A recent US court ruling that Microsoft did not have to produce emails hosted on a server outside the US has raised many questions about the scope of the ruling and whether it will impact antitrust investigations. This article will review the Microsoft opinion, consider its impact on whether antitrust authorities can obtain data located on foreign servers, and discuss the approaches of Canada and the European Union.
In July 2016, the Second Circuit of the US Court of Appeals held that a Department of Justice (“DOJ”) search warrant to Microsoft as an internet service provider could not force it to produce customer email data maintained on a server in Dublin, Ireland. In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corp., No. 14-2985, 2016 WL 3770056 (2d Cir. July 14, 2016). The dispute arose over a search warrant issued pursuant to the Stored Communications Act (“SCA”), which authorizes search warrants for data held by electronic communications and remote computing services. In connection with a New York-based narcotics trafficking investigation targeting an unidentified individual, the DOJ sought disclosure of emails held in a cloud-based account provided by Microsoft. Microsoft refused to turn over the data, arguing that doing so constituted an “extraterritorial” application of the SCA and would violate Irish data privacy law. The government countered that the warrant was not extraterritorial because Microsoft owned and controlled the Irish servers and was able to access and produce the emails from computers in the United States. The district court agreed with the government’s position, relying on precedent holding that US companies can be compelled by subpoena to produce business records stored abroad.
On appeal, the Second Circuit concluded that Congress had not intended the Stored Communications Act’s warrant provisions to apply extraterritorially. The Second Circuit found the key question was not where the warrant was executed (United States) but where the data sought by the warrant was stored (Ireland). As a result, warrants authorized by the SCA are much like ordinary search warrants that can be executed only in the United States because US courts do not have the authority to authorize a search abroad.
The opinion could alter the way that service providers store information, giving companies the ability to evade warrants for electronic data by claiming the data resides outside the United States. In a concurring opinion, Judge Gerard Lynch made it clear that the decision to limit the scope of the warrant resulted from an outdated law, not a choice by Congress to hamstring investigations of foreign conduct that might violate US laws. The SCA, a law adopted in 1986 as part of the Electronic Communications Privacy Act, was passed at the dawn of the Internet age, and like other 30-year-old laws dealing with technology, it is hopelessly out of date. Judge Lynch emphasized that Congress should revise the statute, and such proposals have already been introduced.
The decision raised questions about how grand jury subpoenas used in US government investigations should be handled. Unlike a situation where a “subpoena could reach documents located abroad where the subpoenaed foreign defendant was compelled to turn over its own records regarding potential illegal conduct, the effects of which were felt in the United States,” the Second Circuit has “never upheld the use of a subpoena to compel a recipient to produce an item under its control and located overseas when the recipient is merely a caretaker for another individual or entity and that individual, not the subpoena recipient, has a protectable privacy interest in the item.” See Marc Rich & Co., A.G. v. United States, 707 F.2d 663 (2d Cir. 1983). The Second Circuit in Microsoft cited Marc Rich & Co. as setting the standard for subpoenas, and also noted that a line of bank discovery cases has required production abroad because there is no reasonable expectation of privacy with bank records. For instance, in US v. First National City Bank, 396 F.2d 897 (2d Cir. 1968) the Court held that a bank subject to jurisdiction of a federal court was not absolutely entitled to withhold its bank records in Frankfurt, Germany, from a US grand jury subpoena. Beyond this, the Microsoft court did not address all potential avenues through which the DOJ could collect overseas data. In certain circumstances, for example, US authorities may seek information by relying on a grand jury subpoena, or through treaties and other processes established with foreign governments to handle such requests.
In Canada, the power of competition authorities to seize data located on foreign servers has not yet been considered by the courts. The Canadian Competition Act provides that a person executing a search warrant may use a computer system to search, in addition to data on the computer, any data that is “available to” the computer system. Such data could arguably include data accessible from the Canadian computer but located on a foreign server. While the courts have yet to consider whether the Competition Act search powers, in fact, extend to data on foreign servers, Canadian courts have held that search powers in other contexts have such extraterritorial reach. For example, a 2008 tax case concerning records of the online seller eBay held that information was “located in” Canada for purposes of search powers contained in the Canadian Income Tax Act if the data was readily accessible to the Canadian-resident corporation, even though the documents were on servers situated in California, USA, which were owned by the US parent. The Canadian subsidiary in that case had been authorized to access the foreign-located data for use in its business, but had not been authorized to download it to computers in Canada.
In addition to search warrants, competition authorities in Canada have another tool potentially at their disposal in relation to documents and data located on foreign servers. The Competition Act contains a provision pursuant to which the Commissioner of Competition for Canada can obtain a Court Order requiring a Canadian-resident corporation to produce the records of a non-resident affiliated company. A Canadian company can therefore be required to produce, on penalty of sanction, the records of its foreign parent or affiliate (including electronic records located on a foreign server), notwithstanding that it may have no way to compel the cooperation of its parent company or affiliate. While this power is expansive, its constitutional and jurisdictional validity remains uncertain. On at least two occasions, legal challenges to the provision have settled before a court decision, so its validity remains untested by Canadian courts.
In the EU, the European Commission (the "Commission") can access data located on a foreign server if it is “normally accessible” from the premises of the company under inspection. In practice, the type and extent of electronic search conducted by the Commission during an unannounced inspection or ‘dawn raid’ will vary depending on the circumstances of the company being investigated. The Commission’s usual practice is to conduct key word searches on site to find relevant information, searching across different data sources within the company’s IT environment accessed on the premises. Typically the Commission will bring its own IT search capability to the company premises and will use forensic techniques to preserve the chain of custody as it transfers the company’s data onto its own terminals or a separate server for review for potential relevance. Where the company’s servers are located within another Member State the Commission may seek the assistance of the National Competition Authority of that Member State in securing the data directly from the relevant server. Depending on the volume of data involved, downloading data directly from a server can have important resource implications. The Commission is much more likely to experience latency issues in downloading data from a terminal within the company’s premises.
More extensive search procedures are exercised by the UK’s Competition and Markets Authority (“CMA”), which can obtain a warrant to allow intrusive searching in business and domestic premises. Where an inspection is carried out under a warrant, CMA officials have considerable powers to recover data. There is no direct provision enabling the CMA to search data located on a foreign server but, in common with the position under EU law, such data could be copied and taken away where it is ‘accessible’. Section 28A(2)(f) of the Competition Act 1998 entitles the inspecting officers “to require any information which is stored in any electronic form and is accessible from the premises, and which the named officer considers relates to any matter relevant to the investigation, to be produced…”. If there is likely to be significant disruption to business continuity as a result of the latency of the download, then the CMA may seek a voluntary agreement from the company that its mobile unit can travel to the jurisdiction in which the server is located in order to perform the data download. To date, the scope of the CMA’s powers to seize data during an onsite inspection has not been challenged in the UK courts.