Another front recently emerged in the legal battle over whether US law enforcement authorities can use a search warrant issued under the Stored Communications Act (SCA) to obtain data stored overseas. Until now, the battle has been focused in New York, where Microsoft filed a challenge in December 2013 to an SCA warrant for an Outlook.com e-mail account stored on a server in Ireland. Last summer, the US Court of Appeals for the Second Circuit sustained Microsoft’s challenge, holding that the use of an SCA warrant to obtain data stored overseas would constitute an impermissible extraterritorial application of the statute. On January 24, 2017, the Second Circuit declined to rehear the case en banc. It remains to be seen whether the Government will petition the Supreme Court to hear the case.
For the moment, however, the action has shifted to Philadelphia, where Google is litigating a similar issue. On February 3, 2017, US Magistrate Judge Thomas J. Rueter of the Eastern District of Pennsylvania issued a decision compelling Google to comply with search warrants issued under the SCA for two separate Google accounts. Google initially refused to comply fully with the warrants, relying on the Second Circuit’s decision in the Microsoft case. Because the data associated with the two Google accounts at issue is distributed across multiple servers in a variety of jurisdictions, Google sought to comply with the Microsoft ruling by turning over only the account data stored on servers located in the United States, while withholding any account data stored on servers abroad. Judge Rueter, however, disagreed with the reasoning of the Second Circuit’s decision in the Microsoft case—which was not binding on him, as Philadelphia sits within the Third Circuit—and ordered Google to produce all of the account data in response to the warrants, regardless of its physical location.
Specifically, Judge Rueter disagreed with the Second Circuit’s conclusion that applying an SCA warrant to electronic data stored overseas constitutes an extraterritorial application of the SCA. In its decision, the Second Circuit held that the application of the SCA occurs at the location where the user’s data is stored. The court reasoned that the storage location is where the provider, on the Government’s behalf, “seizes” the data, and thereby invades the user’s privacy interest—which the court found to be the “focus” of the statute. While Judge Rueter assumed for purposes of his opinion that user privacy is the focus of the SCA, he disagreed with the Second Circuit that the location of a user’s data is relevant to that focus.
In so holding, Judge Rueter rejected the idea that a provider’s collection of data from an overseas server constitutes a “seizure.” As he put it: “Electronically transferring data from a server in a foreign country to Google’s data center in California does not amount to a ‘seizure’ because there is no meaningful interference with the account holder’s possessory interest in the user data.” Indeed, Judge Rueter noted that Google regularly transfers user data from one data center to another, without the customer’s knowledge, and without any apparent impact on user privacy. What mattered for privacy purposes, Judge Rueter held, was not the provider’s collection of the data, but its disclosure to, and review by, the Government. In his view, the account holder’s privacy is not actually invaded until “Google produces the electronic data in accordance with the search warrants and the Government views it”—which “will occur in the United States.” Thus, Judge Rueter found that requiring Google to disclose the electronic data “involve[s] a permissible domestic application of the SCA, even if other conduct (the electronic transfer of data) occurs abroad.”
Judge Rueter also found no reason to believe that requiring Google to comply with the warrants would cause any conflict with the laws of any foreign country or otherwise pose risks to international comity. Again relying on his conclusion about the locus of the “search” authorized by the warrants, Judge Rueter opined that “[n]o foreign nation’s sovereignty will be interfered with in any ascertainable way at the time the two warrants are executed because the searches will be conducted in the United States.” Notably, Judge Rueter found that, even if the foreign location of the account data did implicate foreign sovereignty, it would be impossible in any event to determine which foreign country’s sovereignty would be affected, due to the way that Google stores its data. Importantly, unlike the Outlook.com account stored on an Irish server in the Microsoft case, Google does not store its account data in one discrete place. Rather, Google accounts are broken up into “shards” that are often stored in different locations (including different countries) at the same time. Google frequently and automatically moves these shards around from one location to another for load-balancing reasons. Indeed, Google asserted in the case that it does not even “currently have the capability, for all of its services, to determine the location of particular account data and to produce that data to a human user at a particular point in time.” Accordingly, Judge Rueter rejected the notion that there was any tangible risk to international comity on these facts.
In a similar vein, Judge Rueter also found that quashing the warrant and forcing the Government to seek the account data from foreign governments through the MLAT process would lead to “absurd results.” The judge noted that the MLAT process can be “slow and laborious” in the normal course, but “Google’s architecture creates an insurmountable obstacle” to using MLATs to obtain its data. Because the “shards” composing a Google account regularly change location, the Government would have no way to know which countries to serve with MLATs in order to obtain the account data. Moreover, even if certain “shards” could be located and collected, each one by itself is a “piece of coded gibberish” that is useless unless combined with all the other constituent parts of the account. Hence, Judge Rueter found that, unless the warrants were enforced, it would be impossible as a practical matter for the Government to collect the evidence at issue.
This case shows how the Microsoft decision can have different implications for different providers depending on their respective data storage practices. Whereas some providers, like Microsoft, store user content in a single location correlated to the user’s physical location, other providers, like Google, base their data storage on other models and other factors. Issues of international comity and the practicality of using MLATs may play out in quite disparate ways based on those variations. Judge Rueter’s opinion also provides a new counterpoint to the Microsoft decision and creates the potential for a circuit split. That could be a factor in determining whether and how soon the Supreme Court takes up the issue.
