In 2013, the United States issued a search warrant for emails in the possession of its target’s data storage provider, which in this case was Microsoft. A typical day for law enforcement, except Microsoft stored this client’s data in Ireland. Faced with complying with a warrant from the United States or violating the laws of Ireland by complying, Microsoft refused. Microsoft’s reasoning was simple: It’s a well-established legal principle that U.S. statutes apply only in U.S. territory unless the law in question explicitly provides otherwise.
Nearly five years later, that case is slated to come to the Supreme Court, with oral arguments set to begin later this month. An unlikely group has assembled behind Microsoft’s position in the case. Our members of Congress have taken the same position as their counterparts in the European Parliament, the ACLU, and even Fox News. Somehow, the European Commission, the U.S. Chamber of Commerce, and other large business groups are all on the same page as consumer advocates.
The law in question—the Electronic Stored Communications Act—does not provide for extraterritorial warrants. Last year, a federal appeals court agreed. The statute, the court determined, does not provide U.S. authorities with the ability to issue a warrant compelling Microsoft to disclose emails stored outside the United States.
The Electronic Stored Communications Act, which was passed in 1986, made sense in an era of phone booths, floppy disks, and music sold on cassette tapes. Back then, the idea that someone in the United States would casually and routinely store data in other countries, like Ireland, was cost prohibitive. But today, much of our data is stored in the cloud via a network of remote servers spread throughout the world that allows us to access data from anywhere with an internet connection.
As Microsoft notes in its brief to the Supreme Court for their upcoming oral arguments, trust in U.S.-based firms “will evaporate entirely the moment this Court directs that U.S. companies must disclose emails stored in foreign nations when doing so would violate the data-privacy laws of those nations.”
For the courts to suddenly rewrite the basic meaning and scope of statutes would undermine our allies’ faith in the stability of U.S. laws. To paraphrase the author of The Death of Common Sense, Phillip Howard, legislation by courts is too rigid and doesn’t account for the need to adjust to particular circumstances.
Such things are not for the courts to decide, but rather for Congress. Further, if the Court does declare new legislation via the bench, then foreign nations can demand that U.S. firms storing data overseas also hand over client data. If the United States can do it by judicial fiat, why can’t everyone? As Microsoft asks in its brief, what would stop the Chinese government from demanding that a Chinese company hand over a journalist’s data stored in the United States?
The lawyers representing Microsoft are entirely correct in their assessment that the forum for this debate should not be in the courts but in Congress. ECPA’s scope simply does not extend to Ireland. If Congress wanted U.S. warrants under ECPA to extend to foreign nations, it surely would have said so.
In fact, Ireland, the United Kingdom, the European Commission, New Zealand’s Privacy Commissioner, and the United Nation Special Rapporteur are all responsible for the avalanche of amicus briefs submitted in support of Microsoft’s position to the Supreme Court. This diverse group of stakeholders is encouraging the court to decline to rewrite the law and for Congress to step up and do its job: legislate.
Every country has its own laws on privacy and electronic storage, so what is legally required in nation A might be explicitly prohibited in nation B. This leads to companies, not Congress, having to choose between disregarding a court order from one nation and violating the privacy laws of another, all the while throwing customers overboard with ad hoc decisions.
In this case, the U.S. government did not elect to utilize the bilateral Mutual Legal Assistance Treaty (MLAT) between the United States and Ireland, which was designed for instances such as this one. Instead, the government waived its right under an existing MLAT in favor of obtaining a warrant. The fact that the law is not equipped for this doesn’t give the government the prerogative to invent another law nor does it allow the courts to do so. A law allowing for such warrants may or may not be a desirable policy, but there’s a sound reason for why the appeals court ruled against the government’s position on existing law: It is incorrect.
Congress is now acting on the issue. Earlier this week, Senator Orin Hatch introduced the Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018. The CLOUD Act addresses the exact issues facing the court in this case. The bill would ensure that American law protects Americans wherever their data is hosted and it would institute a process for tech companies to seek court reviews of warrants that may generate legal conflicts with countries that have bilateral agreements with the U.S. Furthermore, since the CLOUD act is directly on point with the controversy before the court, the Department of Justice is expected to drop the case if it’s passed, a perfect example of the three branches of government working under their respective Constitutional authorities.
This dovetails perfectly with what appellate court Judge Gerard E. Lynch noted:
I believe even more strongly that the statute [ECPA] should be revised, with a view to maintaining and strengthening the Act’s privacy protections, rationalizing and modernizing the provisions permitting law enforcement access to stored electronic communications and other data where compelling interests warrant it, and clarifying the international reach of those provisions after carefully balancing the needs of law enforcement (particularly in investigations addressing the most serious kinds of transnational crime) against the interests of other sovereign nations.
With global communications and storage assets being used in criminal activity ranging from money laundering to human trafficking, Congressional action on this issue has garnered a wide range of supporters. Writing to key Capitol Hill leaders on the issue, organizations led by Americans for Tax Reform, the Small Business & Entrepreneurship Council, and Citizens Against Government Waste called for an update to existing legislation from over 30 years ago, “which has been eclipsed by technology its authors could not foresee.”
If Congress wishes for such changes, it should pass the CLOUD Act -especially because addressing these issues through legislation would offer ample time for global stakeholders and U.S. domestic companies to weigh in on the issue. Additionally, as Sen. Hatch noted in his speech introducing the CLOUD Act, “No matter how the Court rules, however, problems will remain. Either law enforcement will lack the ability to obtain in a timely manner email and documents in the cloud that are stored overseas, or providers will find themselves caught between conflicting domestic and foreign laws.”
Ultimately, as the Constitution requires, Congress rather than the courts ought to write our laws and the CLOUD Act is the only piece of legislation under consideration that can resolve the issues at hand and prevent the act of legislation from the bench that would likely ensue if Microsoft’s case proceeds.