Microsoft scored a major victory for the privacy of its cloud computing users yesterday winning a closely watched case against U.S. Government. In Microsoft Corporation v USA (2nd.Cir. Jul. 14, 2016), the U.S. Second Circuit Court of Appeals held that a warrant issued under Section 2703 of the Stored Communications Act (ECA) did not have extra-territorial effect to require U.S. based Microsoft to access and provide the government with user data stored on servers operated by a subsidiary in Dublin Ireland.
The decision was based on a number of factors including the principle against the presumption of extra-territorial application of U.S law and the historical difference between a subpoena and a warrant, which in this case was held to apply only to Microsoft’s servers in the U.S.
According to the court:
These practical considerations cannot, however, overcome the powerful clues in the text of the statute, its other aspects, legislative history, and use of the term of art “warrant,” all of which lead us to conclude that an SCA warrant may reach only data “warrant,” all of which lead us to conclude that an SCA warrant may reach only data stored within United States boundaries. Our conclusion today also serves the interests of comity that, as the MLAT process reflects, ordinarily govern the conduct of cross‐ boundary criminal investigations. Admittedly, we cannot be certain of the scope of the obligations that the laws of a foreign sovereign—and in particular, here, of Ireland or the E.U.—place on a service provider storing digital data or otherwise conducting business within its territory. But we find it difficult to dismiss those interests out of hand on the theory that the foreign sovereign’s interests are unaffected when a United States judge issues an order requiring a service provider to “collect” from servers located overseas and “import” into the United States data, possibly belonging to a foreign citizen, simply because the service provider has a base of operations within the United States.
Thus, to enforce the Warrant, insofar as it directs Microsoft to seize the contents of its customer’s communications stored in Ireland, constitutes an unlawful extraterritorial application of the Act.
We conclude that Congress did not intend the SCA’s warrant provisions to apply extraterritorially. The focus of those provisions is protection of a user’s privacy interests. Accordingly, the SCA does not authorize a U.S. court to issue and enforce an SCA warrant against a United States‐based service provider for the contents of a customer’s electronic communications stored on servers located outside the United States. The SCA warrant in this case may not lawfully be used to compel Microsoft to produce to the government the contents of a customer’s e‐mail account stored exclusively in Ireland. Because Microsoft has otherwise complied with the Warrant, it has no remaining lawful obligation to produce materials to the government.
The decision vindicates the position Microsoft took to protect the privacy of its users located outside the U.S. However, the decision only relates to the particular form of investigative document used by law enforcement in the case and did not make any definitive findings on whether a subpoena would have had a broader territorial ambit.
For a good summary of the case, see U.S. Cannot Compel By Warrant Microsoft’s Production of Emails Stored Outside of U.S.