Microsoft Corp. v. United States

Microsoft Corp. v. United States, known on appeal to the U.S. Supreme Court as United States v. Microsoft Corp., 584 U.S. ___, 138 S. Ct. 1186 (2018), was a data privacy case involving the extraterritoriality of law enforcement seeking electronic data under the 1986 Stored Communications Act (SCA), Title II of the Electronic Communications Privacy Act of 1986 (ECPA), in light of modern computing and Internet technologies such as data centers and cloud storage.

In 2013, Microsoft challenged a warrant by the Federal Bureau of Investigation (FBI) to turn over emails of a target account stored in Ireland, arguing that a warrant issued under Section 2703 of the Stored Communications Act could not compel American companies to produce data stored in servers outside the United States. Microsoft initially lost in the Southern District of New York, with the judge stating that the nature of the Stored Communication Act warrant, as passed in 1986, was not subject to territorial restrictions. Microsoft appealed to the United States Court of Appeals for the Second Circuit, who found in favor of Microsoft by 2016 and invalidated the warrant. In response, the United States Department of Justice appealed to the Supreme Court of the United States, which decided to hear the appeal.

While the case was pending in the Supreme Court, Congress passed the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which amended the SCA to resolve concerns from the government and Microsoft related to the initial warrant. The Supreme Court, following agreement from both the government and Microsoft, determined the passage of the CLOUD Act and a new warrant for the data filed under it made the case moot and vacated the Second Circuit's decision.

Background
As part of the investigation into a drug-trafficking case in December 2013, a United States magistrate judge in the United States District Court for the Southern District of New York issued a warrant under the Stored Communications Act of 1986 (SCA) requiring Microsoft to produce all emails and information associated with an account they hosted. While the information was held on Microsoft's United States servers, the emails were stored on a server in Dublin, Ireland, one of numerous servers Microsoft operates located around the world.

Microsoft complied with providing the account information but refused to turn over the emails, arguing that a U.S. judge has no authority to issue a warrant for information stored abroad. Microsoft moved to vacate the warrant for the content held abroad on December 18, 2013. In May 2014, a federal magistrate judge, reviewing the history of the SCA (which had not been amended since its passage), disagreed with Microsoft and ordered it to turn over the emails, reasoning that unlike a typical warrant, SCA warrants function as both a warrant and a subpoena, and thus are not restricted by territorial constraints. The magistrate judge considered that Microsoft had control of the material outside the United States, and thus would be able to comply with the subpoena-like nature of the SCA warrant.

Microsoft appealed to a federal District Judge. The district court upheld the magistrate judge's ruling, requiring Microsoft to provide the emails in full.

Second Circuit opinion
Microsoft then appealed to the Second Circuit. Several United States–based technology companies, publishers, and individuals submitted amicus briefs supporting Microsoft's position. The Irish government also filed a brief in support of neither party. The Irish government considered that the U.S. government's action violated both the European Union's Data Protection Directive and Ireland's own data privacy laws, and maintained the emails should be disclosed only on request to the Irish government pursuant to the long-standing mutual legal assistance treaty (MLAT) between the U.S. and Ireland formed in 2001; the government offered to consider such a request in an expedited manner for this case. Jan Philipp Albrecht of the European Parliament filed an amicus brief in support of Microsoft, stating that should the court grant execution of the warrant, it could "extend the scope of this anxiety to a sizable majority of the data held in the world's data centers outside the U.S.".

In the appeal to the Second Circuit, the three-judge panel unanimously overturned the lower court's ruling in July 2016, and invalided the government's warrant. The panel primarily focused on the extraterritoriality of the SCA, using a two-pronged test. Circuit Judge Susan L. Carney wrote the opinion of Court with District Court Judge Victor A. Bolden. Circuit Judge Gerard E. Lynch wrote a concurring opinion. The court relied heavily on the United States Supreme Court's 2010 ruling in Morrison v. National Australia Bank that the "longstanding principle of American law that legislation of Congress, unless a contrary intent appears, is meant to apply only within the territorial jurisdiction of the United States" applies in all cases. The Second Circuit found no mention of extraterritorial application in the SCA nor in its legislative history. The court said the SCA's use of the term "warrant", as a term-of-art, suggested a specific territory. It also concluded that the primary focus of the SCA was protecting the privacy of users of electronic services.

In his concurrence, Judge Lynch noted that there was nothing in the record to indicate whether the owner of the e-mails being sought was a U.S. citizen or resident. He agreed with the government that the term "warrant" only implied the need for issuance under Fourth Amendment standards, rather than suggesting it was a search warrant with a specific place. He also noted that Microsoft chose to store the e-mails in Ireland based on the account holder's unverified statement of residence and on Microsoft's business interest in minimizing network latency. No one disputed that if Microsoft had chosen to store the emails in the U.S., the warrant would have been valid. While he agreed with the majority that the presumption against extraterritoriality, as clarified in Morrison, was decisive in this case, he did not believe it to be an optimal policy outcome and called on Congress to clarify and modernize the SCA.

The U.S. government filed a petition for an en banc rehearing by the Second Circuit in October 2016. In January 2017, the full court split 4–4 on a vote to rehear the case, leaving in place the judgment in favor of Microsoft. Circuit Judge Jose Cabranes, who wrote in dissent, wrote that the held decision "has substantially burdened the government's legitimate law enforcement efforts; created a roadmap for the facilitation of criminal activity; and impeded programs to protect the national security of the United States and its allies", and called on a higher court or the U.S. Congress to rectify the outdated language of the SCA.

Separately from its appeal, the U.S. Government has had at least one other ruling in its favor, and specially against the decision of the Second Circuit Court, for similar extraterritorial requests under the SCA. In February 2017, federal magistrate judge, presiding over a district court within the Third Circuit, ruled that Google must comply with a government warrant to turn over data from foreign servers. The magistrate judge rejected Google's reliance on the current standing from the Microsoft case, and stated in his opinion that the scope of the invasion of privacy for the case was entirely within the United States, and not where the electronic transfer of the data occurs, making the SCA warrant enforceable.

Supreme Court
The U.S. Department of Justice filed an appeal with the Supreme Court in June 2017. Deputy Solicitor General Jeffrey Wall argued that the Second Circuit's order has led Microsoft, Google, and Yahoo! to deny law enforcement officials with requested information stored on servers outside the United States, hampering numerous criminal investigations. The department was joined by 33 states in support. Microsoft argued that the Court should not take the case, and instead that Congress should deal with updating the language of the outdated 1986 law.

The Supreme Court granted certiorari in October 2017. The case, United States v. Microsoft Corp., was heard by the Court on February 27, 2018, with a ruling originally expected by the end of the Court's term in June 2018.

While the case was being decided by the Supreme Court, Congress introduced the Clarifying Lawful Overseas Use of Data Act ("CLOUD Act") shortly after the oral hearings. Among other provisions, the CLOUD Act modified the SCA to specifically include cloud storage considerations of communication providers in the United States regardless of where the cloud servers may be located. The bill was supported by both the DOJ and Microsoft. In March 2018, Congress passed the CLOUD Act as part of an omnibus government spending bill, which was signed into law by President Donald Trump on March 22. By the end of March, the DOJ had issued a request for a new warrant for the original emails from the 2013 investigation under the new authority granted by the CLOUD Act, and no longer seeking resolution of the original warrant. It also requested that the Court vacate the case and remand it back to the Second Circuit, where the matter could then be rendered moot due to the passage of the CLOUD Act. Microsoft agreed with the DOJ's position. On April 17, 2018, the Court issued a per curiam opinion stating that the case was rendered moot and vacating and remanding the case back to the lower courts to dismiss the lawsuit.