happens next.

A brief recap: The government obtained a search warrant inside the United States compelling Microsoft inside the United States to disclose email it had stored on a server in Ireland. The court assumed, following the briefing of the parties, that the Stored Communications Act, if it applied, would require Microsoft to comply with the warrant. Everyone in the case agreed that the Stored Communications Act applied only inside the United States. The big issue was whether the Act’s territoriality was governed by where the disclosure occurs (inside the United States) or where the data is stored (outside the United States).

The court ruled that the Act’s territoriality is governed by the location of the data. Because Microsoft stored the data outside the United States, Microsoft doesn’t have to comply with the warrant. As I read the majority opinion, authored by Judge Susan Carney, the core reasoning of the opinion largely boils down to a single sentence on Page 39. After reasoning at length that the Act is focused on user privacy, Carney announces the following conclusion: “it is our view that the invasion of the customer’s privacy takes place under the SCA where the customer’s protected content is accessed — here, where it is seized by Microsoft, acting as an agent of the government.”

This strikes me as a conclusion that needs explanation, although the opinion doesn’t appear to provide it. Yes, the statute focuses on privacy. But what is the territorial location of a privacy invasion? Is that where the disclosure occurs? Where the access occurs? Where the person is located? There are lots of different ways to answer this. It’s what the case was fundamentally about. At least based on my initial read of the opinion, however, the majority doesn’t actually develop an explanation of that choice.

Concurring in the judgment, Judge Gerard Lynch points out the gap:

Privacy, however, is an abstract concept with no obvious territorial locus; the conclusion that the SCA’s focus is privacy thus does not really help us to distinguish domestic applications of the statute from extraterritorial ones. “The real motor of the Court’s opinion,” Morrison, 561 U.S. at 284 (Stevens, J., concurring in the judgment), then, is less the conclusion that the statute focuses on privacy than the majority’s further determination that the locus of the invasion of privacy is where the private content is stored – a determination that seems to me suspect when the content consists of emails stored in the “cloud.” It seems at least equally persuasive that the invasion of privacy occurs where the person whose privacy is invaded customarily resides.

The closest the majority comes to explaining why the invasion of privacy takes place where the information is accessed may be in this paragraph on Page 40:

The magistrate judge suggested that the proposed execution of the Warrant is not extraterritorial because “an SCA Warrant does not criminalize conduct taking place in a foreign country; it does not involve the deployment of American law enforcement personnel abroad; it does not require even the physical presence of service provider employees at the location where data are stored. . . . [I]t places obligations only on the service provider to act within the United States.” In re Warrant, 15 F. Supp. 3d at 475–76. We disagree. First, his narrative affords inadequate weight to the facts that the data is stored in Dublin, that Microsoft will necessarily interact with the Dublin datacenter in order to retrieve the information for the government’s benefit, and that the data lies within the jurisdiction of a foreign sovereign. Second, the magistrate judge’s observations overlook the SCA’s formal recognition of the special role of the service provider vis‐à‐vis the content that its customers entrust to it. In that respect, Microsoft is unlike the defendant in Marc Rich and other subpoena recipients who are asked to turn over records in which only they have a protectable privacy interest.

I’m not sure this actually explains why the invasion of privacy is

Link:

http://feedproxy.google.com/~r/volokh/mainfeed/~3/hpUNmTH5JX4/

From feeds:

CLS / ROC » The Volokh Conspiracy

Authors:

Orin Kerr

Date tagged:

07/31/2016, 07:22

Date published:

07/14/2016, 14:20