United States v. Microsoft

• Background|
• EPIC's Interest|
• Legal Documents|
• Resources|
• News

• Supreme Court Vacates Microsoft Email Privacy Case: The Supreme Court has vacated United States v. Microsoft, a case concerning whether a U.S. communications law can be used by a U.S. law enforcement agency to obtain personal data stored outside of the U.S. While the case was pending, the Congress quickly passed the CLOUD Act, which requires internet companies to hand over personal data to U.S. law enforcement agencies, no matter where that data is stored. The Court then determined that there was no longer a matter to adjudicate and ended the proceeding. EPIC's amicus brief to the Supreme Court argued that human rights law and privacy standard should govern law enforcement access to personal data stored abroad. In recent comments to the UN, EPIC explained that the CLOUD Act "undermines communications privacy protections." (Apr. 17, 2018)
• In Supreme Court Brief, EPIC Backs International Privacy Standards: EPIC has filed an amicus brief in United States v. Microsoft, a case before the US Supreme Court concerning law enforcement access to personal data stored in Ireland. EPIC urged the Supreme Court to respect international privacy standards and not to extend U.S. domestic law to foreign jurisdictions. EPIC wrote, the "Supreme Court should not authorize searches in foreign jurisdictions that violate international human rights norms." EPIC cited important cases from the European Court of Human Rights and the European Court of Justice. EPIC has long supported international standards for privacy protection, and EPIC has urged U.S. ratification of the Council of Europe Privacy Convention. EPIC routinely participates as amicus curiae in privacy cases before the Supreme Court, most recently in Carpenter v. United States (privacy of cellphone data), Byrd v. United States (searches of rental cars), and Dahda v. United States (wiretapping). (Jan. 18, 2018)
More top news »
International Privacy Experts Adopt Recommendations for Cross-Border Law Enforcement Requests for Data » (Aug. 14, 2018)
The International Working Group on Data Protection in Telecommunications has adopted new recommendations to protect individual rights during criminal cross-border law enforcement. The Berlin-based Working Group includes Data Protection Authorities and experts who assess emerging privacy challenges. The Working Group on Data Protection calls on governments and international organisations to ensure law enforcement requests accord with international human rights norms. The Working Group recommends specific safeguards for data protection and privacy, including accountability, procedural fairness, notice and an opportunity to challenge. EPIC addressed similar issues in an amicus brief for the US Supreme Court in the Microsoft case. EPIC and a coalition of civil society organizations recently urged the Council of Europe to protect human rights in the proposed revision to the Convention on Cybercrime. In April 2017, EPIC hosted the 61st meeting of the IWG in Washington, D.C. at the Goethe-Institut, Germany's cultural institute.
Supreme Court: Fourth Amendment for Lawful Driver of Vehicle Regardless of Rental Agreement » (May. 14, 2018)
The U.S. Supreme Court ruled today that a driver in lawful possession of a rental car has a reasonable expectation of privacy regardless of a rental car agreement. The Court held in Byrd v. United States that, "the mere fact that a driver in lawful possession or control of a rental car is not listed on the rental agreement will not defeat his or her otherwise reasonable expectation of privacy." EPIC filed an amicus brief in the case, joined by 23 technical experts and legal scholars members of the EPIC Advisory Board, which stated that "relying on rental contracts to negate Fourth Amendment standing would undermine legitimate expectations of privacy." EPIC also urged the Court to recognize that a modern car collects vast troves of personal data and "make little distinction between driver and occupant, those on a rental agreement and those who are not." EPIC routinely participates as amicus curiae in cases before the Supreme Court, such as in United States v. Microsoft Corp., Dahda v. United States, and United States v. Jones.
CLOUD Act Enacted, Allows Law Enforcement Access to Data Stored Abroad » (Mar. 26, 2018)
President Trump has signed the CLOUD Act, requiring internet companies to hand over personal data to U.S. law enforcement agencies, no matter where that data is stored. The Act also allows the executive branch to create agreements with foreign countries to provide direct access to personal data stored in the United States. EPIC submitted an amicus brief in United States v. Microsoft arguing that law enforcement access to data abroad should be resolved by international consensus and comply with human rights norms. Many organizations and privacy experts have endorsed the Madrid Privacy Declaration, which would establish international protections for personal data.
EPIC Amicus: Supreme Court Divided Over Microsoft Stored Communications Case » (Feb. 28, 2018)
This week, the Supreme Court heard arguments in United States v. Microsoft Corps., a case concerning law enforcement access to personal data stored in Ireland. The Court appeared divided during the argument, but both Justice Ginsburg and Justice Alito appeared to agree that Congress and not the Court was better positioned to find a solution. In an amicus brief, EPIC urged the Supreme Court to respect international privacy standards. EPIC wrote, the "Supreme Court should not authorize searches in foreign jurisdictions that violate international human rights norms." EPIC cited important cases from the European Court of Human Rights and the European Court of Justice. EPIC warned that "a ruling for the government would also invite other countries to disregard sovereign authority." EPIC has long supported international standards for privacy protection, and EPIC has urged U.S. ratification of the Council of Europe Privacy Convention. EPIC routinely participates as amicus curiae in privacy cases before the Supreme Court, most recently in Carpenter v. United States (privacy of cellphone data), Byrd v. United States (searches of rental cars), and Dahda v. United States (wiretapping).
In Supreme Court Brief, EPIC Backs International Privacy Standards » (Jan. 18, 2018)
EPIC has filed an amicus brief in United States v. Microsoft, a case before the US Supreme Court concerning law enforcement access to personal data stored in Ireland. EPIC urged the Supreme Court to respect international privacy standards and not to extend U.S. domestic law to foreign jurisdictions. EPIC wrote, the "Supreme Court should not authorize searches in foreign jurisdictions that violate international human rights norms." EPIC cited important cases from the European Court of Human Rights and the European Court of Justice. EPIC has long supported international standards for privacy protection, and EPIC has urged U.S. ratification of the Council of Europe Privacy Convention. EPIC routinely participates as amicus curiae in privacy cases before the Supreme Court, most recently in Carpenter v. United States (privacy of cellphone data), Byrd v. United States (searches of rental cars), and Dahda v. United States (wiretapping).

Summary

The Supreme Court has agreed to review an important case concerning the search and seizure of personal data stored outside the United States. The case raises the question of whether the Stored Communications Act, 18 U.S.C. § 2703, authorizes a court in the United States to order a service provider to produce personal data stored abroad. The lower court held that Congress did not intend the SCA’s warrant provision to apply to data stored outside the United States, and the Supreme Court has agreed to review the case. The warrant under review was issued to Microsoft in 2013, but the company challenged on the grounds that the e-mails sought under the warrant were stored on its servers in Dublin, Ireland.

Question Presented

Given the presumption against applying federal law in other countries and the Government’s concession that Congress did not intend to apply the Stored Communications Act outside the United States, are private electronic communications stored in Ireland outside the scope of the Stored Communications Act’s interlocking provisions?

Background

This case arises from a criminal investigation into a drug-trafficking case in December 2013. A magistrate judge in the U.S. District Court for the Southern District of New York issued a warrant under the Stored Communications Act (SCA) ordering Microsoft to produce all emails and information associated with a certain account. Some information was held on Microsoft’s United States servers; however, the emails themselves were stored on a server in Dublin, Ireland. In response to the warrant, Microsoft complied with providing the account information but moved to quash the order to produce the emails. Microsoft argued that the court does not have authority to issue a warrant for electronic communications stored abroad under the SCA.

Procedural History

U.S. District Court for the Southern District of New York

On December 18, 2013, Microsoft moved to quash the warrant requiring production of electronic communications stored abroad. In May 2014, a federal magistrate judge denied Microsoft’s motion to quash the warrant. The judge ordered Microsoft to turn over the emails, reasoning that unlike a typical warrant, an SCA warrant is similar to a subpoena. Courts have previously held that companies can be required to produce overseas business records in response to a subpoena. The court reasoned that, because Microsoft had control over the material outside of the U.S., it must comply with the subpoena-like SCA warrant.

Microsoft sought review in the District Court of the Southern District of New York, which upheld the magistrate judge’s ruling and issued a civil contempt order against Microsoft for failure to comply with the warrant. Microsoft appealed the district court’s order to the Second Circuit.

U.S. Court of Appeals for the Second Circuit

On appeal, a three-judge panel unanimously reversed the lower court’s ruling, vacated the contempt order, and ordered the lower court to quash the warrant “insofar as it demands user content stored outside of the United States.” The court relied heavily on the Supreme Court’s ruling in Morrison v. National Australian Bank Ltd., 561 U.S. 247 (2010), affirming the “longstanding principle of American law that legislation of Congress, unless a contrary intent appears, is meant to apply only within the territorial jurisdiction of the United States.” The Second Circuit found that Congress did not intend for the warrant provisions in the SCA to apply outside the United States. The SCA’s use of the term “warrant” suggested a domestic application and the primary focus of the SCA was to protect the privacy of users of electronic services.

The Irish government and a number of other organizations and individuals filed amicus briefs in support of Microsoft in the Second Circuit.

The U.S. government filed a petition for rehearing en banc, which was denied in January 2017, by a split vote (4-4) of the Second Circuit.

Supreme Court of the United States

Following the denial of rehearing en banc, the U.S. Department of Justice filed a Petition for a Writ of Certiorari in the U.S. Supreme Court. In the Petition, the Government argued against the Second Circuit’s interpretation of the SCA. The Government argued that the issuance of a warrant ordering Microsoft to turn over e-mails is “a domestic application” of the SCA, and that Congress enacted the SCA “against the background principle that subpoena recipients must produce all records within their control.” The Government also argued that the Second Circuit’s rule would be “impractical and detrimental to law enforcement” and that the use of the SCA to obtain user data stored abroad would respect “the United States’ international obligations.” The Supreme Court granted the Petition on October 16, 2017, and will hear the case in 2018.

EPIC's Interest

Promotion of International Privacy Norms

EPIC has vigorously supported international privacy norms. In 2010, 29 members of the EPIC advisory Board wrote to then Secretary Hillary Clinton, urging US ratification of Council of Europe Convention 108 (the "Privacy Convention"). EPIC stated, "The protection of privacy is a fundamental human right. In the 21st century, it may become one of the most critical human rights of all." An adverse decision by the Supreme Court in the Microsoft case could undermine efforts to establish an international framework for data protection.

EPIC also express support for the Madrid Declaration, a substantial document that reaffirms international instruments for privacy protection, identifies new challenges, and calls for concrete actions. Among other points, the Madrid Declaration calls for "the establishment of a new international framework for privacy protection, with the full participation of civil society, that is based on the rule of law, respect for fundamental human rights, and support for democratic institutions."

EPIC recently supported a Common Position on Standards for data protection and personal privacy in cross-border data requests for law enforcement purposes of the International Working Group (IWG). The Common Position is intended to offer recommendations to the existing legal framework and current activities governing law enforcement access to cross-border data. The recommendations ensure that any cross-border law enforcement data requests accord with international human rights norms.

EPIC joined the European Digital Rights (EDRI) in a statement to the Council of Europe regarding criminal investigations. The "Global Civil Submission" endorses human rights principles and data protection standards for transnational data transfers. Several years ago, EPIC opposed the U.S. ratification of the Convention of Cybercrime citing its sweeping expansion of law enforcement authority.

EPIC also participated as amici in one of the most important international privacy cases in recent history. In Schrems v. Data Protection Commissioner, an Austrian privacy advocate, Max Schrems, challenged the transfer of his data (and the data of EU citizens' generally) to the United States by Facebook, which is incorporated in Ireland. The first Schrems case (Schrems I) led the Court of Justice of the European Union to invalidate the Safe Harbor arrangement, which governed data transfers between the E.U. and the U.S. After that case was remanded to the Irish data protection authority, the Commissioner filed a second suit (Schrems II) in the Irish High Court to determine whether the "standard contractual clauses" used by Facebook to authorize the transfer of personal data to the U.S. post-Safe Harbor provide adequate protection for E.U. citizens. EPIC was selected by the Irish High Court to provide an amicus submission in Schrems II to "counterbalance" the submission of the U.S. Government. EPIC provided a detailed assessment of U.S. privacy law, and the Court ultimately found insufficient legal protections for the transfer of data to the United States.

Related EPIC ECPA Amicus Briefs

EPIC also has an interest in the privacy and security of communications that are transmitted domestically and abroad. The primary form of electronic communication is e-mail. Unlike at the time the Electronic Communications Privacy Act was passed in 1986, the majority of e-mail is now stored and accessible remotely in cloud-based services. Yet protecting the privacy of e-mail messages, as EPIC has noted in the past, is still one of the core purposes of ECPA.

EPIC filed an amicus brief in Jennings v. Broome, a case concerning the scope of protections for stored e-mail under ECPA. EPIC argued that given the central importance of e-mail to our economic and social activities, it is critical to clarify the application of current electronic privacy rules. Furthermore, “privacy protection enables the free exchange of ideas as well as the growth of online commerce;” thus, the “Court needs to act to provide clarity in the application of federal privacy law to digital communications.”

In United States v. Councilman, a case involving a criminal prosecution under the Wiretap Act for interception of e-mail. EPIC joined a coalition of civil liberties organizations in an amicus brief authored by Professor Orin Kerr. EPIC argued that an email can be simultaneously in “electronic storage” and subject to interception under the Wiretap Act. Several EPIC advisory board members who are technical experts and leading authorities on Internet architecture, email communications, and computer privacy also filed an amicus brief in Councilman, arguing that “ECPA was intended to deal precisely with the improper capture of information by one party that is intended solely for delivery to other(s) . . . .” Senator Patrick Leahy, one of the authors of ECPA, also filed an amicus brief in the case arguing that the definition of “electronic storage” was “designed to distinguish the SCA from ordinary computer crime statutes covering unauthorized system access unrelated to the communications process,” and that the definition should not “cast doubt upon Title III’s protection of electronic communications” during the transmission phase.

EPIC also filed an amicus brief in Bunnell v. MPAA, a civil wiretap act case involving a question substantially similar to that in Councilman. EPIC’s brief argued that Congress added “electronic storage” to the definition of wire communications to expand protections for voicemail, not to lessen protections for stored e-mail.

Legal Documents

United States Supreme Court, No. 16-402

Merits Stage

• Per Curiam Opinion (Apr. 17, 2018)
• Transcript of Oral Argument
• Brief for Petitioner United States
• Joint Appendix
• Brief for Respondent Microsoft
• Briefs of Amici Curiae in Support of Petitioner United States
• States of Vermont, et al. Amicus Brief
• Briefs of Amici Curiae in Support of Neither Party
• U.N. Special Rapporteur on the Right to Privacy Joseph Cannataci
• Former Law Enforcement, national Security, and Intelligence Officials Amicus Brief
• The European Commission on Behalf of the European Union Amicus Brief
• The New Zealand Privacy Commissioner Amicus Brief
• The Government of the UK of Great Britain and Northern Ireland Amicus Brief
• E-Discovery Institute et al. Amicus Brief
• Ireland Amicus Brief

• Briefs of Amici Curiae in Support of Respondent Microsoft
• Electronic Privacy Information Center (EPIC) and Thirty-Seven Technical Experts and Legal Scholars Amicus Brief
• Bundesverband der Deutschen Industrie e.V., Deutscher Industrie- und Handelskammertag e.V., Ibec clg, Konfederacja Lewiatan, and Mouvement des Enterprises de France Amicus Brief
• 51 Computer Scientists Amicus Brief
• The Competitive Enterprise Institute, CATO Institute, TechFreedom, Reason Foundation, and American Consumer Institute Center for Citizen Research Amicus Brief
• The Council of Bars and Law Societies of Europe Amicus Brief
• Members of Congress Amicus Brief
• International and Extraterritorial Law Scholars Amicus Brief
• 12 Business and Consumer Associations Amicus Breif
• EU Data Protection and Privacy Scholars Amicus Brief
• The Reporters Committee for Freedom of the Press and 40 Media Organizations Amicus Brief
• The Police Project at New York University School of Law Amicus Brief
• Technology Companies Amicus Brief
• Jan Philipp Albrecht, Sophie in't Veld, Viviane Reding, Birgit Sippel, and Axel Voss, Members of the European Parliament Amicus Breif
• DigitalEurope, Bitkom Tech in France, Syntec Numérique, and Other European National Trade Organizations Amicus Brief
• International Business Machines Corporation Amicus Brief
• Privacy International, Human and Digital Rights Organizations, and International Legal Scholars Amicus Brief
• European Company Lawyers Association Amicus Brief
• Brennan Center for Justice at NYU School of Law, American Civil Liberties Union Foundation, Electronic Frontier Foundation, Restore the Fourth, Inc. and R Street Institute Amicus Brief
• Washington Legal Fondation Amicus Brief
• Fourth Amendment Scholars Amicus Brief
• InternetLab Law and Technology Center Amicus Brief
• United States Motion to Vacate
• Microsoft Corp. Response to Motion to Vacate

Petition Stage

• Petition for a Writ of Certiorari
• Brief of Respondent Microsoft Corporation in Opposition
• Reply Brief of Petitioner
• The States of Vermont, et al. Amicus Brief

U.S. Court of Appeals for the Second Circuit, No. 14-2985

• In re: Microsoft Corp., 829 F.3d 197 (2nd Cir. 2016)
• Brief of Petitioner Microsoft
• Brief of Respondent United States
• Reply Brief of Microsoft
• Briefs of Amici Curiae in Support of Microsoft
  • Ireland Amicus Brief
  • Jan Philipp Albrecht, Member of the European Parliament Amicus Brief
  • U.S. Chamber Amicus Brief
  • Digital Rights Ireland Limited, Liberty, and the Open Rights Group Amicus Brief
  • Amazon and Accenture Amicus Brief
  • AOL Amicus Letter
  • Media Organizations Amicus Brief
  • Brennan Center for Justice at NYU School of Law, et al. Amicus Brief
  • Anthony Colangelo
  • Computer and Data Science Experts Amicus Brief
  • Apple Amicus Brief
  • Verizon Communications Inc., et al. Amicus Brief
  • AT&T, et al. Amicus Brief
• Briefs of Amici Curiae in Support of Neither Party
• The Government of the UK of Great Britain and Northern Ireland Amicus Brief
• Briefs of Amici Curiae in Support of United States

U.S. District Court for the Southern District of New York, No. 12-20218

• In re: Microsoft Corp., 15 F. Supp. 3d 466 (S.D.N.Y. 2014)

Resources

EPIC Resources

• EPIC Amicus: Schrems v. Data Protection Commissioner
• EPIC Amicus: Jennings v. Broome
• EPIC Amicus: United States v. Councilman

News

• Lawrence Hurley, U.S. government seeks end to Supreme Court privacy fight with Microsoft, Reuters (Mar. 31, 2018)
• Greg Stohr, Justice Department asks court to drop Microsoft email case, Bloomberg (Mar. 31, 2018)
• Rachel Lerman, Congress' budget bill could end Microsoft's Supreme Court case, The Seattle Times (Mar. 22, 2018)
• Greg Stohr and Ben Brody, Tech companies applaud measure to clarify U.S. access to data, Bloomberg Technology (Mar. 22, 2018)
• Ericka A. Johnson, The CLOUD Act, bridging the gap between technology and the law, The National Law Review (Mar. 19, 2018)
• Nina Totenberg, Court Seems Unconvinced of Microsoft's Argument To Shield Email Data Stored Overseas, National Public Radio (Feb. 27, 2018)
• Pete Williams, Supreme Court seems set to rule against Microsoft in email privacy case, NBC News (Feb. 27, 2018)
• Selena Larson and Lydia DePillis, Microsoft argues data privacy case is one for Congress to decide, CNN (Feb. 27, 2018)
• Craig A. Newman, Can the United States Search Data Overseas?, The New York Times (Feb. 26, 2018)
• Julia Fioretti, Europe seeks power to seize overseas data in challenge to tech giants, Reuters (Feb. 26, 2018)
• Matthew Kahn, Microsoft-Ireland Oral Argument Preview: Will the Supreme Court Stave Off Data Localization?, Lawfare (Feb. 26, 2018)
• Richard Wolf, U.S., Microsoft fight over access to digital data stored overseas reaches Supreme Court, USA Today (Feb. 22, 2018)
• Ben Brody, Tech giants back U.S. bill governing cross-border data searches, Bloomberg (Feb. 6, 2018)
• Ariel Bogle, Could US warrants access Australian data? Microsoft case worries privacy advocates, ABC (Jan. 18, 2018)
• Moritz Koch and Dietmar Neuerer, German politicians slam US data gran in Microsoft feud, Handelsblatt Global (Jan. 16, 2018)
• Heather Sussman, Rohan Massey, Kevin Angle, Michele Goldman and Patrick Reinikainen, Global perspectives on high court Microsoft warrant case, Law360 (Jan. 10, 2018)
• Kilpatrick Townsend & Stocktown LLP, US v. Microsoft litigation provides the Supreme Court with a rare opportunity to further clarify and define the role of comity in international discovery disputes, Lexicology (Jan. 3, 2018)
• Jennifer Daskal, Supreme Court take heed: briefs raise conflict of laws issue in Microsoft Ireland, Just Security (Dec. 18, 2017)
• Elaine Edwards, Government files submission in Microsoft warrant case, The Irish Times (Dec. 13, 2017)
• Karlin Lillington, Ireland risks shooting itself in the foot in crucial Microsoft email case, The Irish Times (Dec. 10, 2017)
• Jennifer Daskal, Why Microsoft Challenged the Right Law: A Response to Orin Kerr, Just Security (Dec. 8, 2017)
• Orin Kerr, 'Microsoft Challenged the Wrong Law. Now What?', The Washington Post (Dec. 4, 2017)
• Jennifer Daskal, There’s no good decision in the next big data privacy case, The New York Times (October 18, 2017)
• Matthew Larosiere, How a 31-year-old law is threatening your privacy online, Washington Examiner (October 18, 2017)
• Brad Smith, US Supreme Court will hear petition to review Microsoft search warrant case while momentum to modernize the law continues in Congress, The Official Microsoft Blog (October 16, 2017)
• Robert Barnes, Supreme Court to consider major digital privacy case on Microsoft email storage, The Washington Post (October 16, 2017)
• Allison Grande, Privacy fights to watch at the Supreme Court, Law360 (September 29, 2017)