United States v. Microsoft Corp. (Law Enforcement Cross-Border Data Access)
Privacy International filed an amicus brief to the United States Supreme Court challenging law enforcement access to personal data stored abroad
On 18 January 2018, Privacy International, together with 26 human and digital rights organizations and legal scholars, filed an amicus brief to the United States Supreme Court in United States v. Microsoft Corp. This case stems from the U.S. Government’s attempt, pursuant to a warrant obtained under the Stored Communications Act, to compel Microsoft to hand over emails and other private information associated with a particular account. Much of the data is stored in Ireland and Microsoft refused to hand over that data on grounds that the Stored Communications Act does not authorize the U.S. Government to unilaterally seize data stored extraterritorially.
Our brief highlights how the U.S. Government’s position would undermine the fundamental right to privacy by overriding the data-protection laws of Ireland and the E.U., which protect personal data, including by regulating when, how, and to what extent private entities, like Microsoft, may transfer personal information to foreign countries. In order to respect these limitations, many countries, including the U.S., have entered into specific agreements to govern cross-border law enforcement data requests. The dominant mechanism is a Mutual Legal Assistance Treaty, which the U.S. has concluded with both Ireland and the E.U., but has chosen to ignore in favour of seeking to unilaterally seize data stored in Ireland.
Our brief further explains how the U.S. Government’s position would set the stage for repeated violations of data-protection laws around the world. Approximately 120 countries have laws that specifically protect personal data. The U.S. Government would similarly violate these laws in countless cases should it be given the authority to unilaterally seize data stored abroad. It would also place companies that provide online services in the untenable position of having to violate the laws of other countries in order to comply with warrants issued in the United States.
Finally, our brief submits that established principles of statutory interpretation under U.S. law should result in a rejection of the U.S. Government’s position. First, the presumption against extraterritoriality instructs courts to construe statutes to have only domestic reach, unless their terms specifically contemplate foreign application. Because there is no indication Congress intended the Stored Communications Act to have extraterritorial application, the presumption against such application applies. Second, under principles of comity, courts determine how to apply U.S. law without unreasonable interference with the sovereign authority of other nations. Since construing the Stored Communications Act to have extraterritorial application would conflict with the data protection laws of many governments around the world, comity principles militate against such an interpretation.