Jan 23, 2018 By Ilya Shapiro
At first glance, it seems incredible that the U.S. Supreme Court would have to take a case that hinges, in part, on whether Ireland is part of the United States. But it has, with argument to be held next month, and the outcome of United States v. Microsoft has important implications for today’s digital world, in which data crosses borders at the speed of light and cloud computing is an everyday tool of American business.
The U.S. government is seeking access, through a search warrant, to electronic communications that Microsoft has stored in Ireland. Microsoft’s position is that users, not companies, own their data, so the government needs to follow the established process for pursuing foreign investigations. If the Supreme Court rules that instead that Internet service providers (ISPs) own all the data housed on their servers, and that borders don’t matter in these circumstances, then users would have serious concerns about online privacy.
Effectively, Ireland and everywhere else U.S. companies do business would be a part of the United States for law-enforcement purposes. So the case has tremendous implications for everyone who uses the Internet to store data—all of us.
Apply the Same Principles We Already Use
The U.S. Court of Appeals for the Second Circuit has already considered these issues and got the outcome right: U.S. search warrants simply cannot encompass electronic communications outside the United States any more than they can authorize physical searches of Dublin flats. U.S. laws only apply in the United States unless Congress has explicitly authorized extraterritorial application—and even then those foreign countries have a say in how that law is applied on that foreign ground. So if a U.S. search warrant cannot automatically apply to a physical object stored abroad, why should it apply to digital objects?
There are already solutions in place to resolve international conflicts like this, through existing treaties that provide mutual law-enforcement assistance between different jurisdictions. It’s not simply a matter of an American court ordering Europeans to comply. In this case, a loss for Microsoft would have serious implications for European citizens as well as Americans, leading to conflict between the United States and the European Union.
It’s clear why the Supreme Court took the case—to clear up confusion in murky jurisprudence. Beyond the particulars of the Microsoft case, however, there’s another solution: Congress must act.
Our Current Laws Are Horribly Outdated
The statute at issue here, the Electronic Communications Privacy Act, is more than 30 years old, going back to a time when email was the purvey of tech nerds and e-commerce only a distant dream. ECPA is neither precise enough nor flexible enough to address issues that arise from today’s technology, and from the migration of so much commerce online.
Congress can end the ambiguities in the law that have led different courts to different conclusions on a sometimes complex issue. A new statute would help both ISPs and law enforcement, and benefit everyone who uses electronic communications. The online world relies on trust. If consumers cannot trust that their data is secure and private, they will be far less likely to engage in e-commerce or even to send email. This would damage our economy and make the cost of storing electronic data far more expensive.
A fix like the proposed International Communications Privacy Act, which already has bipartisan cosponsors, would both solve the problems presented in this litigation and set up a strong foundation for the future. Consistent with the Fourth Amendment, it would require U.S. officials to obtain a warrant to obtain data stored with electronic communications-service providers and require providers receiving the warrant to comply with it as with search warrants of other types.
Specifically with respect to the issue in the Microsoft case, it would require that certain “qualifying” foreign countries receive notice of a warrant application and have the chance to object to it on the ground that the warrant would violate the laws of the host country. If the country objects, the U.S. court considering the warrant then analyzes the issue using a multi-factor test, including the interests of both the United States and the foreign country, the location of the alleged offense, the relevance of the data concerned to the investigation, and the ability for U.S. law enforcement to get the data in other ways.
We Need This Kind of Clarity
Not every country would qualify for this treatment: This analysis would only apply to countries that both meet privacy and human rights standards and cooperate with U.S. law enforcement in obtaining electronic data. Whether ICPA or some other vehicle, that’s the sort of thing that we need for the digital age.
This kind of clarity in the law, through a statute enacted by Congress, would clean up the confusion about the limits of privacy in electronic communications, whether stored domestically or abroad. It would benefit law enforcement, ISPs, and those who store electronic communications in the cloud.
Visit Ireland, and you’ll see many American flags welcoming travelers. But even the most exuberant Hibernophiles recognize that the Emerald Isle isn’t the 51st state, so the outcome in this case should be clear.
The need for Congress to act is equally paramount. Our elected representatives looked to the future and acted in 1986 to address a new world of electronic communications. It’s time for them to do so again in the era of cloud computing.