In today’s global society, many large corporations have operations in countries throughout the world. There are many reasons for this, ranging from favorable tax treatment in the host country to establishing better product distribution. Recently, United States corporations having international locales and operations have had to confront whether their international operations are subject to specific United States laws.
Microsoft recently confronted this very issue. Microsoft conducts business in multiple countries, and stores email account information of its customers in foreign countries. In December 2013, the United States government obtained a warrant from a federal district court in New York, pursuant to the Stored Communications Act (18 U.S.C. § 2701 et seq.), requiring Microsoft to disclose emails of a particular customer the government believed was involved in criminal activity. Upon service of the warrant, Microsoft determined the requested information was stored in Microsoft’s data center in Dublin, Ireland. Because the requested information was outside of the jurisdiction of the federal court, Microsoft refused to produce the information and was subsequently held in contempt by the federal court for its failure to abide by the warrant. On appeal, the United States Circuit Court for the Second Circuit reversed, holding that the warrant was invalid and did not reach activity in a foreign country.
In a case of first impression, the United States government sought further review in the United States Supreme Court. The Supreme Court agreed to hear the case and decide the issue of “whether a United States provider of e-mail services must disclose to the Government electronic communications within its control even if the provider stores the communications abroad.” United States v. Microsoft Corporation, (slip opinion April 17, 2018), 584 U.S. (2018).
On April 17, 2018, the Supreme Court dismissed the appeal given recent congressional legislation Id. Specifically, on March 23, 2018, Congress enacted, and the President signed into law, the Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”). The CLOUD Act amended the Stored Communications Act, under which the Microsoft warrant was issued, to require email service providers to “preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located.” Id. (citing CLOUD Act § 103(a)(1)).
The CLOUD Act provides some certainty regarding the obligations of United States businesses conducting operations in foreign countries, at least with respect to electronic information of their customers. Businesses located in the United States can no longer avoid producing foreign based information of their customers. It will be interesting to see how the CLOUD Act will affect both operations of businesses in the United States and the United States government’s use of the Act to acquire customer information.