The U.S. Supreme Court April 17 ended a dispute between Microsoft Corp. and the Justice Department, but that won’t stop electronic communication providers and law enforcement from fighting over access to data stored abroad.
Cloud computing, electronic communications, and internet service providers scored a victory when the Supreme Court ended a dispute between Microsoft and Justice over data stored overseas. The decision to moot the case provides clarity to companies that are served with Stored Communications Act (SCA) orders because law enforcement must follow a more restrictive set of rules under the CLOUD Act to obtain such data.
The Supreme Court, in a procedural order, moved to end the case after Congress passed the CLOUD Act, which allows U.S. law enforcement in criminal investigations to access data stored overseas subject to certain requirements, such as an executive bilateral agreement. After Justice obtained a new warrant under the CLOUD Act, Microsoft and the DOJ petitioned the court to stop the case because there was no conflict in law. The high court agreed.
“The narrow question of extraterritorial jurisdiction and whether providers like Microsoft must turn over customer data—wherever located—if it’s in their custody or control is resolved by the CLOUD Act,” Craig A. Newman, partner and chairman of Patterson, Belknap, Webb & Tyler LLP’s privacy group, told Bloomberg Law.
But disputes over data sought under the CLOUD Act could spur new legal disputes as companies and law enforcement figure out when data can be obtained under which circumstances. The case itself ended because Justice obtained a new warrant under the CLOUD Act that could cause further challenges.
The Supreme Court’s decision is “just the beginning of the analysis. If a provider believes that” turning over data to law enforcement “would create a material risk that it would be violating the laws of another country, then it has the option of challenging the warrant in court,” Newman said. It will be interesting to see if “Microsoft will hand over the customer data stored in Ireland or essentially hit the reset button and start a new challenge to the warrant that was recently issued,” he said.
Although the Supreme Court’s decision effectively provided clarity for companies that get served with SCA orders, it sets up a new round of corporate concerns on how the CLOUD Act’s cross-border data access framework works in practice.
“After the passage of the CLOUD Act there is still a lot of ambiguity on how it will be implemented,” Hanley Chew, privacy and data security of counsel at Fenwick & West LLP and former assistant U.S. attorney in the Northern District of California, told Bloomberg Law. Tech companies that get served with these orders have come into their own in fighting against government requests for data and “we’ll definitely see them push back against overseas data requests,” he said.
Companies will be watching closely on how federal prosecutors will use their new warrant powers, Chew said.
“Microsoft’s goal has always been a new law and international agreements with strong privacy protections that govern how law enforcement gathers digital evidence across borders,” Brad Smith, the company’s president and chief legal officer, said in a April 17 emailed statement. Justice representatives didn’t immediately respond to requests for comment.
Conflict of Laws
The CLOUD Act, which was included in the 2018 omnibus spending package, provides a mechanism for companies to challenge law enforcement data requests if the order would cause international conflict of law issues. These challenges will likely be a hotly contested issue as prosecutors use their new warrant powers to obtain data stored overseas, attorneys said.
The conflict of law challenges under the act come in two parts. Companies can challenge underlying warrants for data stored overseas if there is a bilateral law enforcement pact between the U.S. and a “qualifying foreign government,” according to the law. Companies are also afforded the ability to argue that the underlying order would cause a conflict of law issue with other countries absent a law enforcement sharing agreement.
“Microsoft and other tech companies, cloud computing providers, email communication operators, will likely use provisions under the act to challenge warrants,” said Chew, who served many SCA orders during his time as a federal prosecutor.
Prosecutors will likely use the next months to test whether companies will challenge CLOUD Act orders and devise a plan to collect criminal investigatory data that is stored overseas.
The post-Microsoft world will be a “testing period,” Chew said. Federal prosecutors “will use the CLOUD Act legal process to push as far as they can, while tech companies will retrench and push back once law enforcement can obtain as much data as legally viable,” he said.
“Now that there is a statutory basis for these challenges, we are going to see a lot more case law going forward,” Chew said.
The case is United States v. Microsoft, U.S., No. 17-2, case mooted 4/17/18.