U.S. v. Microsoft (Microsoft-Ireland): Implications for International Lawmaking

[Austen Parrish is the Dean and James H. Rudy Professor at Indiana University Maurer School of Law. He is a co-author, with appellate lawyer Carl Cecere and Prof. Anthony Colangelo (SMU Dedman School of Law), of an amicus brief filed in U.S. v. Microsoft.]

Next Tuesday, the U.S. Supreme Court will hear U.S. v. Microsoft. A fascinating and potentially landmark case, it is one in a growing line of transnational cases where the Court has grappled with how new technology affects older laws. Indicative of its potential significance, thirty amicus briefs were filed in the case, including one that I was pleased to help write.

The case began when the federal government obtained a warrant requiring Microsoft to turn over records related to a customer’s email account in a drug trafficking investigation. Microsoft agreed to provide records stored in the United States. It refused, however, to provide communications stored in Ireland. Instead of seeking Ireland’s cooperation or using a Mutual Legal Assistance Treaty designed to address cross-border criminal investigations, the Government took a different tack. Congress, according to the Government, had already granted it—and local and state law enforcement—the power to force Microsoft to seize private emails of foreign citizens, stored on data servers in foreign countries, and import them into the United States. The Government asserts this power exists even when foreign privacy laws prohibit disclosure, and without the need to notify the email’s owner or the country where the emails are stored.

The case has potentially wide-ranging implications. But, on a basic level, at stake is how courts should interpret a statute when technology enables the government to obtain information previously unobtainable. Did Congress, when it enacted the Stored Communications Act in 1986, intend to give local law enforcement the power to seize communications stored overseas? Because it served the warrant at Microsoft’s Washington state headquarters seeking documents under Microsoft’s control, the Government asserts it doesn’t matter that technology now enables what previously would have been prohibited. Microsoft argues, in contrast, that the presumption against extraterritoriality prevents guessing what Congress would have wanted. When Congress enacted the Stored Communications Act thirty years ago, it could not have anticipated seizing emails stored abroad from computers within the U.S. because the internet was in its nascent form, email was just beginning, and no one had conceived of cloud computing. Accordingly, the Court should not assume Congress granted law enforcement this power. This is particularly true, Microsoft urges, because the Act was designed to provide greater privacy protections in light of changing technology, not less.

Worth emphasizing is what this case is not about. The case is not about whether law enforcement should, in certain circumstances, be able to effectuate a cross-border search. It’s not a question of whether the Government needs more tools to investigate transnational crime. And it’s not about whether criminals can evade law enforcement efforts by storing incriminating materials abroad. What the Government seeks could be achieved through the existing MLAT process, through collaboration with Ireland, through new legislation (such as that currently proposed by a bipartisan group of Senators), or through the negotiation of bilateral and multilateral treaties. It’s also not a policy question of what might be a sensible approach if Congress rewrote the statute today. The question is what Congress authorized when it passed the Stored Communications Act. While international comity may ultimately come into play—allowing a court to balance competing sovereign interests when deciding whether to enforce the warrant—that only happens if the Court finds the Act granted the government authority to seize communications stored abroad in the first place.

As set forth in our amicus brief, if the Court is faithful to its past precedent Microsoft should win the statutory argument. To be sure, there’s a number of complicated doctrinal considerations, and I won’t repeat the arguments set out in our amicus brief. In this post, however, I thought I’d highlight how a decision in the Government’s favor could potentially undermine international lawmaking.

Most commentators believe a harmonized, international solution is essential. That’s true for privacy and data law scholars who argue that the “way forward on data extraterritoriality must be an international one.” It’s also true for those writing about coordinated approaches to transnational crime. The question is whether a ruling that enables the Government to unilaterally seize private information of foreign citizens stored abroad helps or hurts in that effort. At the very least, the Government’s interpretation of the Act bypasses and makes bilateral mutual legal assistance treaties less relevant. But putting that aside, does one result or the other lead to a more likely international solution?

Viewed through this lens, for those committed to effective international lawmaking, there should be a clear preference in outcomes. A ruling that the Government has the power to unilaterally seize foreign communications undermines incentives to push for an international solution or to fix the shortcomings of mutual legal assistance treaties. As Professor Tonya Putnam’s recent book and research show, in the past when courts have rejected government arguments for extending domestic statutes extraterritorially, those refusals have helped fuel U.S. multilateral or bilateral engagement. In contrast, rulings that permits unilateral extraterritorial action create environments where there’s little urgency for the U.S. to find coordinated solutions. The most common result is free-for-alls, where each nation relies on its own piece-meal approach. Not surprisingly then, the reciprocity problem—that other nations would unilaterally try to seize private communications of U.S. citizens—figures prominently in the Second Circuit opinion. As one lawyer provocatively, but accurately, explains: “Why is the U.S. government trying to help Vladimir Putin access information stored in the United States?”

For international lawyers, the Government’s position should be particularly troubling because the Government asks the Court to assume that Congress authorized activity that in 1986 would violate prohibitions on extraterritorial enforcement jurisdiction. All agree that the Government could not send FBI agents to Ireland to retrieve documents without Ireland’s consent. The Government also could not surreptitiously hack into data servers in Ireland. That too would violate Irish sovereignty. The issue then is whether the Government can do indirectly what it is prohibited from doing directly, by compelling Microsoft to do its work for it. But the U.S. can’t sidestep international law’s limitations merely by conscripting a private company to act in its stead. Ireland’s sovereignty and its citizen’s privacy rights aren’t offended less because the Government forced Microsoft to electronically seize records for it.

The response by some is to reimagine international law. Professor William S. Dodge takes this approach somewhat in a recent post on the Just Security blog. Citing to his own work with the Fourth Restatement, he says that the amicus brief “is simply wrong” on the international law by pointing to U.S. domestic court decisions related to production orders. Because I think highly of Professor Dodge and his other work, and because he directly responds to our amicus brief, I felt a short reply appropriate.

As an initial matter, the Fourth Restatement does not purport to set out international law. It’s an important publication, written by distinguished scholars, but it’s a survey of how U.S. courts have ruled. Some comments in the Fourth Restatement are contentious. For example, Professor Dodge cites to it for the proposition that customary international law “does not limit adjudicatory jurisdiction at all, except for certain rules of immunity.” That suggestion is inconsistent with the Third Restatement, which indicates a reasonableness restriction exists, and canonical treatises on international law. While it may be true that some domestic courts have not allowed international jurisdictional principles to constrain them and that international law limits are rarely in play given often stricter domestic limitations, the assertion that international law imposes no limits whatsoever is a minority position. As Professor Alex Mills explains: “Although some international lawyers have questioned the need for a separate category of ‘adjudicative jurisdiction,’ few if any would maintain that adjudicative jurisdiction is unregulated in international law.” The point is not to argue whether the Fourth Restatement is normatively right, but to suggest that the Fourth Restatement does not reflect settled international law, and not international law as it existed in 1986.

On the substance there’s also problems with arguing, as the Government does, that because some lower courts have permitted subpoenas to produce information from abroad that international law permits unilateral, extraterritorial warrants. Lower court cases focused on civil discovery generally do not interpret international law. They also don’t involve warrants, let alone warrants under the Stored Communications Act—an issue discussed extensively in the briefing. The cases also aren’t comparable because extraterritorial discovery is only permitted if the court has personal jurisdiction over the person subject to the production order, something that does not necessarily exist over foreign email owners (it might be different if the Government were only seeking foreign stored documents of Americans).

Even if these problems were overcome, it’s not clear that unilateral extraterritorial discovery orders are themselves always consistent with international norms. Certainly other countries object strongly to the practice. The background assumptions of the Brussels Convention, the Mutual Legal Assistance Treaties, the European Union’s General Data Protection Regulation, and the U.S. Department of Justice’s own manuals are that international law requires coordination, not unilateral action, to effectuate a cross-border production. Even if one could argue that state practice is changing, in 1986—the critical time for determining what Congress authorized in the Stored Communications Act—international law did not permit law enforcement to seize communications stored abroad and therefore is not something the Court lightly should assume Congress authorized.

Also contrary to what the Fourth Restatement implies, unilateral extraterritorial discovery orders have provoked pronounced friction. Published in 1987 around the same time of the Stored Communications Act, the Third Restatement was clear: “[n]o aspect of the extension of the American legal system beyond the territorial frontier of the United States has given rise to so much friction as the request for documents in investigation and litigation in the United States.” And as Gary Born and Bo Rutledge note in their well-regarded treatise: “Unilateral U.S. discovery of materials located abroad has frequently provoked vigorous foreign resistance” including diplomatic protests and blocking statutes. Writing earlier in a related context, the International Law Association noted that “[i]t is difficult to find any authority under international law for the issuance of orders compelling the production of documents from abroad.” Or as Professor Cedric Rygaert has recently explained: “Foreign states, European ones in particular, have. . . not surprisingly often argued that the U.S. execution of discovery orders for the production of documents located within their territory is not in keeping with the territoriality principle, violates international law, and violates their judicial sovereignty if their consent was not previously obtained.”

And for those interested in international law, perhaps this is where U.S. v. Microsoft is most interesting. For me, it’s an example of how unilateral action in the name of expediency threatens to undermine longer-term interests. U.S. companies aren’t the only ones that can access data abroad, and the U.S. should have an interest in protecting its own citizen’s privacy interests from foreign intrusion. This is exactly the kind of problem where coordinated, international solutions are needed. Unilateral, extraterritorial enforcement—in which nations compel the production of data located anywhere around the globe—is not a sustainable approach. More importantly for this case, there’s no indication that in 1986 Congress intended this odd result.