Back to News & Commentary

Does a US Warrant Extend to Data Held Abroad?

NSA Cabinet
NSA Cabinet
Jennifer Stisa Granick,
Surveillance and Cybersecurity Counsel, ACLU Speech, Privacy, and Technology Project
Share This Page
January 24, 2018

When the government wants a company in the United States to turn over private data stored in another country, which country’s laws apply? The Supreme Court is set to consider that question in a case that raises a novel legal question about warrants, borders, and the Fourth Amendment.

The case involves a dispute between Microsoft and the U.S. Department of Justice, which served the company with a warrant demanding it turn over emails that are stored at its data center in Ireland. Microsoft balked, arguing — so far successfully — that the warrant is effective only inside the country, and therefore cannot not compel disclosure of information stored abroad. The Justice Department has argued that the warrant is valid because the actions required for Microsoft to retrieve the data in question would take place in the U.S., and therefore do not entail a search or seizure outside U.S. borders, which can only take place with explicit authorization from Congress.

Last week, the ACLU, along with the Brennan Center for Justice, the Electronic Frontier Foundation, Restore the Fourth, and The R Street Institute, filed a brief arguing that the government’s insistence that it can seize data held abroad with a regular warrant is based on an erroneous interpretation of the Fourth Amendment.

In July 2016, a panel of the Second Circuit Court of Appeals ruled in favor of Microsoft. It held that the warrant would be executed in Ireland, and not in the U.S., where the Microsoft employees gathering the data are located. In the absence of authorization from Congress, the court ruled the warrant had no effect outside the U.S. and Microsoft did not have to comply. The Justice Department appealed to the Supreme Court, which will hear the case on February 27.

The “Microsoft Ireland” case raises complicated issues about privacy, government access to data stored in other nations, and technological design. Our amicus brief strives to sensitize the Supreme Court to dangerous arguments the government has made that, if adopted, could adversely impact Fourth Amendment rights.

The government urges the court to rule that it is not a search when the government or its agents copy or transfer a user’s emails, but only when the company discloses the information to the government or a government agent reviews the emails’ content. According to that argument, the Fourth Amendment would only kick into gear when the government takes possession of emails. That’s a dangerous position. A company acting as a government agent is conducting a Fourth Amendment “search and seizure” when accessing, copying, or moving a user’s data, regardless of when, where, or even whether investigators later search it.

While a warrant issued in this case, the government also implies that a subpoena — which is not issued by a judge and does not require a probable cause showing — would have been sufficient to search and seize the Microsoft emails. That’s dangerous, too. A subpoena cannot compel a company to disclose a customer’s email or other private communications. Since we have a reasonable expectation of privacy in those personal messages, the Constitution requires a search warrant approved by a judge. A lower standard would empower law enforcement to conduct searches without judicial oversight, creating serious consequences for privacy rights. We urged the court to make clear that a mere subpoena cannot authorize law enforcement to search and seize American emails from a service provider.

The government’s position could also increase the risk that investigators from other countries will interfere with the privacy and property interests of people in the United States. If the Supreme Court rules that the U.S. government can force access to foreign data under U.S. law, then foreign governments are more likely to reciprocate by seeking Americans’ data through foreign law, which tends to be far less protective of privacy. Mutual legal assistance treaties — agreements between countries that establish mechanisms for requesting and obtaining evidence for criminal investigations and prosecutions — already define the proper process for cross-border data demands. These agreements ensure that where a law enforcement demand implicates both countries’ legal protections, both countries’ laws are satisfied.

The Microsoft Ireland case raises complicated issues, but it certainly shouldn’t be decided in a manner that erodes constitutional privacy rights.