On Tuesday, the Supreme Court heard oral argument in United States v. Microsoft, a case that many observers believe could have significant ramifications for how cloud computing and other technology companies interact with the US government. If it were up to the justices themselves, however, those implications would end up being short-lived.
The dispute concerns the reach of the Stored Communications Act, a 1986 law that regulates the ability for the US government to obtain emails and other communications from technology companies. In July 2016, the Second Circuit Court of Appeals, a prominent federal appellate court that sits in New York, ruled that a warrant obtained under the SCA does not allow the government to require the production of emails stored by Microsoft overseas—in this case, on a server in Ireland—because the relevant provision of the statute does not apply “extraterritorially” to reach foreign-stored data.
To Microsoft and other technology companies, the Second Circuit ruling represented the best reading available of a decades-old law that never envisioned the kind of cross-border data storage practices that are commonplace today. Microsoft, along with the numerous technology companies and privacy advocates that supported its position, has said that the ruling protects it from conflicts between US law and the law of the country where the data is stored, a serious and growing challenge for global technology companies. Several foreign governments have filed briefs raising similar concerns. Coming in the wake of the Edward Snowden disclosures, the Second Circuit’s decision was also seen among privacy advocates as a victory that trimmed the sails of US surveillance.
Several justices expressed unease with having to choose between these options.
Since that ruling came down, however, the Department of Justice has gone to great lengths to overturn it, arguing that it puts information that could be critical to uncovering and prosecuting serious crimes out of reach. The DOJ has emphasized that Microsoft employees based in the United States can readily access the information at issue—and that the government followed the privacy “gold standard” here by obtaining a warrant based on probable cause that the information relates to a crime under US law. In addition, DOJ has warned that the Second Circuit’s ruling creates new incentives for companies to place data overseas, to appeal to customers who want their information out of reach of the US government.
While these arguments did not win over the Second Circuit, they held sway elsewhere in similar litigation involving Google, which lost multiple times when it tried to make the same argument. Those decisions bolstered the case for Supreme Court review, paving the way for one of the most closely watched technology cases to reach One First Street in recent years.
It is generally a mistake to draw too many conclusions from questions at oral argument—especially in a complicated case that has divided courts below. As one would expect, each side was forced on Tuesday to address the potentially problematic consequences of their position, and the justices seemed divided on the merits. But on one point, there appeared to be broad agreement from the bench: It would be much better for Congress to resolve this issue through new legislation, rather than by either of the rulings that the parties were advancing.
Justice Ginsburg started on this theme by noting that when the 1986 law was passed, “no one ever heard of clouds. This kind of storage didn’t exist.” She expressed concern that a court having to apply the decades-old law to the current landscape would face an all-or-nothing choice—either the law applies to data stored overseas or it doesn’t. But “if Congress takes a look at this, realizing that much time and… innovation has occurred since 1986, it can write a statute that takes account of various interests. And it isn’t just all or nothing.”
Justice Sotomayor later took the unusual step of asking the attorney for the US government about the status of pending legislation, in a line of questioning that appeared skeptical of the government’s position. A few minutes later, Justice Alito, who appeared more sympathetic to the government’s view, nevertheless prefaced his question for Microsoft’s counsel by saying, “It would be good if Congress enacted legislation that modernized this.”
As Justice Ginsburg framed the issue, the way that the case came to the court presents the Justices with a binary choice between two less than satisfactory outcomes: Rule in favor of Microsoft and put in jeopardy the government’s ability to access the information it needs—or rule in favor of the government and potentially harm the ability of US technology companies to compete globally, and create strains between US and foreign laws. While several justices expressed unease with having to choose between these options, the Supreme Court will presumably do just that in the coming months when it hands down a decision.
Of course, as the oral argument made clear, there is actually a third option. And unusually, it has the support of both parties squaring off in the Supreme Court. It is the CLOUD Act, recently introduced legislation that would make clear that the SCA applies to foreign-stored data, while also providing companies like Microsoft a new avenue to challenge some types of orders if they conflict with the laws of the country where the data is stored.
Whatever the Supreme Court decides may not be the last word for long.
The CLOUD Act would also address the reverse situation at issue in the Microsoft case—instances in which a foreign government seeks access to US-stored data through an order under its own laws. The law would provide a mechanism for the US government to enter into agreements with foreign governments to allow US companies to respond to legal orders from foreign courts or governments. (Right now, the SCA actually makes it illegal for a US company to turn over data unless the order comes from a US court.) These bilateral agreements, which would be subject to congressional review, would require the foreign governments to demonstrate that they have the same basic privacy and human rights safeguards as exist in the US. For example, there is already a framework in place for this type of agreement with the UK.
In the current environment, few pieces of legislation are a good bet to become law—and the CLOUD Act does have its critics, in the form of privacy groups that believe that it affords law enforcement too broad access to information. But it is backed by a bipartisan group of senators and supported by the current administration—as well as by several major tech companies. As to the Microsoft case, a ruling for either side will likely add to the pressure on Congress to act by highlighting the extent to which the current framework is badly outdated and in need of revision. Whatever the Supreme Court decides may not be the last word for long—and both sides prefer it that way.
David Newman is a former special assistant to the president, associate White House counsel, and director on the National Security Council staff. He is currently counsel at Morrison & Foerster LLP, where he represents clients in a wide variety of national security and global risk and crisis management issues.