Adding another case that grapples with the application of 20th century law in the digital age to its docket, the Supreme Court announced on Monday that it will review the U.S. Court of Appeals' ruling in United States v. Microsoft. At issue is the question of whether the U.S. government can compel an American company to produce data stored on a server physically located in a foreign country. Given the absence of a division among the lower courts, the justices’ decision to review this issue signals that they consider it a very important one.
The case stems from Microsoft's refusal to comply with a search warrant requiring Microsoft to produce the contents of emails stored in Dublin, Ireland. At Microsoft’s data center in Ireland, the company is also subject to the more stringent privacy protections found in Ireland and the European Union.
As a result, Microsoft was left with no good options — the company could either choose to not comply with the subpoena and risk being held in contempt in federal court, or it could comply and risk subjecting itself to a criminal probe or enforcement action in Europe for disclosing customer information in violation of European law.
The search warrant in question was issued under the Electronic Communications Privacy Act (ECPA), a law passed in 1986 by a Congress that could not yet envision the application of the bill’s warrant provision overseas. Three decades later, following countless failed attempts by Congress to modernize ECPA, the U.S. government interpreted the bill as allowing it to order the production of documents anywhere in the world as long as it has personal jurisdiction over the organization or individual in possession or control of the material.
That interpretation is in conflict with the Supreme Court's long-standing holding that unless Congress expressly provides otherwise, federal statutes should have only domestic application. The government nonetheless argued that the search was allowed because nothing in ECPA explicitly prohibited it from seeking information overseas.
The U.S. Court of Appeals for the Second Circuit unanimously rejected that argument, ruling that the correct interpretation is exactly the opposite. That is, the presumption against extraterritoriality means that if a statute's reach is ambiguous, it should only have domestic application.
While a lot of the press coverage has portrayed U.S. v. Microsoft as a case about email privacy, the central questions in this case concern matters of foreign sovereignty and the extraterritoriality of American laws. As a practical matter, what's at stake is the ability of U.S.-based tech companies to continue to service their customers using servers and other resources located around the world.
In the age of the data cloud, customers rely on service providers to store their data, and much of that data gets stored overseas. By asserting jurisdiction over electronic data stored anywhere in the world, governments will undermine consumers' trust in the cloud and threaten the very foundation of the huge and growing cloud computing industry.
In deciding United States v. Microsoft, the Supreme Court should be particularly cognizant of the potential for judicial overreach. The Second Circuit understood that it was not its duty to speculate whether Congress, decades ago, would have wanted this particular statute to apply to data stored overseas. The justices should reach the same conclusion and issue a narrow ruling while making it clear that the job of updating the ECPA is rightfully left to Congress.
Meanwhile, Congress has already begun to discuss a legislative update. In July, Sens. Orrin HatchOrrin Grant HatchLobbying world Congress, stop holding 'Dreamers' hostage Drug prices are declining amid inflation fears MORE, (R-Utah), Chris CoonsChris Andrew CoonsDefense & National Security — Military starts giving guidance on COVID-19 vaccine refusals Blinken pressed to fill empty post overseeing 'Havana syndrome' Who is afraid of the EU's carbon border adjustment plan? MORE (D-Del.), and Dean HellerDean Arthur HellerNevada governor Sisolak injured in car accident, released from hospital Democrats brace for tough election year in Nevada Democratic poll finds Cortez Masto leading Laxalt by 4 points in Nevada Senate race MORE (R-Nev.) introduced the International Communications Privacy Act (ICPA) of 2017, which would modernize the outdated ECPA and set up a comprehensive legal framework for determining the extraterritorial reach of court-ordered data searches by the U.S. government. Just last month, a bipartisan group of representatives introduced an identical bill in the House.
The bills would mandate that both Americans and foreign countries be notified about cross-border data searches when principles of international law require such notice. Additionally, the foreign countries involved would receive notification of the U.S. government's warrant application before it is granted and be given the opportunity to object.
With high court decisions looming in both Microsoft and Carpenter v. United States, another important digital age case, Congress would be wise to act now and pass this important legislation. The Supreme Court is the wrong forum for updating American law to reflect the rise of cloud computing.
By exercising judicial restraint in United States v. Microsoft, the Supreme Court would remind Congress to do its job.
Ashley Baker is the director of public policy at the Committee for Justice, a nonprofit group that seeks to uphold the Constitution and support constitutionalist judges.