It is 2025. The government of Russia has requested that Microsoft, the operator of Microsoft 365, which provides email among other services, disclose the contents of an individual's email account. The target is a dual citizen of the U.S. and Russia and a well-known supporter of an opposition political leader. Russian law enforcement alleges that the individual was key in organizing the protest against the government after the recent amendments to the Constitution of the Russian Federation. The Russian authorities claim that the individual broke public assembly rules by organizing the unsanctioned protest, which is “unlawful.” Under domestic law, the Ministry of Internal Affairs of Russia has broad legal authority to acquire all the stored data from the email account for use in the investigation process.[1] In responding to the request, Microsoft tracks the data's location and finds that the metadata[2] is stored on computer servers in Russia. However, the content of the emails is stored in the U.S.

How should Microsoft respond to the request of the Russian Government regarding the privacy of U.S. citizens? Is Microsoft legally obligated to hand over the foreign-stored data to the local authorities? Can Microsoft challenge the request on the grounds of (1) the data being stored across the borders of Russia, and (2) the nationality of the individual concerned?

Data Flow Across the Borders

The ubiquitous use of the Internet has increased the demand by law enforcement officials in the U.S. and foreign countries for accessing electronic communications stored in data centers in foreign countries.[3] On the one hand, since the majority of technology companies are U.S.-based,[4] law enforcement officials from other countries must seek the U.S. government’s assistance in obtaining necessary digital evidence.[5] On the other hand, technology companies often store an individual’s data in jurisdictions other than those of the user or the service provider. Another factor that complicates the data transfer is the jurisdiction where the user resides.[6] Thus, U.S. law enforcement agents have faced challenges in accessing data stored on servers outside U.S. territory.

Resolving the Issue Raised in United States v. Microsoft Corporation

A judge of the Southern District of New York issued a warrant to Microsoft requiring the company to hand over the contents of a customer email account stored outside U.S. territory.[7] After the court denied Microsoft’s motion to quash the warrant, issued under § 2703 of the Stored Communications Act (“SCA”) (also called an SCA warrant), Microsoft appealed the case, arguing that the SCA warrant was subject to territorial limits.[8] The Second Circuit ruled in favor of Microsoft,[9] relying on the presumption established by the Supreme Court that U.S. laws do not have effect outside U.S. territorial jurisdiction unless the law specifies otherwise.[10] The U.S. government appealed the Second Circuit’s ruling, and the Supreme Court granted certiorari.[11] The focal question raised in the Microsoft Ireland case was whether the SCA’s mandatory disclosure provisions applied extraterritorially.[12]

While the case was under Supreme Court review, it drew significant attention from the public and government agencies alike. In the hearing before the Judiciary Committee in the House of Representatives, representatives of state, federal, and international law enforcement testified, and the technology sector, academia, and civil liberties groups also shared their views.[13] The Department of Justice, while arguing that the Second Circuit’s decision “effectively hamstrung the ability of law enforcement” to obtain data stored by U.S.-based entities abroad, creating a “tremendous problem” that caused “substantial harm to public safety,”[14] proposed a draft bill that would amend the respective provisions of the SCA.[15]

Finally, Congress stepped in and passed the CLOUD Act (Clarifying Lawful Overseas Use of Data Act) in 2018, which amended the extraterritoriality provision of the SCA by explicitly permitting the government to compel U.S.-based service providers to disclose electronic communications or any record pertaining to a customer even if they are stored on servers located outside U.S. territory.[16] Following the enactment of the CLOUD Act, the Department of Justice issued a new warrant requesting Microsoft to hand over the respective data.[17] Both parties in United States v. Microsoft agreed that the new warrant replaced the old warrant.[18] Consequently, the Supreme Court decided that the case had become moot.[19]

The CLOUD Act is insufficient in addressing the complexities of cross-border data transfer issues. While the Act facilitates access to electronic information stored in foreign countries, it relies on executive agreements to ensure such access. Despite ongoing negotiations with close allies like Canada and Australia to establish bilateral agreements under the Act, similarly effective negotiations with countries such as China and Russia are lacking.

This discrepancy becomes particularly problematic given the persistent threat of hacking activities emanating from these countries, posing significant risks to American companies across vital sectors like telecommunications, energy, and water infrastructure. Without comprehensive application of the CLOUD Act to all nations, justice remains elusive. Criminals should not find refuge simply due to their location, and the selective enforcement of the Act undermines its purpose. To truly address the challenges posed by cross-border data transfers and combat cyber threats effectively, there is a pressing need for equitable implementation of the CLOUD Act across all countries. Failure to do so risks perpetuating vulnerabilities in the global digital ecosystem and compromises the integrity of international law enforcement efforts.

[1] In 2014, the Russian parliament adopted the Data Localization Law, which requires data operators that collect Russian citizens’ personal data to store and process such personal data using databases located in Russia (effective Sept. 1, 2015). Under the amendments to the Information Law (effective July 1, 2018), an internet operator who is considered a personal data operator pursuant to the Personal Data Law of the Russian Federation (“RF”) must provide any communications to Russian police and intelligence at their request and install special systems used for investigation purposes. Olga Chislova & Marina Sokolova, Cybersecurity in Russia, Springer Link (Jul. 19, 2021), https://link.springer.com/article/10.1365/s43439-021-00032-9 [https://perma.cc/YK5B-9ZAP].

[2] Optiver Australia Pty. Ltd. v. Tibra Trading Pty. Ltd., Case No.: C 12-80242 EJD (PSG) (N.D. Cal. Jan. 23, 2013) (“Optiver [plaintiff] is entitled to such non-content metadata…[so] Google is required to provide only the following information [metadata] ‘Documents sufficient to show the recipient(s), sender, date sent, date received, date read, and date deleted of emails, email attachments, or Google Talk messages sent or received between Nov. 3 to Dec. 31, 2009…’”).

[3] See, e.g., Andrew Keane Woods, Against Data Exceptionalism, 68 Stan. L. Rev. 729, 442-45 (2016) (analyzing the trends of increased government demands for data located outside a nation’s territorial jurisdiction).

[4] William Smith, Top 10 Largest Tech Companies 2021, Technology Magazine (Apr. 24, 2021), www.technologymagazine.com/top10/updated-top-10-largest-tech-companies.

[5] See U.S. Dep’t of Justice, FY 2015 Budget Request: Mutual Legal Assistance Treaty Process Reform 1 (2014), https://www.justice.gov/sites/default/files/jmd/legacy/2014/07/13/mut-legal-assist.pdf (“Over the past decade the number of requests for assistance from foreign authorities handled by the Criminal Division’s Office of International Affairs (OIA) has increased nearly 60 percent, and the number of requests for computer records has increased ten-fold.”) [https://perma.cc/4DZD-GY5C]. 

[6] Jennifer Daskal, Privacy and Security Across Borders, 128 Yale L. J. Forum 1029, 1032 (Apr. 1, 2019); Gail Kent, The Mutual Legal Assistance Problem Explained, Ctr. for Internet and Soc’y, http://cyberlaw.stanford.edu/blog/2015/02/mutual-legal-assistance-problem-explained (“it is quite possible that the location of the companies providing a communication platform, the location of data, and the location of perpetrators are all in different parts of the world”) [https://perma.cc/24G9-NPLX].

[7] In re Warrant to Search a Certain E-mail Account Controlled & Maintained by Microsoft Corp., 15 F. Supp. 3d 466, 467-68 (S.D.N.Y. 2014). 

[8] Sam Thielman, Microsoft Case: DOJ Says It Can Demand Every Email from Any US-Based Provider, Guardian (Sep. 9, 2015), https://www.theguardian.com/technology/2015/sep/09/microsoft-court-case-hotmail-ireland-search-warrant [https://perma.cc/6MVZ-28YD].

[9] In re Warrant to Search a Certain Email Account Controlled & Maintained by Microsoft Corp., 829 F.3d 197, 201–02 (2d Cir. 2016). 

[10] See Morrison v. Nat’l Australia Bank Ltd., 561 U.S. 247, 266 (2010).

[11] United States v. Microsoft Corp., 138 S. Ct. 1186 (2018) (granting certiorari).

[12] In re Warrant to Search a Certain Email Account, 829 F.3d at 209. 

[13] Brief for Tech. Comp. as Amici Curiae, United States v. Microsoft, Blogsmicrosoft.com 36, http://blogs.microsoft.com/datalaw/wp-content/uploads/sites/149/2018/01/Brief-of-14-Tech-Companies.pdf [https://perma.cc/CZ9T-WS5Y].

[14] Stephen P. Mulligan, Cross-Border Data Sharing Under the CLOUD Act, Cong. Res. Ser. 1 (Apr. 23, 2018), https://sgp.fas.org/crs/misc/R45173.pdf [https://perma.cc/7VKS-TVK9]. 

[15] Adam Schwartz & Lee Tien, Protect the Privacy of Cross-Border Data: Stop the DOJ Bill, Elec. Frontier Found. (Sep. 24, 2017), https://www.eff.org/deeplinks/2017/09/protect-privacy-cross-border-data-stop-doj-bill [https://perma.cc/EXP7-KBF]. 

[16] 18 U.S.C. § 2713. 

[17] United States v. Microsoft, 138 S. Ct. 1186, 1188 (2018).

[18] Id.

[19] Id.

Published:
Thursday, May 2, 2024