Blog: VLP Speaks

Congress Steps in to Address the Microsoft Ireland (Overseas Warrants) Case

Posted on Mar 27, 2018 in Privacy, Blog by Michael L. Whitener

The Supreme Court recently heard oral arguments in a high stakes privacy case, United States v. Microsoft, which involves the US government’s authority to access data stored overseas. The case involves a warrant issued under the Stored Communications Act that attempted to force Microsoft to turn over customer email data stored in Ireland that was implicated in a federal drug trafficking investigation. 

The Stored Communications Act, enacted in 1986, extends Fourth Amendment protections against “unreasonable searches and seizures” to the digital world. But the Act never anticipated that data could be stored in the cloud. 

Microsoft refused to turn over the content of the emails, and so the case has made its way through the legal system. The Second Circuit sided with Microsoft and held that, because the Stored Communications Act is silent on the topic of extraterritorial reach, it must be read consistent with the presumption against extraterritorial application. The court rejected the argument of the Department of Justice that the analysis should turn on whether the company receiving the warrant (in this case Microsoft) has access to the data being sought, not where the data is being stored. But that leaves open the possibility that an internet service provider could thwart law enforcement efforts simply by deciding to store data overseas.

During the Supreme Court arguments, Microsoft contended that the court should wait for Congress to act on this issue, and Justice Sotomayor seemed to agree, questioning, “Why shouldn’t we leave the status quo as it is and let Congress pass a bill in this new age?”

As it happens, Congress has answered the call. The omnibus spending bill signed by President Trump on March 23 includes the bipartisan Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which makes it easier for law enforcement agencies to obtain access to data stored on overseas servers. 

The CLOUD Act gives the Department of Justice new powers to enter into information-sharing agreements with foreign governments, rather than relying upon the cumbersome process in place via mutual legal assistance treaties (MLATs) that require congressional ratification. Now the DOJ can ink similar agreements without the approval of Congress or the courts.

This legislation was strongly supported by tech giants such as Apple and Google as well as Microsoft, stating that it “reflects a growing consensus in favor of protecting Internet users around the world and provides a logical solution for governing cross-border access to data.”

But some privacy advocates are not pleased. The Electronic Frontier Foundation, for instance, has denounced the CLOUD Act as “a new, proposed backdoor to our data, which would bypass our Fourth Amendment protections to communications privacy.”

We’ll keep an eye on how the CLOUD Act gets implemented and its impact on the Microsoft v. Ireland case.