Second Circuit’s Decision in Microsoft v. U.S. (Data Stored in Ireland): Good News for Internet Users? (Guest Blog Post)

by guest blogger Marketa Trimble

With the July 14, 2016, decision in Microsoft v. United States (“Microsoft”) by the U.S. Court of Appeals for the Second Circuit, the question arises – as it usually does in cases involving technology in general and the internet in particular: Is the decision good news for internet users? Though the outcomes of some technology and internet cases may be heralded (initially) as victories for users, closer examination can reveal otherwise. Speaking about the Microsoft decision specifically, Jennifer Granick has warned that, while the decision “may be a short-term victory for privacy advocates … its larger implications are far more complex.”

The Second Circuit’s Microsoft decision at first seems to mark a victory for internet users, particularly those who welcome any decision that denies a government access to individuals’ data (whatever the circumstances), or those who are concerned about the U.S. government’s access to data of persons outside the United States’ jurisdictional reach. In Microsoft, the government requested the data of an individual that were stored by Microsoft, and Microsoft was successful in having the Second Circuit quash a search warrant issued by the district court (the warrant having been issued under the Stored Communications Act (“the Act”)) by arguing that a U.S. court-issued search warrant could not compel Microsoft to produce data that Microsoft had stored outside the United States (in this case, in Ireland).

This apparent victory for at least some internet users is tainted by the effects that the decision might have in the future. I will focus here on the effects of the rule that is suggested in dicta by the majority in the decision – that jurisdiction over data should depend on the location of the data. The decision of the Second Circuit panel states that U.S. courts may not issue a search warrant under the Act to compel a service provider to produce data stored on servers outside the United States; the majority determined that the Act has no extraterritorial reach, and because “the data lies within the jurisdiction of a foreign sovereign” (p. 40 of the decision), a search warrant requiring their production would have an extraterritorial reach.

The result of the decision is that if a U.S. law enforcement agency wants access to data stored outside the United States, the mechanisms of international mutual legal assistance must be utilized and foreign authorities must be engaged – even if the data are stored by a U.S.-based service provider. Only after foreign authorities sift through the potential reasons for the denial of a request and comply with the request will the U.S. agency be permitted access to the data.

Is it good for internet users if the location of data determines jurisdiction? We might ask about the expectations of internet users and the effect of the new rule on legal certainty. If I as an internet user utilize the services of a service provider based in the United States – such as Microsoft – my assumption is that U.S. laws will govern whatever Microsoft does with my data, to some extent at least. If I use Microsoft as a service provider and I am domiciled outside the United States, particularly in a country with strong pro-consumer legislation, such as Ireland or another European Union country, I might hope that the laws of my country will also apply and require Microsoft to honor my rights, as protected by the country of my domicile. I as a user have no idea where Microsoft, or any other service provider for that matter, stores my data; I assume that Microsoft stores my data wherever it wants in the world, as it sees fit, in places where it locates its servers (particularly when, as concurring Judge Lynch noted, Microsoft does not promise me that my data will be located in any particular country). One thing that I the user do not expect, and really do not want, is for my data to be subject to the laws of the country in which the Microsoft server that contains my data is located (i.e. the country of whatever Microsoft data center Microsoft has chosen to locate the data).

Microsoft stated that it stored data only in the “region” where a user has declared himself or herself to be located. But a “region” is not a jurisdiction, and may, depending on the definition, comprise multiple legal jurisdictions with not only differing rules, but also differing legal practices and political structures. Further, some service providers will be unwilling and/or incapable of limiting the location of my data to a certain region or country (on difficulties of data location verification see here); redundancy of data storage is important for reliability and the security of data in the cloud.

If jurisdiction over my data is to be governed by each of the countries containing the servers on which my data are located, my data may be exposed to the laws, courts, and law enforcement agencies of countries that are unexpected by me, and which may be multiple, or many, countries. Perhaps the uncertainty about and the multitude of jurisdictions poses no problem as long as the countries have strict rules that protect my data from unjustified intrusions by governments. But what if these countries’ rules and/or practices are – or one day become – less protective? And what of other laws of the foreign jurisdictions that might be applicable to my data, such as copyright and defamation laws that might not afford a suficient level of free speech protection to users? The Microsoft rule would change the status quo; so far, courts have accepted only in exceptional circumstances the notion that jurisdiction arises in the location of a server (see, e.g., here and here). Typically, the location of a server plays a minimal role, if any role, in courts’ decisions on jurisdiction.

Enforcement under the suggested rule poses another problem. If jurisdiction over data were to lie in the courts and agencies of a country where data are stored, this would be so even in cases where a service provider has no presence in a country other than some of its servers being located there. In the absence of any other provider assets in the country, enforcement in the country where the data is stored would necessarily be directed only at the servers where the data were stored. Enforcement abroad against the provider itself would require that the domestic decision be recognized by a foreign court, and foreign enforcement might not be available at all if it involves a criminal or similar penalty (e.g., a contempt order). One has to wonder whether data centers, particularly those not owned and/or operated by service providers but by data center companies that only rent space and/or equipment to service providers, should be the target of law enforcement activities concerning data stored on third-party servers. Exposing data centers to enforcement actions directed at data that are stored on their premises or their equipment would disrupt confidence in and could discourage the expansion of cloud-based services.

For service providers it is advantageous if they may utilize data centers anywhere they choose. The draft Trade in Services Agreement that is being negotiated apparently contemplates a provision that would prohibit countries from mandating that service suppliers locate data on their servers in any particular country (Article 9 of the leaked draft Annex on Electronic Commerce). But if jurisdiction over data is to be based on the location of the data, do I as a user really want countries to lose their ability to influence (or mandate) where my data are located? The provision in the Annex prohibiting the mandating of the location of a server should be without prejudice to countries’ provisions in a number of areas of law, including privacy law (Article 1 of the draft Annex), and perhaps my country may therefore request that service providers, in order to comply with its privacy laws, locate my data within the country. But what if a country has no data location requirement? Or suppose that limiting the location of and movement of my data in the cloud is technically unachievable and/or undesirable?

Microsoft has another important international dimension. The recently concluded EU-U.S. Safe Harbor/Privacy Shield negotiations have highlighted the EU’s concerns about the data of its residents. From this perspective, the outcome in Microsoft should improve both relations between the EU and the U.S. and the prospects for U.S. service providers who want to do business in the EU. Nevertheless, the suggested jurisdictional rule that would be based on data location should alarm users on both sides of the Atlantic.

Judge Lynch pointed out that it will be foreign, non-U.S. users who will gain from Microsoft, as they will be shielded from U.S. government direct access to their data when it is stored outside the United States. The problem with the Second Circuit’s suggested rule on jurisdiction based on data location is that its application would negatively affect all internet users, including EU users, because it would expose their data to unknown, and possibly multiple, jurisdictions. The rule might cause some pressure to be put on service providers to be transparent about the location of users’ data, but not all service providers might be able to adhere to specific data location limitations.

Merely revising the Act (which Judge Lynch in his concurrence calls “a badly outdated statute”) might not suffice. As I suggested elsewhere, enhanced cooperation among countries in procedural matters, meaning enhanced mutual legal assistance, seems essential. Whether the recently proposed legislation is the best way forward is for a separate discussion.