What if? Microsoft appeal ponders U.S. reaction to foreign data demand

“Imagine this scenario. Officers of the local Stadtpolizei investigating a suspected leak to the press descend on Deutsche Bank headquarters in Frankfurt, Germany. They serve a warrant to seize a bundle of private letters that a New York Times reporter is storing in a safe deposit box at a Deutsche Bank USA branch in Manhattan. The bank complies by ordering the New York branch manager to open the reporter’s box with a master key, rummage through it, and fax the private letters to the Stadtpolizei.”

— Microsoft v. United States of America,
In the Matter of a Warrant to Search a Certain E-Mail Account
Controlled and Maintained by Microsoft Corporation

So begins Microsoft’s legal brief today in New York with the U.S. Second Circuit Court of Appeals in its ongoing case challenging a U.S. government search warrant for customer data stored in Ireland. Microsoft filed the appeal after a U.S. district court judge rejected the company’s argument that the warrant is illegal because it calls for the seizure of emails stored outside the United States.

The filing begins by imagining how the U.S. government might react if the shoe were on the other foot. For example, how would the Unites States react if a foreign government attempted to sidestep international law by demanding that a foreign company with offices in the United States produce the personal communications of an American journalist? As the brief hypothesizes, the reaction might go something like this:

The U.S. Secretary of State fumes: “We are outraged by the decision to bypass existing formal procedures that the European Union and the United States have agreed on for bilateral cooperation, and to embark instead on extraterritorial law enforcement activity on American soil in violation of international law and our own privacy laws.” Germany’s Foreign Minister responds: “We did not conduct an extraterritorial search – in fact we didn’t search anything at all. No German officer ever set foot in the United States. The Stadtpolizei merely ordered a German company to produce its own business records, which were in its own possession, custody, and control. The American reporter’s privacy interests were fully protected, because the Stadtpolizei secured a warrant from a neutral magistrate.”

As the brief states, “[N]o way would that response satisfy the U.S. Government” because the documents held by the foreign company for safekeeping are private letters, not business records. And any attempt to take possession of those letters through a warrant – even one served on the company entrusted with those letters – would constitute a seizure by a foreign government of private information located in another country.

Ultimately today’s legal brief is about more than a timely and interesting story. This case involves timeless principles and their enduring importance to a future with global technology.

As the story illustrates, this case and these principles are as important to Americans as they are to people elsewhere around the world. If the Government prevails, how can it complain if foreign agents require tech companies to download emails stored in the U.S.? This is a question the Department of Justice hasn’t yet addressed, much less answered. Yet the Golden Rule applies to international relations as well as to other human interaction.

In one important sense, the issues at stake are even bigger than this. The Government puts at risk the fundamental privacy rights Americans have valued since the founding of the postal service. This is because it argues that, unlike your letters in the mail, emails you store in the cloud cease to belong exclusively to you. Instead, according to the Government, your emails become the business records of a cloud provider. Because business records have a lower level of legal protection, the Government claims it can use a different and broader legal authority to reach emails stored anywhere in the world.

Of course, this case has also raised concerns around the world for a good reason. The DOJ in effect challenges people’s ability around the world to rely on the privacy protections of their own governments and laws.

As our brief points out, the power to embark on unilateral law enforcement incursions into another sovereign country has profound foreign policy consequences. For that reason, the European Commissioner for Justice protested the lower court’s decision, stating that “it bypasses existing formal procedures that are agreed between the EU and the U.S.” and “may be in breach of international law and may impede the attainment of the protection of individuals guaranteed in the Union.” Foreign newspapers were less diplomatic, blasting the United States with headlines such as: “U.S. Wants to Rule over All Servers Globally.”

To avoid just this sort of international discord, courts presume that federal statutes do not apply extraterritorially unless Congress expresses a clear intent for them to do so. And Congress expressed no such intention here. That fundamental point is at the heart of this case.

For this reason, the case also has important implications for the separation of powers in our own Government. The DOJ risks stepping on Congress’ authority by substituting its judgment for a decision Congress exclusively is authorized to make.

By requiring Congress to speak clearly when extending U.S. law abroad, the presumption against extraterritoriality ensures that only Congress decides when to subordinate international comity to other governmental interests. Congress did not make – and, indeed, did not even consider – any such tradeoff when it enacted the statute involved here, the Electronic Communications Privacy Act (ECPA). On the contrary, ECPA’s text and history show Congress believed the law would only apply domestically. If the DOJ wants the unprecedented power it claims here, it therefore should plead its case to Congress.

To be clear, we appreciate the critical role law enforcement plays and its need to obtain evidence necessary to investigate a possible crime. Microsoft and other technology companies receive thousands of demands each year from law enforcement agencies. To accommodate its duties to both its customers and law enforcement, Microsoft complies with lawful orders from U.S. authorities. However, we believe the Government should follow the processes it has established for itself for obtaining physical evidence outside the United States. And we believe in the need to strike a better balance between security and privacy. That’s why we brought this case and why we continue to call on both the Administration and Congress to introduce reforms.

Meanwhile, the warrant issued here cannot reach emails stored in Ireland, and as we argue in our brief, we believe the lower court’s judgment should be reversed.

To download and read the full text of the filing, click here.