One of the big internet cases of this year, the Microsoft Ireland case, has come to an end about a month ago as the 2nd Circuit Court has handed down its ruling in favour of Microsoft. The case made quite a splash and has been covered before at the RENFORCE blog. With the verdict in, the time is ripe to revisit it and look at it again, this time from a different angle.
The case started when Microsoft was served with a (domestic) search warrant by the U.S. government under the Electronic Communications Privacy Act to produce information relating to a drugs trafficking and money laundering case. The warrant included the production of e-mails stored behind the msn.com domain, which is operated by Microsoft. Microsoft declined to comply with the warrant as far as the e-mails were concerned because, according to Microsoft, those e-mails were located on servers in Ireland and only there, and therefore not susceptible to a domestic search warrant.
On first instance the District Court ruled in favour of the government, but Microsoft appealed and was supported with numerous amicus briefs from within and outside of the industry, including Ireland.
All U.S. law is subject to the presumption against extraterritoriality, which boils down to the view that all US laws only apply within the U.S. unless Congress explicitly intends for a statute to have extraterritorial effect. Search warrants (for physical items) cannot be executed abroad or compel a third party to generate the same effect. Microsoft claimed that, since no explicit congressional intent to the contrary for digital content exists, that same rule ought to apply to, amongst other things, e-mails. Microsoft therefore asserted that a domestic search warrant for data stored abroad cannot be given and does not have to be executed. The US government on the other hand reasoned firstly that Microsoft is a U.S. based company. It is this fact that controls applicable law, not the location of the storage of data. Secondly, the U.S. government asserted that the relevant law does not contain limits to records not stored domestically. Finally it argued that the order compelling Microsoft to produce the required documents occurs domestically, not abroad, so no extraterritorial effect is required or caused.
This case has made full clear that, as it stands now, the US government cannot order U.S. based companies to produce data that is stored on servers that are located outside of the U.S., which is likely to be of interest to much more companies than just Microsoft. Perhaps even more interesting however are the effects of this case outside the U.S. legal order.
For instance, it will be interesting to see how things develop on the European side after this verdict. Microsoft won this case through their own claim the data was NOT present within the United States, but actually located in Ireland (which also means that Microsoft can tell with certainty where data is located). Large U.S. tech companies, like Microsoft, have in the past often been reluctant to go along with ‘local production orders’ in Europe, claiming they ought to be addressed to their U.S. corporate headquarters. These headquarters are, according to U.S. law, the controlling legal entities in control of the data and its location. But in this case Microsoft effectively took the position that although they are a U.S.-based company, being the controlling legal entity is not decisive, but rather the actual location of storage is. And they won. You can’t have your cake and eat it too.
The European Investigation Order (EIO) is readying itself for its intended position as the pre-eminent instrument of judicial cooperation in criminal matters in the EU, with a strong focus on speed and efficiency. Against this background, European States are bound to take note of this verdict and, looking for prompter mutual legal assistance with much less paperwork and legal norms from a very different systems of law, start sending requests for information intra Europe under its rules. One big caveat there is that Ireland has, for now, not yet opted in to the EIO. Nevertheless it may still cooperate under other European cooperation mechanisms that are likely to be more efficient than requests for mutual assistance outside of Europe.
Perhaps even more interesting academically is a point of pure and fundamental international law. Enforcement jurisdiction (the part that covers investigative measures during a criminal case) is often claimed by the United States under an expansion of the territoriality principle called the effects doctrine. It allows for claiming jurisdiction when the effects of an act (or omission?) occur within a state´s jurisdiction even though no single material-constituent part of a crime is or has been within one’s borders. The effects doctrine was largely developed by the U.S. mainly in anti-cartel cases but has with the rise of internet seen considerable use in that area too, as in this case.
It seems odd that on the one hand you would claim jurisdiction based on the effects of a criminal act abroad inside your territory, but on the other hand would deny or ignore the effects that your enforcement acts have within another jurisdiction. This too seems to be a case of trying to have your cake and eat it too.
It is frequently heard from both practitioners and in academic circles that unless there are ´boots on the ground´ (i.e. physical presence), foreign investigation measures cannot breach the sovereignty of a state. According to those opinions, looking up information on the internet, gaining access to such information over the internet or taking the route the US tried to take here by creating a (fictional) territorial nexus, cannot breach the sovereignty of another nation. These arguments seem to be getting a little long in the tooth. After all, it is undeniable that a search warrant in case like this creates a longa manu effect in the legal order where the data resides, in this case Ireland, even if it is served locally. Had the decision gone the other way, Ireland would have had little to no say about the surrender or extent of the surrender of the e-mails. But does, within certain boundaries of international law, not every sovereign state have absolute and exclusionary power to control what enforcement activities are or are not deployed within its territory and to what extent? Both Ireland and Microsoft certainly and strongly defended that position, with many others in support.
Even if one could agree with the reasons behind the U.S. approach in this, the approach itself is flawed. There are, as touched upon in the RENFORCE blog referenced in the beginning of this blog, reasons to discuss whether or not sovereignty and its corollary non-intervention should in some circumstances be reconsidered. This however should not be done at a purely domestic level, from a purely domestic viewpoint.
This stone has hit the water squarely and with the initial splash died down, it will be interesting to see what effects the ripples create in the pond of public international law.
 Amongst which the ones by Apple, Amazon and a host of other American and international companies
 Amongst which the ones by Jan Philip Albrecht, EU MEP occupied with data privacy; the Electronic Frontier Foundation and Digital Rights Ireland
 Directive 2014/41/EU of the European Parliament and of the Council of 3 April 2014