The Supreme Court is set to hear arguments on Tuesday in a digital privacy case that could have broad global consequences.
In United States v. Microsoft Corp., the court will decide whether a digital communications provider has to comply with a U.S. search warrant for user data if the information is stored outside of the country.
“The stakes are really high,” said Gregory Nojeim, senior counsel and director of the Freedom, Security, and Technology Project at the Center for Democracy & Technology. “It’s going to set the tone for cross-border data demands on a global scale.”
This all began back in 2013, when prosecutors served Microsoft a warrant in Redmond, Washington, for emails and information associated with an account involved in a criminal drug-trafficking investigation. Microsoft turned over data it had stored on its servers in the United States, but some information was stored on a server in Ireland. Microsoft refused to turn over the foreign data.
A lower court judge initially approved the warrant, but the U.S. Court of Appeals for the Second Circuit rejected the warrant in favor of Microsoft. Now it’s up to the Supreme Court to decide the case.
Microsoft argues U.S. law enforcement should not be able to access digital communications stored on servers outside the country. Brad Smith, Microsoft’s president and top lawyer, has said that allowing U.S. officials to seize emails stored overseas ignores borders, treaties, and international law.
The move could also put Americans’ emails at risk of seizure by foreign governments, he said.
“If the U.S. government can unilaterally use a warrant to seize emails outside the United States, what’s to stop other governments from acting unilaterally to seize emails stored inside the United States?” Smith wrote in a blog post in October.
Microsoft argues that the legislation the government is relying on, the Stored Communications Act of 1986, is too old and outdated to apply to modern internet infrastructure or cloud computing. Microsoft, Apple, Google and other service providers store data in servers throughout the world that contain information from a global population.
Law enforcement and the Justice Department argue that Microsoft and other tech companies are harming criminal investigations by refusing to turn over cloud data. U.S. attorneys argue that it should not matter where the information is stored — if it can be accessed “domestically with the click of a computer mouse.”
Some experts say that the issue should be decided outside of the courts.
“I don’t think the Supreme Court is the best place to be looking at these issues,” said Jennifer Daskal, an associate professor of law at American University. “It’s an area where Congress ought to step in and update the issue.”
Lawmakers are trying to find a solution. A group of bipartisan senators recently introduced the Clarifying Lawful Overseas Use of Data Act that would let countries enter into agreements with the U.S. to allow cross-border access to digital information. In order to enter an agreement, countries must meet certain privacy and human rights standards.
Tech companies including Facebook, Google, Apple and Microsoft support the legislation. Daskal said it’s a step in the right direction. Nojeim, of the Center for Democracy & Technology, said the protections for individuals are “woefully inadequate,” though the bill could be helpful with improvements.
Other experts worry this type of law could infringe on state sovereignty for countries that do not have a bilateral agreement with the U.S.
If passed, the Clarifying Lawful Overseas Use of Data Act would render the Microsoft case moot, Daskal said.
Privacy advocates argue that the Justice Department is overreaching in asking Microsoft to turn over internationally stored data.
“If U.S. warrants reach data stored outside the U.S., you can bet that a lot of other countries will insist that their legal process reaches data stored inside the U.S., including data of Americans,” Nojeim said.
His organization, along with other privacy and human rights groups and scholars, have filed friend of the court briefs to the Supreme Court in support of Microsoft.
The case has received global attention. The European Commission filed a brief in support of neither party, but noted it would have a global impact on data protection.
The EU has approved massive data privacy protections called the General Data Protection Regulation that go into effect later this year, and if Microsoft complies with the search warrant for Ireland data, it could violate those laws.
Meanwhile, Britain and Ireland have also filed briefs supporting neither party, while a collection of French and German trade groups filed one in support of Microsoft.
The case is one of two the Supreme Court is deciding that could shape digital privacy laws. Another case, Carpenter v. United States, will decide whether warrantless collection of cell phone records that show someone’s location is legal under the Fourth Amendment.
“So many of the laws that govern digital evidence are outdated,” Nojeim said. “It’s good for the court to be looking at it, and it’s good for Congress to act as well.”