Privacy, Data Protection and Retention
Google Spain SL v. Agencia Española de Protección de Datos
Spain
Closed Expands Expression
Global Freedom of Expression is an academic initiative and therefore, we encourage you to share and republish excerpts of our content so long as they are not used for commercial purposes and you respect the following policy:
Attribution, copyright, and license information for media used by Global Freedom of Expression is available on our Credits page.
The United States Supreme Court vacated the judgment of the U.S. Court of Appeals for the Second Circuit in a case involving data privacy rights of the user and the ability of technology firms based in the United States to refuse to comply with federal warrants issued under the Stored Communications Act (“SCA”) when user data is stored overseas.
In 2013, a warrant was issued by the District Court for the Southern District of New York requiring Microsoft to disclose contents of a customer’s email account allegedly involved in narcotics trafficking. Microsoft refused to comply with a warrant on the basis that the information was stored in Microsoft data centres based in Ireland. The United States District Court for the Southern District of New York denied Microsoft’s motion to quash the warrant, holding Microsoft in civil contempt of court for failure to comply with the warrant. In an appeal to the U.S. Court of Appeals for the Second Circuit, the appellate court reversed the order of the District Court and declined to enforce the search warrant under the SCA, finding that this would be an unlawful extraterritorial application of the Act. The Court reasoned that the order was a warrant, not a subpoena, because the private party, Microsoft, in being required to conduct the search and seizure became an agent of the government and the Fourth Amendment’s warrant clause applied to its actions. Further, the Court reasoned that the SCA was not intended to have extraterritorial application and only applied to material located in the U.S. Since the information was located in Dublin and the warrant would require Microsoft to reach out to the Dublin centre to obtain it, enforcement of the warrant would constitute an unlawful extraterritorial application of the Act. Subsequent to the enactment of the Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) which required companies storing user information in overseas data centres to provide user information to government agents when a warrant is issued, the Supreme Court held that no live dispute remained over the issue, and thus, remanded the case back to the appellate court with instructions first to vacate the District Court’s contempt finding and subsequently directing District Court to dismiss the case as moot.
Since 1997, Microsoft, headquartered in the United States, operated a web-based email service called “Outlook”, allowing customers to send and receive correspondence using e‐mail accounts and available for public use without charge. In order to reduce network latency (i.e. inherent delay in web based computing services) and improve customer experience, Microsoft stored the contents of such emails sent using its service alongside non-content information relating to the account on a network of servers. Such servers, housing customer’s email information and contents, were located in data centres operated by the subsidiaries of Microsoft in over 100 discrete leased and owned datacenter facilities, spread over 40 countries. One of such data centres was located in Dublin, Ireland.
On December 4, 2013, Magistrate Judge James C. Francis IV of the United States District Court for the Southern District of New York issued a warrant requiring Microsoft to produce the contents of an individual’s email account that it was alleged was being used in furtherance of narcotics trafficking. On being served with the warrant, Microsoft determined that the email contents stored in the alleged account were located in its Dublin datacenter. While agreeing to disclose all other responsive information kept with the United States, it moved the Magistrate Judge to quash the warrant with respect to the user content located in its Irish datacentre, stating that “to comply fully with the warrant, it would need access to customer content that it stores and maintains in Ireland and to import that data into the United States for delivery to federal authorities” [p. 5]. The motion to quash the warrant was however denied by the Magistrate who concluded that the SCA authorized the District Court to issue a warrant for “information that is stored on servers abroad”. The District Court observed that a probable cause lied for the requested search and therefore, the warrant acted as a subpoena to produce information in its possession, custody, or control regardless of the location of that information. (p. 11)
Microsoft subsequently appealed to the District Court for the Southern District of New York and Chief Judge Loretta affirmed the Magistrate’s ruling. The Court held Microsoft in civil contempt for failing to comply with the warrant.
Following the denial of the Magistrate’s ruling, Microsoft appealed to the United States Court of Appeals for the Second Circuit, arguing to vacate the finding of contempt as well as remand of the case to the District Court with instructions to quash the warrant. By a judgment dated July 14, 2016, a panel of the appellate court reversed the denial of the motion to quash and vacated the civil contempt finding, holding that requiring Microsoft to disclose the electronic communications in question would be an unauthorized extraterritorial application under the SCA.
During the period of appeal, the US Congress enacted the Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) which required companies storing user information in overseas data centres to provide user information to government agents when a warrant is issued. Given the enactment of the CLOUD Act, the US Supreme Court took the legislative change into account and held that no live dispute remained over the issue, since Microsoft was now required under the CLOUD Act to disclose a user’s information regardless of the location. The Court directed the District Court to issue a new warrant and remanded the case back to the appellate court with instructions first to vacate the District Court’s contempt finding and subsequently directing District Court to dismiss the case as moot.
Once the CLOUD Act was in effect, the federal government went back to court and got a new warrant, which was replaced the warrant originally served on Microsoft back in 2013.
The Supreme Court of the United States delivered a per curiam opinion, holding that the CLOUD Act rendered moot a challenge to a warrant requiring Microsoft to disclose electronic communications stored overseas. The principle issue before the Supreme Court was whether a United States provider of email services must comply with a probable-cause-based warrant issued under 18 U.S.C. § 2703 by making disclosure in the United States of electronic communications within that provider’s control, even if the provider has decided to store that material abroad.
Under the provisions of the Stored Communications Act (“SCA”), 18 U.S.C. § 2703 provides conditions under which service providers must disclose stored communications to the government. Specifically, an administrative subpoena can ask for basic subscriber and transactional information, whereas other non-content records can be obtained by a court order, which may be issued only upon a statement of “specific and articulable facts showing . . . reasonable grounds to believe that the contents or records . . . are relevant and material to an ongoing criminal investigation”. (p. 17)
In dealing with the principle issue, the Appellate Court first analysed whether SCA authorized enforcement of a warrant with respect to customer data stored in Ireland. Before the Court, the government had argued that an SCA warrant was more akin to a subpoena than a warrant and thus, compelled production of any material stored in the premises, irrespective of the location. This view was adopted by the Magistrate Judge in his ruling which denied Microsoft’s motion to quash – the District Court had disregarded Microsoft’s claim that the premises was located abroad rendering it outside the purview of the SCA. In fact, Microsoft also claimed before the appellate court that the warrant under the SCA was limited by the principle of extraterritoriality and cannot be given effect as to materials stored beyond United States borders, regardless of what may be retrieved electronically from the United States and where the data would be reviewed. Doing so otherwise would infringe the privacy of its customers.
On the issue of extraterritoriality, the Court noted that there exists a strong presumption against enforcement of U.S. statutes abroad, unless a clear indication of extraterritorial application is observed. Following the approach set forth in Morrison v. National Australian Bank Ltd. (561 U.S. 247 (2010)), it utilized a two part test to determine whether the warrant was valid. This involved looking into (i) whether the legislature intended the SCA to have extraterritorial application; and if not (ii) whether enforcement of the warrant would constitute an unlawful extraterritorial application. With respect to the first, the government had claimed that the SCA neither contemplated nor permitted any extraterritorial application in the SCA, and that “[n]othing in the SCA’s text, structure, purpose, or legislative history indicate[d] that compelled production of records is limited to those stored domestically”. (p. 24) However, the Court found this argument unpersuasive, upholding that the presumption against extraterritoriality laid on the head of the statute.
In construing the usage of the term “warrant” to consider whether enforcement of it would constitute an unlawful extraterritorial application, the Court observed that the Magistrate Judge had reasoned under Rule 41 of the Federal Rules of Criminal Procedure (which requires that the ‘warrant’ be obtained ‘within the district’ where the property is located) that the location of the property under the provision was equivalent to the location of the service provider (and not the location of the server). The appellate court concluded, however, that this was not the case – Rule 41 did not mention anything about the need to cross international boundaries and only allowed magistrates to issue a warrant “in other districts” and not overseas. (p. 27) It also rejected the District Court’s claim that an SCA warrant was was a hybrid between a warrant and a subpoena, specifically since a subpoena was executed by a service provider rather than a government law enforcement agent, and because it does not require the presence of an agent during its execution. This was central to the government’s argument because subpoenas, unlike warrants, may be enforced overseas. However, the Court found that the order in this case was distinguishable as a warrant, because “[w]hen the government compels a private party to assist in conducting a search or seizure, the private party becomes an agent of the government, and the Fourth Amendment’s warrant clause applies in full force to the private party’s actions”. (p. 29)
Relying on the 1983 decision In the Matter of a Grand Jury Subpoena Directed to Marc Rich & Co. 707 F.2d 663 (2d Cir. 1983) which clarified that a defendant subject to the personal jurisdiction of a subpoena‐issuing grand jury could not “resist the production of [subpoenaed] documents on the ground that the documents are located abroad.” (p. 30), the government also argued that disclosure in response to an SCA warrant should not be read to reach only U.S.‐located documents but all documents available to the recipient. However, the appellate court denied government’s assertions, holding that “neither Marc Rich nor the statute gives any firm basis for importing law developed in the subpoena context into the SCA’s warrant provisions”. (p. 31) In this regard, the Court upheld Microsoft’s claim that the use of subpoena to compel recipient to procure documents located overseas when the recipient is a mere caretaker for another entity, and that entity, has a protectable privacy interest in that document, cannot be done.
More importantly, the Court stressed that the SCA’s focus was on “user privacy” as against “disclosure” as contested by the government. This was prevalent from the statutory interpretation of the plain meaning of the text, the procedural provisions of the Act, and in light of the relevant legislative history. It noted that the information was located in Dublin, Ireland and there was no information as to the citizenship or location of the user. Consequently, an invasion of privacy of the customers would occur under the SCA where the customer’s protected content is accessed (as in this case, when it is seized from Microsoft). The Government countered that the information could be accessed without law enforcement ever setting foot in Dublin, thereby making the warrant’s application domestic. However, the Court was not convinced, because the information was located in Dublin and would require Microsoft to reach out to the Dublin centre to obtain the information. Therefore, because a warrant under the SCA could only concern material located within the boundaries of the U.S. and as the material sought was located outside of the U.S., enforcement of the warrant in this case would constitute an unlawful extraterritorial application of the Act.
Interestingly, the government’s claim that preventing SCA warrants from reaching data stored overseas would “impede” law enforcement efforts since a wrongdoer can deliberately store content outside the United States was rejected as well. The Court referenced that various Mutual Legal Assistance Treaties (“MLATs”) between the United States and other countries allow signatory states to request one another’s assistance with ongoing criminal investigations, including issuance and execution of search warrants. Irrespective, the practical considerations raised by the government cannot overcome substantive interpretation of the text of the statute, which concluded that SCA warrant is restricted by the principle of extraterritoriality.
Judge Lynch wrote separately to concur in the judgment, agreeing with the judgment but arguing that there was a legislative need to review and reconsider the statute as written in light of new technological advancements. Specifically, he noted that the characterising SCA warrants as a threat to individual privacy was an unfair characterisation, since SCA presented a “tiered” set of requirements for government access to electronic communications which consistent with the highest level of protection ordinarily required by the Fourth Amendment for the issuance of search warrants. Judge Lynch also underscored that under the majority’s interpretation of the SCA, the privacy of Microsoft’s customers’ emails was dependent not on the traditional constitutional safeguard of private communications but rather on the business decisions of a private corporation. The contract between the customer and Microsoft did not restrict Microsoft from storing its customers’ email wherever it chose to. As a result, the customer’s privacy in this case is absolute against the government (i.e., the government can never obtain a warrant that would require Microsoft to turn over emails of foreign customers), but protected against Microsoft only to the extent defined by the terms of her (adhesion) contract with the company. This was a major flaw which he believed required redressal. He also noted that in enacting legislation, it was the traditional task of Congress and of the courts, in interpreting the Fourth Amendment, to strike a balance between privacy interests and law enforcement needs. Finally, Judge Lynch was also sceptical of the majority’s conclusion that the mere location abroad of the server on which the service provider has chosen to store communications should be controlling, putting those communications beyond the reach of a purely “domestic” statute. (p. 60)
Subsequent to the enactment of the CLOUD Act which required companies storing user information in overseas data centres to provide user information to government agents when a warrant is issued, the Supreme Court, by a decision dated April 17, 2018, directed the District Court to issue a new warrant and remanded the case back to the appellate court with instructions first to vacate the District Court’s contempt finding and subsequently directing District Court to dismiss the case as moot.
Decision Direction indicates whether the decision expands or contracts expression based on an analysis of the case.
This case expands expression by protecting the freedom of expression of users of electronic communication channels by holding that U.S. authorities can not force service providers to access data stored outside the U.S.
A federal magistrate judge in a later case, In re Search Warrant No. 16-960-M-01 to Google, came to a different result on similar facts and ordered Google to comply with a search warrant to produce foreign-stored emails. It found that “the conduct relevant to the SCA’s focus will occur in the U.S.” even if the data is retrieved from outside the U.S. It said that the searches of electronic data, and therefore, the invasions of privacy, will occur in the U.S. when the FBI reviews the copies of the requested data. In other words, when a network provider is ordered to retrieve information from abroad, that copying of information abroad and sending back to the U.S. does not count as a Fourth Amendment “search” or “seizure” outside the U.S.
However, with the US Supreme Court’s per curiam opinion dated April 17, 2018 in the case, the issue has been rendered moot. Nevertheless, given the crucial considerations of territoriality of data and ensuing privacy aspects, the decision of the Appellate and Supreme Court sets an important precedent. The Appellate Court’s decision has significant implications for the ability of law enforcement agencies to obtain communications data stored outside the United States, and also for companies that must navigate among the competing demands of U.S. law enforcement requests, customer privacy expectations, and foreign laws. In addition, the Supreme Court’s decision, while acknowledging Congress’ efforts to expand the scope of U.S. warrants to cover data stored outside the United States, is also a stark reminder of the need to address legal issues on how territoriality applies to data. With the advances in technology, application of existing legal doctrines may not be adequate and legal systems need to adapt to changing circumstances.
Global Perspective demonstrates how the court’s decision was influenced by standards from one or many regions.
Case significance refers to how influential the case is and how its significance changes over time.
Let us know if you notice errors or if the case analysis needs revision.