A recent ruling by the Court of Appeals for the 2nd Circuit shut down for the time being efforts to force tech companies to turn over users’ personal data. Coupled with news that the U.S is reaching out to foreign governments in an effort to gain access to data held overseas, these developments represent a confluence of privacy rights and public safety issues that has come to the forefront in light of recent terrorist attacks, and highlight the diffuse nature of data in an age of increasing globalization.
This topic is somewhat out of my blog’s wheelhouse, but I feel compelled to report on it because of the precarious state of data confidentiality and the implications for the attorney-client privilege. I encourage all of my clients to bypass Gmail and other standard email platforms in favor of my encrypted client portal. In contrast, email messages and attachments on the big platforms like Gmail, Hotmail, or Yahoo are unencrypted and may be splintered into chunks that are stored on different servers in data centers far from the user’s location.
However, some do not heed my advice, and I offer as a case in point of the perils of using unencrypted client communications one instance in which I experienced the horror of receiving a clearly privileged communication from opposing counsel in a separate matter (a rather prominent attorney in my parts I might add). I surmise that I was the recipient due to a Gmail function that auto-populates recipient fields, and the fact that I have a very common name didn’t help. But I digress…
The current Microsoft litigation, known as the “Microsoft Ireland” case, centered around the district court’s denial of Microsoft’s motion to quash a warrant issued under the Stored Communications Act (18 U.S.C. §§ 2701 et seq.) that ordered the company to produce the contents of a customer’s e‐mail account stored on a server located in Ireland. As a result of its failure to comply Microsoft was held in contempt of court. The data was sought in connection with a drug trafficking investigation.
Microsoft opposed the warrant by disputing the nature and reach of the warrant, arguing that it shouldn’t be forced to produce data held in another country. The government characterized the case as one of “compelled disclosure,” akin to a subpoena requiring the recipient “to deliver records, physical objects, and other materials to the government” regardless of where those materials are located, “so long as they are subject to the recipient’s custody or control.” In support of its position the government presented precedent construing subpoenas as imposing a broad obligation “to produce without regard to a document’s location. “
The Second Circuit court reversed, vacated, and remanded, holding that §2703 of the Stored Communications Act “does not authorize courts to issue and enforce against U.S.‐based service providers warrants for the seizure of customer e‐mail content that is stored exclusively on foreign servers.” In the aftermath of the decision the Justice Department said the ruling undermines public safety and the pursuit of justice for the victims of crime, and suggested the department might appeal to the Supreme Court. Microsoft President and Chief Legal Officer Brad Smith said it was “a major victory for the protection of people’s privacy rights under their own laws, rather than the reach of foreign governments.”
Going forward, pressure will be on Congress to address this simmering issue that requires a delicate balance between enhancing law enforcement capabilities and protecting fundamental privacy rights.