The Department of Justice is trying to appeal to the U.S. Supreme Court a landmark email privacy case that bars the government from accessing emails held by U.S. companies but stored on overseas servers.
Justice Department attorneys filed a motion to take the case to the nation’s highest court Friday, claiming a lower federal court “seriously misinterpreted” the Electronic Communications Privacy Act (ECPA), the 31-year-old Reagan-era legislation and the basis of the government’s case, which grants law enforcement default access to any stored electronic communications after 180 days.
The petition comes after the Second Circuit Court of Appeals ruled last July that ECPA “does not authorize courts to issue and enforce against U.S.-based service providers warrants for the seizure of customer e-mail content that is stored exclusively on foreign servers.”
“The panel reached that unprecedented holding by reasoning that such a disclosure would be an extraterritorial application of the Act — even though the warrant requires disclosure in the United States of information that the provider can access domestically with the click of a computer mouse,” DOJ said in its Friday filing.
Microsoft and DOJ have been battling it out over the Outlook emails of a suspected drug trafficker in Dublin, Ireland since 2014, when the government ordered the Redmond-based tech giant to turn over those emails as part of an FBI investigation.
Under ECPA — passed in 1986 — the government can subpoena U.S. companies’ business records after they’re 180-days old. In recent years, the definition of eligible business records has expanded to include Americans’ stored emails after they reach the six-month threshold.
In an effort to protect users’ private data in the wake of mass surveillance programs disclosed by NSA whistleblower Edward Snowden in 2013, Microsoft — along with the ACLU and others — have spent years fighting the order and lobbying for ECPA reform. They and other privacy advocates argue the DOJ has no authority to compel the Windows maker to turn over data stored on another country’s sovereign soil, and that DOJ must request the emails from the foreign government in question.
The government argues that as a company based in the U.S., Microsoft is obligated to adhere to the law, regardless of the physical location of the server itself.
In July 2014 the U.S. District Court for the Southern District of New York agreed with DOJ and ordered Microsoft to comply with the search warrant. The Second Circuit Court of Appeals overturned that decision last July.
Microsoft President Brad Smith responded to the DOJ motion in a blog post Friday, arguing “[i]t seems backward to keep arguing in court when there is positive momentum in Congress toward better law for everyone.
“The DOJ’s position would put businesses in impossible conflict-of-law situations and hurt the security, jobs, and personal rights of Americans,” Smith wrote, repeating the argument Microsoft made in court that DOJ was forcing it to decide whether to obey U.S. laws or those of another country in Europe, where user data and privacy have much stronger protections than in the U.S.
The case has spurred a round of congressional hearings, including one each in the House and Senate in June, examining the issue of ECPA reform. Revisiting the 31-year-old law with the intention of strengthening privacy protections over Americans’ email has been a rare point of bipartisanship of Capitol Hill since the case went to court.
“The litigation path DOJ is now trying to extend in parallel to legislative progress seeks to require the Supreme Court to decide how a law written three decades ago applies to today’s global internet,” Smith’s post reads. “The previous decision was soundly in our favor, and we’re confident our arguments will be persuasive with the Supreme Court.”
If the decision is reversed, he warned, “there would be little basis for us to reject requests from other governments for American email.”
Congress has yet to pass a bill outlining ECPA reform and updating mutual legal assistance treaties (MLATs), through which the government typically obtains this type of information for criminal proceedings. But the European Union is less than a year away from implementing the General Data Protection Regulation, which would strengthen data privacy protections for EU citizens and make it illegal for a company to bring customer data from Europe into the U.S. in response to a U.S. search warrant.