by Jennifer Daskal, Assistant Professor of Law, American University Washington College of Law. Follow her on Twitter @jendaskal.
*This post originally appeared at Just Security.
As readers no doubt already know, the Second Circuit today issued a surprise ruling in the Microsoft Ireland warrant case – siding with Microsoft. The result: location of data controls, at least for purposes of warrant jurisdiction. U.S.-issued warrants can no longer be relied on to compel the production of stored communications (such as emails) located outside the United States’ territorial jurisdiction. Rather, the United States must make a diplomatic request for extraterritorially located data via a Mutual Legal Assistance Treaty (or other avenue if no such treaty is in place)—and then wait for the foreign partner to respond. This is the case even if the target of the investigation is a U.S. citizen and the provider that controls the data can access it from the United States. (It's an issue I've written about extensively here, here, and here.)
It seems almost certain that the government will appeal the ruling, but a lot less certain that the Supreme Court will grant certiorari. In the meantime, we can expect, and hope for, much more executive branch engagement with Congress on the issue.
Here are three quick takeaways to keep in mind.
#1: Read Judge Lynch’s concurring opinion. He gets it exactly right in all key respects. First, this is not a privacy case, although it does have important privacy implications. The government, after all, is proceeding by a warrant issued based on probable cause. No one would think this is a privacy violation if the data were stored in Redding, Washington. It thus does not become a privacy violation because the data is stored in Ireland. Second, nothing in the text or legislative history of the statute suggests that Congress considered or intended the possibility that SCA warrants would have transnational reach; particularly given the Supreme Court's recent reaffirmation of the presumption against extraterritoriality, they should not. Third, this is a wholly unsatisfactory result, even if correct as a matter of statutory interpretation and the application of Supreme Court doctrine. It means that U.S. law enforcement can no longer compel, via a lawfully obtained warrant, a U.S.-based provider to turn over the emails of a U.S. citizen being investigated in connection with a N.Y.C. murder if his or her data happens to be stored on a server outside United States territory. Rather, it must make a diplomatic request for the data in whatever place the data happens to be stored, and then wait, perhaps months or longer, for a response. This makes little sense. Fourth, Congress should engage. (More on this in point #3 below.)