Reflections on the Microsoft/Ireland Case

Last week the Supreme Court granted a review of a Second Circuit decision upholding Microsoft’s defiance of a U.S. warrant for the production of e-mail messages, stored in a server housed in Ireland, of a man suspected of drug trafficking.

At its simplest, the legal battle between Microsoft and law enforcement is a debate over the reach and intent of a law passed many years (1986) before the coming of age of the Internet.

Microsoft and its allies argue that that law, the Stored Communications Act (SCA), was written at a time when Congress knew virtually nothing about the Internet and what it would become, and that furthermore there is no indication in the language of the law or congressional intent that suggests it could be applied extraterritorially. Continue reading “Reflections on the Microsoft/Ireland Case”

Electronic Privacy Needs ICPA Update

Privacy advocates won an important victory in July when a federal appeals court ruled to limit the access of the U.S. government to individuals’ e-mail accounts.

The U.S. Court of Appeals for the Second Circuit said the federal government did not have the authority to issue search warrants for persons’ e-mails stored on servers outside the United States.  The case was brought by Microsoft Corp. in response to a warrant that would’ve compelled Microsoft to turn over customer e-mails stored on a server it maintained in Ireland.  The court affirmed that the Stored Communications Act (part of the broader Electronic Communications Privacy Act of 1986) did not give the government such powers outside U.S. territory.

This was a key judicial ruling to be sure. But it points up the increasingly urgent need for Congress to update that 1986 ECPA legislation to reflect the realities of today’s global digital environment.

Such legislative efforts have been initiated in recent years, only to languish in committee.  The most notable example was the Law Enforcement Access to Data Stored Abroad (or “LEADS”) Act, introduced in February 2015.

Writing about the LEADS Act when it was introduced, attorney Kurt Wimmer noted in an issue paper for The Media Institute that “cloud computing” as we know it today did not exist when the ECPA was enacted in 1986.  “Our current storage habits for digital records are precisely the opposite of the habits that existed in 1986, when ECPA was adopted,” he wrote.  And so it remains today.

However, there is new hope on the horizon.  On May 25, Reps. Tom Marino (R-Pa.) and Suzan DelBene (D-Wash.) introduced the International Communications Privacy Act (ICPA).  Senators Orrin Hatch (R-Utah), Chris Coons (D- Del.), and Dean Heller (R-Nev.) introduced identical legislation in the Senate.  These bills (H.R. 5323 and S. 2986) follow in the footstep of the LEADS Act in seeking to establish a rule of law for lawful access to data in the global environment.

Reps. Marino and DelBene (who had also introduced the LEADS Act) said in a statement:

“We were pleased that the LEADS Act gained such widespread support with more than 130 cosponsors in the House.  ICPA improves upon this effort by broadening industry recognition, and we believe it will earn an even greater backing from our colleagues in Congress.  This bill guarantees that users of technology have confidence that their privacy rights will be protected by due process while simultaneously ensuring law enforcement agencies have necessary access to information through a clear, legal framework to keep us safe.”

The bill stipulates that U.S. law enforcement could obtain warrants for the electronic information of U.S. persons physically located in the United States, or nationals of foreign countries that have a Law Enforcement Cooperation Agreement with the United States, provided the country does not object to the disclosure.  Thus, the ICPA would maintain the sovereignty of nations in protecting information stored within their borders.

By clarifying the rules surrounding the release of electronic information, the ICPA would not only protect individual privacy but would also improve the competitive posture of American companies doing business in the global digital economy.  Cloud computing will continue to revolutionize everything from newsgathering and financial transactions to the Internet of Things as the future of business migrates ever more rapidly to the cloud.  The rules governing privacy and the protection of information in that space need to be clear.

Updating the ECPA with the International Communications Privacy Act would reflect today’s reality of cloud computing and provide the legal framework needed to protect the privacy of individuals, support law enforcement, and promote a competitive environment for American companies.  Congress can’t afford to let this one languish.