Should American Law Apply to Conduct Occurring Abroad?

CONCLUSION (II)

In emphasizing the foregoing, I do not for a moment mean to suggest that this case is not important, or that significant non-privacy interests may not justify a congressional decision to distinguish records stored domestically from those stored abroad. It is important to recognize, however, that the dispute here is not about privacy, but rather about the international reach of American law. That question is important in its own right, and some further clarifications are in order about the division of responsibility between the courts and Congress in addressing it.

The courts have a significant role in the protection of privacy, because the Constitution sets limits on what even the elected representatives of the people can authorize when it comes to searches and seizures. Specifically, the courts have an independent responsibility to interpret the Fourth Amendment, an explicit check on Congress’s power to authorize unreasonable searches. What searches are unreasonable is of course a difficult question, particularly when courts are assessing statutory authorizations of novel types of searches to deal with novel types of threat. In that context, courts need to be especially cautious, and respectful of the judgments of Congress. See, e.g., ACLU v. Clapper, 785 F.3d 787, 824–25 (2d Cir. 2015). But it is ultimately the courts’ responsibility to ensure that constitutional restraints on searches and seizures are respected.

Whether American law applies to conduct occurring abroad is a different type of question. That too is sometimes a difficult question. It will often be tempting to attempt to protect American interests by extending the reach of American law and undertaking to regulate conduct that occurs beyond our borders. But there are significant practical and policy limitations on the desirability of doing so. We live in a system of independent sovereign nations, in which other countries have their own ideas, sometimes at odds with ours, and their own legitimate interests. The attempt to apply U.S. law to conduct occurring abroad can cause tensions with those other countries, most easily appreciated if we consider the likely American reaction if France or Ireland or Saudi Arabia or Russia proclaimed its right to regulate conduct by Americans within our borders.

But the decision about whether and when to apply U.S. law to actions occurring abroad is a question that is left entirely to Congress. See Benz v. Compania Naviera Hidalgo, S.A., 353 U.S. 138, 147 (1957) (Congress “alone has the facilities necessary to make fairly [the] important policy decision” whether a statute applies extraterritorially). No provision of the Constitution limits Congress’s power to apply its laws to Americans, or to foreigners, abroad, and Congress has on occasion done so, expressly or by clear implication. The courts’ job is simply to do their best to understand what Congress intended. Where Congress has clearly indicated that a law applies extraterritorially, as for example in 18 U.S.C. § 2332(a), which prohibits the murder of U.S. citizens abroad, the courts apply the law as written. See RJR Nabisco, Inc. v. European Cmty., 579 U.S. __, __, 2016 WL 3369423, at *9–10 (June 20, 2016). We do the same when a law clearly applies only domestically.

The latter situation is far more common, so common that it is the ordinary presumption. When Congress makes it a crime to “possess a controlled substance,” 21 U.S.C. § 844(a), it does not say that it is a crime to possess dangerous or addictive drugs in the United States. It speaks absolutely, as if proclaiming a universal rule, but we understand that the law applies only here; it does not prohibit the possession of marijuana by a Dutchman, or even by an American, in the Netherlands. “Congress generally legislates with domestic concerns in mind,” RJR Nabisco, 2016 WL 3369423, at *8, quoting Smith v. United States, 507 U.S. 197, 204 n.5 (1993), and so, unless Congress clearly indicates to the contrary, we presume that statutes have only domestic effect.

I have little trouble agreeing with my colleagues that the SCA does not have extraterritorial effect. As the Supreme Court recently made clear in RJR Nabisco, the presumption applies not only to statutes that straightforwardly regulate or criminalize conduct, but also to jurisdictional, procedural and remedial statutes. Id. at *15–16; see also Loginovskaya v. Batratchenko, 764 F.3d 266, 272 (2d Cir. 2014) (rejecting the argument that the presumption “governs substantive (conduct-regulating) provisions rather than procedural provisions”). Moreover, RJR Nabisco also reemphasized that the relevant question is not whether we think Congress “would have wanted” the statute to apply extraterritorially had it foreseen the precise situation before us, but whether it made clear its intention to give the statute extraterritorial effect. RJR Nabisco, 2016 WL 3369423, at *7. There is no indication whatsoever in the text or legislative history that Congress intended the Act to have application beyond our borders. It would be quite surprising if it had. The statute was adopted in the early days of what is now the internet, when Congress could hardly have foreseen that multinational companies providing digital services of all sorts would one day store vast volumes of communications and other materials for ordinary people and easily be able to move those materials across borders at lightning speed. See Majority Op. at 14.

The tricky part, in a world of transnational transactions taking place in multiple jurisdictions at once, is deciding whether a proposed application of a statute is domestic or extraterritorial. That determination can be complicated even for criminal acts when they touch on multiple jurisdictions, but the problem is particularly acute when we deal not with a simple effort to regulate behavior that – given the physical limitations of human bodies – can often be fixed to a specific location, but with statutes that operate in more complex fashions. If SCA warrants were traditional search warrants, permitting law enforcement agents to search a premises and seize physical objects, the extraterritoriality question would be relatively easy: a warrant authorizing a search of a building physically located in Ireland would plainly be an extraterritorial application of the statute (and it would be virtually inconceivable under ordinary notions of international law that Congress would ever attempt to authorize any such thing). But as the government points out, this case differs from that classic scenario with respect to both the nature of the legal instrument involved and the nature of the evidentiary material the government seeks.

First, the “warrant” required for the government to obtain the emails sought in this case does not appear to be a traditional search warrant. Significantly, the SCA does not describe the warrant as a search warrant. Nor does it contain language implying (let alone saying outright) that the warrant to which it refers authorizes government agents to go to the premises of a service provider without prior notice to the provider, search those premises until they find the computer, server or other device on which the sought communications reside, and seize that device (or duplicate and “seize” the relevant data it contains).[3] Rather, the statute expressly requires the “warrant” not to authorize a search or seizure, but as the procedural mechanism to allow the government to “require a [service provider] to disclose the contents of [certain] electronic communication[s]” without notice to the subscriber or customer. 18 U.S.C. § 2703(b)(1)(A). Parallel provisions permit the government to require equivalent disclosure of the communications by the service provider by a simple administrative subpoena or by a court order, provided only that notice is provided to the subscriber. Id. § 2703(b)(1)(B).[4] Indeed, the various methods of obtaining the communications, with or without notice, are not merely parallel – they all depend on the same verbal phrase. They are simply alternative means, applicable in different circumstances, to “require [the service provider] to disclose [the communications].” Id. § 2703(a), (b).

This difference is significant if we are looking to determine the “focus” of the SCA for purposes of determining whether a particular application of the statute is or is not extraterritorial. See Morrison v. Nat’l Australia Bank Ltd., 561 U.S. 247, 266–69 (2010). A search warrant “particularly describing the place to be searched, and the persons or things to be seized,” U.S. Const. amend. IV, is naturally seen as focused on the place to be searched; as explained above, if the government argued that a statute authorized a search of a place outside the United States, that would clearly be an extraterritorial application of the statute. Here, however, the SCA warrant provision does not purport to authorize any such thing. Just like the parallel subpoena and court order provisions, it simply authorizes the government to require the service provider to disclose certain communications to which it has access.[5] The government quite reasonably argues that the focus of such a provision is not on the place where the service provider stores the communications, but on the place where the service provider discloses the information to the government, as requested.[6]

The nature of the records demanded is also relevantly different from that of the physical documents sought by traditional search warrants. Tangible documents, having a material existence in the physical world, are stored in a particular physical location. Executing a traditional search warrant requires a visit to that location, to visually inspect the documents to select the responsive materials and to take those materials away. Even when tangible documents are sought by subpoena, rather than by search warrant, it is arguable that the focus of the subpoena, for extraterritoriality purposes, is on the place where the documents are stored, since in order to comply with a subpoena seeking documents stored abroad, corporate employees will have to be present in the foreign location where the documents exist to inspect and select the relevant documents, which will then have to be transported out of that location and into the United States.

Electronic “documents,” however, are different. Their location on a computer server in a foreign country is, in important ways, merely virtual. See Orin S. Kerr, The Next Generation Communications Privacy Act, 162 U. Pa. L. Rev. 373, 408 (2014) (explaining that “the very idea of online data being located in a particular physical ‘place’ is becoming rapidly outdated,” because computer files can be fragmented and dispersed across many servers). Corporate employees in the United States can review those records, when responding to the “warrant” or subpoena or court order just as they can do in the ordinary course of business, and provide the relevant materials to the demanding government agency, without ever leaving their desks in the United States. The entire process of compliance takes place domestically.

The government’s characterization of the warrant at issue as domestic, rather than extraterritorial, is thus far from frivolous, and renders this, for me, a very close case to the extent that the presumption against extraterritoriality shapes our interpretation of the statute. One additional potential fact heightens the complexity. We do not know, on this record, whether the customer whose emails were sought by the government is or is not a United States citizen or resident. It is not clear that whether the customer is a United States person or not matters to the rather simplistic “focus” test adopted by the Supreme Court in Morrison, although it would have mattered to the more flexible test utilized by the Second Circuit in that case. See Morrison v. Nat’l Australia Bank Ltd., 547 F.3d 167, 171 (2d Cir. 2008). But it seems to me that it should matter. The Supreme Court has rightly pointed out that the presumption against extraterritoriality is more than simply a means for avoiding conflict with foreign laws. See Morrison, 561 U.S. at 255. At the same time, the presumption that Congress legislates with domestic concerns pre-eminent in its collective mind does not fully answer the question what those domestic concerns are in any given case. See id. at 266. Particularly in connection with statutes that provide tools to law enforcement, one imagines that Congress is concerned with balancing liberty interests of various kinds against the need to enforce domestic law. Thus, when Congress authorizes the (American) government to obtain access to certain information, one might imagine that its focus is on balancing the liberty interests of Americans (and of other persons residing in the U.S.) against the need to enforce American laws. Congress might also reasonably be concerned about the diplomatic consequences of over-extending the reach of American law enforcement officials. This suggests a more complex balancing exercise than identifying a single “focus” of the legislation, the latter approach being better suited to determining whether given conduct fitting within the literal words of a prohibition should be characterized as domestic or extraterritorial.[7]

Because Microsoft relies solely on customers’ self-reporting in classifying customers by residence, and stores emails (but only for the most part, and only in the interests of efficiency and good customer service) on local servers – and because the government did not include in its warrant application such information, if any, as it had about the target of its investigation – we do not know the nationality of the customer. If he or she is Irish (as for all we know the customer is), the case might present a troubling prospect from an international perspective: the Irish government and the European Union would have a considerable grievance if the United States sought to obtain the emails of an Irish national, stored in Ireland, from an American company which had marketed its services to Irish customers in Ireland. The case looks rather different, however – at least to me, and I would hope to the people and officials of Ireland and the E.U. – if the American government is demanding from an American company emails of an American citizen resident in the U.S., which are accessible at the push of a button in Redmond, Washington, and which are stored on a server in Ireland only as a result of the American customer’s misrepresenting his or her residence, for the purpose of facilitating domestic violations of American law, by exploiting a policy of the American company that exists solely for reasons of convenience and that could be changed, either in general or as applied to the particular customer, at the whim of the American company. Given that the extraterritoriality inquiry is essentially an effort to capture the congressional will, it seems to me that it would be remarkably formalistic to classify such a demand as an extraterritorial application of what is effectively the subpoena power of an American court.

These considerations give me considerable pause about treating SCA warrants as extraterritorial whenever the service provider from whom the government seeks to require production has chosen to store the communications on a server located outside the United States. Despite that hesitation, however, I conclude that my colleagues have ultimately reached the correct result. If we frame the question as whether Congress has demonstrated a clear intention to reach situations of this kind in enacting the Act, I think the better answer is that it has not, especially in the case (which could well be this one) of records stored at the behest of a foreign national on servers in his own country. The use of the word “warrant” may not compel the conclusion that Congress intended to reach only domestically-stored communications that could be reached by a conventional search warrant, because, for the reasons given above, that label should not be controlling. Cf. Big Ridge, Inc. v. Fed. Mine Safety & Health Review Comm’n, 715 F.3d 631, 645–46 (7th Cir. 2013) (explaining that “we look to the substance of [the government’s] inspection power rather than how the Act nominally refers to those powers,” and holding that document requests under the Mine Safety and Health Act of 1977 should be treated as administrative subpoenas rather than as a search or seizure). But it is hard to believe that Congress would have used such a loaded term, and incorporated by reference the procedures applicable to purely domestic warrants, if it had given any thought at all to potential transnational applications of the statute. Nor is it likely that Congress contemplated such applications for a single moment. The now-familiar idea of “cloud” storage of personal electronic data by multinational companies was hardly foreseeable to Congress in 1986, and the related prospects for diplomatic strife and implications for American businesses operating on an international scale were surely not on the congressional radar screen when the Act was adopted. We should not lightly assume that Congress chose to permit SCA warrants for communications stored abroad when there is no sign that it considered the consequences of doing so. See Kiobel v. Royal Dutch Petroleum Co., 133 S. Ct. 1659, 1664 (2013) (“The presumption against extraterritorial application helps ensure that the Judiciary does not erroneously adopt an interpretation of U.S. law that carries foreign policy consequences not clearly intended by the political branches.”). Thus, while I think the case is closer – and the government’s arguments more potent – than is reflected in the Court’s opinion, I come out in the same place.

[3] I do note, however, that the particular warrant in this case states that the government “requests the search of” a “PREMISES” and “COMMAND[S]” an officer to “execute” the warrant on or before a certain date and time. J.A. 44. Neither party argues that this case turns on the language in the warrant itself, and the government explains that this language was included only because the warrant “was prepared using the generic template for search warrants.” Gov’t Br. 20. Nevertheless, it is worth emphasizing that the government itself chose the “template” it used to create the warrant it then asked the magistrate judge to sign. It is, to say the least, unimaginative for the government to utilize a warrant form that purports to authorize conduct that the statute under which it is obtained plainly does not permit, and then to turn around and argue that this sort of warrant is completely different from what its language tells us it is, and that the language is unimportant because the government simply used the same formal template it uses under other, more traditional circumstances involving physical searches.

[4] One category of communications – those held “in electronic storage” by an electronic communication service for one hundred and eighty days or less – is reachable only by SCA warrant, with or without notice to the customer. 18 U.S.C. § 2703(a). But, although we ourselves have not addressed the issue, the majority view is that, once the user of an entirely web-based email service (such as Microsoft’s) opens an email he has received, that email is no longer “in electronic storage” on an electronic communication service. See Lazette v. Kulmatycki, 949 F. Supp. 2d 748, 758 (N.D. Ohio 2013); Crispin v. Christian Audigier, Inc., 717 F. Supp. 2d 965, 987 (C.D. Cal. 2010); United States v. Weaver, 636 F. Supp. 2d 769, 773 (C.D. Ill. 2009); Jennings v. Jennings, 736 S.E.2d 242, 245 (S.C. 2012); id. at 248 (Toal, C.J., concurring in the result); Kerr, A User’s Guide, supra, at 1216–18 & n.61; cf. Anzaldua v. Ne. Ambulance & Fire Prot. Dist., 793 F.3d 822, 840–42 (8th Cir. 2015) (message retained on Gmail server in “sent” folder was not in electronic storage). But see Cheng v. Romo, Civ. No. 11- 10007-DJC, 2013 WL 6814691, at *3–5 (D. Mass. Dec. 20, 2013); Pure Power Boot Camp v. Warrior Fitness Boot Camp, 587 F. Supp. 2d 548, 555 (S.D.N.Y. 2008); cf. Theofel v. FareyJones, 359 F.3d 1066, 1075–77 (9th Cir. 2003) (message is in electronic storage until it “has expired in the normal course”). Under that reading of the statute, only emails that have not yet been opened by the recipient fall into the category described above.

[5] Although the Supreme Court has not addressed the question, there is considerable case law, including in this circuit, permitting the exercise of subpoena powers in precisely the situation in which the government demands records located abroad from an American company, or a foreign company doing business here. See, e.g., Linde v. Arab Bank, PLC, 706 F.3d 92 (2d Cir. 2013); United States v. Bank of Nova Scotia, 740 F.2d 817 (11th Cir. 1984); Marc Rich & Co., A.G. v. United States, 707 F.2d 663 (2d Cir. 1983); United States v. First Nat’l City Bank, 396 F.2d 897, 900–01 (2d Cir. 1968) (“It is no longer open to doubt that a federal court has the power to require the production of documents located in foreign countries if the court has in personam jurisdiction of the person in possession or control of the material.”). At least as far as American courts are concerned (some foreign governments may think otherwise), such demands for the production of records are not seen as categorically impermissible extraterritorial uses of American investigatory powers, in the way that search warrants for foreign locations certainly would be. Compare Restatement (Third) of Foreign Relations Law § 442(1)(a) (“A court or agency in the United States, when authorized by statute or rule of court, may order a person subject to its jurisdiction to produce documents, objects, or other information relevant to an action or investigation, even if the information or the person in possession of the information is outside the United States.”) with id. § 433(1) (“Law enforcement officers of the United States may exercise their functions in the territory of another state only (a) with the consent of the other state and if duly authorized by the United States; and (b) in compliance with the laws both of the United States and of the other state.”).

Microsoft attempts to distinguish the cases cited above on the ground that the subpoenas in those cases required their recipients to disclose only the contents of their own business records, and not the records of a third party “held in trust” by the recipients. Appellant’s Br. 48.

“Email correspondance,” Microsoft explains, is unlike bank records because it “is personal, even intimate,” and “can contain the sum of an individual’s private life.” Id. at 44 (internal quotation marks omitted). Even assuming, however, that Microsoft accurately characterizes the cases it seeks to distinguish, but cf. In re Horowitz, 482 F.2d 72 (2d Cir. 1973) (partially upholding a subpoena requiring an accountant to produce the contents of three locked file cabinets belonging to a client), this privacy-based argument is, as explained above, a red herring. Microsoft does not dispute that the government could have required the disclosure of the emails at issue here if they were stored in the United States, and Microsoft’s decision to store them abroad does not obviously entitle their owner to any higher degree of privacy protection.

[6] As the government notes, the selection of the term “warrant” to describe an instrument that does not operate like a traditional arrest or search warrant is easily explained by the fact that the provision in question, which permits government access to a person’s stored communications without notice to that person, provides the highest level of privacy protection in the statute: the requirement that an independent judicial officer determine that probable cause exists to believe that a crime has been committed and that evidence of that crime may be found in the communications demanded. The showing necessary to obtain judicial authorization to require the service provider to disclose the communications is that associated with traditional warrants; the manner in which the disclosure is obtained by the government, however, is more closely analogous to the workings of subpoenas and court-ordered discovery: the government serves the service provider with an order from a court that requires the service provider to look within its records and disclose the specified information to the government; it does not present to the service provider a court order that permits government agents to search through the service provider’s premises and documents and seize the specified information.

[7] While, for these reasons, it may be impossible to answer satisfactorily the question what the single focus of the SCA is, I note that I have considerable doubts about the answer supplied by the Court, which holds that the SCA provisions at issue here “focus on protecting the privacy of the content of a user’s stored electronic communications.” Majority Op. at 33. Privacy, however, is an abstract concept with no obvious territorial locus; the conclusion that the SCA’s focus is privacy thus does not really help us to distinguish domestic applications of the statute from extraterritorial ones. “The real motor of the Court’s opinion,” Morrison, 561 U.S. at 284 (Stevens, J., concurring in the judgment), then, is less the conclusion that the statute focuses on privacy than the majority’s further determination that the locus of the invasion of privacy is where the private content is stored – a determination that seems to me suspect when the content consists of emails stored in the “cloud.” It seems at least equally persuasive that the invasion of privacy occurs where the person whose privacy is invaded customarily resides.