Microsoft Stands Up in Court for European Privacy Rights?

by Latham & Watkins LLP
Contact

A Stored Communications Act (SCA) search warrant case arising out of a New York federal  narcotics trafficking investigation is being closely watched by EU data protection authorities, privacy advocates, multinational internet service providers, and law enforcement, among others, as the  parties pursue an expedited appeal to the Second Circuit Court of Appeals. Captioned In re Search Warrant, No. 13 Mag. 2814, M9-150, the case involves  a U.S. law enforcement request for the contents of an Outlook.com email box, stored in Microsoft’s Dublin, Ireland data center. On September 8,  2014,  Microsoft elected to submit its opening brief on December 8, 2014, meaning that the case will likely be briefed and argued in early 2015, on an expedited schedule.

It has evolved into a test case under the SCA of whether a government can assert a right to digital content wherever in the world it is stored, based upon service of a warrant or other request on the internet service provider which hosts the data.  Diplomatic and competitive business tensions are already high in this area, following the Edward Snowden and other revelations about government interception and surveillance of electronic communications.  On the eve of the Labor Day holiday, Microsoft perhaps signaled another front in the dialogue with a series of advertisements more likely targeting legislative or other policymakers.

As a threshold matter, search warrants or other valid law enforcement requests for the contents of electronic communications are of course an unexceptional, accepted feature of narcotics trafficking and other criminal investigations in the United States and elsewhere.  In the United States, under the Stored Communications Act, in order to obtain the contents of an email, law enforcement must file an affidavit with a federal judge, demonstrating probable cause that a crime has been committed, and the federal  judge rules on the request.  This procedure was followed here, but the similar provisions of Irish law (requiring an Irish judge to review the factual basis of the request and order compliance) were not. 

The government’s election to press Microsoft directly for the emails, rather than following the (non-exclusive) bilateral process laid out in the Mutual Legal Assistance Treaty between the US and Ireland is at the root of the controversy.  The MLAT process would have triggered local Irish legal scrutiny of the legitimacy of the request.  Bypassing that (admittedly discretionary process) has now raised very difficult questions of who owns  the Outlook.com email contents, international comity and extraterritorial application of US law.  These are the issues that will now be briefed and decided by the Second Circuit or perhaps, ultimately be resolved through legislative action.

The case involves a December 2013 search warrant issued to Microsoft Corporation for data, including mailbox contents, associated with a free consumer Outlook.com email account, signed last April by a magistrate judge in the Southern District of New York.  While certain subscriber data was turned over immediately upon receipt of the warrant, the emails in question were not, because they are stored on Microsoft servers in Dublin.  Microsoft  refused to produce these, and ultimately moved to vacate that portion of search warrant effectively requiring its US personnel (acting as agents of the United States government)  to effect a search and seizure of data not physically located on servers in the US.  In support, Microsoft argued that the U.S. Congress had not intended the SCA to have extraterritorial effect, and therefore the search warrant as issued could not compel Microsoft to retrieve and produced the emails stored in Ireland. With the eventual  backing of AT&T, Cisco, Verizon, and others, Microsoft has continued to escalate its strong legal stance against the court-ordered production of the contents of this non-US-hosted email box.  To garner interest and manage perceptions among legislative and executive branch personnel, known to spend the last weekend of summer at the Delaware beaches,  on the eve of the Labor Day holiday weekend, Microsoft even placed full page advertisements in well-known beach resort news publications.

As it proceeds before the Second Circuit next month, and perhaps to the United States Supreme Court thereafter,  the Microsoft In Re Search Warrant case is likely to set important legal and procedural precedents for how cross-border (or as here, quasi cross-border) law enforcement requests for data are handled where US doctrines mandate production of documents within the “possession, custody, or control” of the US based entity on whom a government demand for assistance is lawfully served.

For its part, the Southern District of New York judges sided strongly with the government position that Microsoft has “control” over the e-mails stored on servers in Dublin and therefore has to produce the requested information.  For many decades, it has been settled law in the United States that where the U.S. entity has “control” of documents in the physical custody of a foreign subsidiary, the documents must be produced in response to valid legal process, whether a civil or criminal subpoena or search warrant.  In civil litigation, for example, courts routinely evaluated the degree of ownership and control over a foreign subsidiary, focusing upon matters such as commonality of ownership, intermingling of directors and management, ordinary course transfers of documents across borders, and the involvement of the non-party corporation in the matters in dispute.  U.S. courts have frequently addressed the conflict between these discovery obligations and E.U. blocking statutes for example, on a case by case, court by court basis.

Courts often look, as the judges and parties have in the Microsoft case, to the Restatement (Third) of Foreign Relations law of the United States, often prioritizing discovery over foreign law in practice.  The district judges both determined that Microsoft itself had elected to store the contents of the Outlook.com account on Irish servers, and therefore, it could just as easily retrieve the data from the US.  The magistrate and district court judges rejected Microsoft’s arguments that it was the end user’s data, not its own business records, at issue in the search warrant, arguing that the argument had been waived because it was not a part of the briefing in support of the original motion to vacate.

Both judges ultimately found that an SCA warrant does not, as Microsoft had asserted, violate the presumption against extraterritorial application of US law.

The dispute raises important economic and diplomatic issues for Microsoft and the amici.  As one amici counsel arguing against extraterritorial application stated at oral argument on July 31, one of the “very significant” policy issues is “the interest of companies in not losing billions of dollars in foreign business because of the impact overseas, because of foreign customers wanting to go to a German provider instead of an American one.  These are the sorts of policy considerations that need to be left to Congress.”  One can speculate that the well-timed vacation ads in the beach newspapers are harbingers of a public policy / lobbying campaign to seek a legislative “fix” to the conundrum presented by the New York federal district court’s extraterritorial application of the SCA.

In Europe, data protection authorities and policymakers voice concerns over the potential privacy law implications of the case. They argue that the due process considerations under Irish law should have compelled U.S. law enforcement to opt for the  procedures set forth in the Mutual Legal Assistance Treaty in Criminal Matters between Ireland and the US has been in force in place since 2001.  They also claim that otherwise the transfer of the data would infringe Irish privacy law.  However, the US-judges at the trial court level were persuaded by the government’s position that the MLAT process was slow and in any event, discretionary under the wording of the Treaty.  The potential breach of Irish privacy law has been not been considered.

Whether the Second Circuit will take a broader look and also consider limitations under Irish privacy law remains to be seen.  In any event, it would not be easy to argue that the production of the e-mails would infringe Irish privacy law.  As a Safe Harbor registered and certified participant, Microsoft has signed up for the Safe Harbor Principles (2000/520/EC) and in such principles, the European Commission explicitly approved government access under US law.  Furthermore, Microsoft's terms of use for Outlook.com explicitly reserve the right to provide user data in order to satisfy applicable law, regulation, legal process or governmental requests.  Therefore, this case focuses on the question whether Microsoft is obliged to provide the data from Ireland under US law or not.  The privacy rules in Europe may become more relevant in the future, because the European Court of Justice has been asked whether Safe Harbor is binding, the European Commission is rethinking Safe Harbor and  a new European privacy law is in the making  For the time being, however, it is unlikely that Irish privacy law will be decisive in the Microsoft case.

 

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Latham & Watkins LLP | Attorney Advertising

Written by:

Latham & Watkins LLP
Contact
more
less

Latham & Watkins LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Privacy Policy (Updated: October 8, 2015):
hide

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.

Security

JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.