Microsoft’s four-year legal battle over the U.S. government’s ability to subpoena customer email stored outside of the United States ended abruptly thanks to the passage of new legislation directly governing the subject matter. On March 23, 2018, the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) was signed into law as part of the omnibus spending bill. Only three weeks earlier, Microsoft and the United States each appeared before the U.S. Supreme Court to present argument on the appropriate reach of the government in warrants issued under the Stored Communications Act (SCA). After the passage of the CLOUD Act, the court vacated the prior lower court decisions and directed the district court to dismiss the case as moot. While the CLOUD Act provides clarity as to the permissible reach of the U.S. government, it raises issues of potential conflicts with the laws of other countries, especially as data privacy laws are being strengthened in Europe and elsewhere.

‘Microsoft” Case

The Microsoft case arose when the U.S. government obtained a warrant under Section 2703 of the SCA for email content and information from a Microsoft Network (msn.com) email account. Microsoft had moved to quash the warrant to the extent that it sought information stored on servers outside the United States, specifically in Ireland. The legal question presented was whether a probable-cause-based warrant issued by a magistrate judge under the SCA reaches digitally-stored materials within a service provider’s control, but stored abroad. The U.S. Court of Appeals for the Second Circuit, reversing the district court, held that the SCA did not require service providers to produce email content stored outside the U.S. The Supreme Court granted certiorari and heard argument on February 27, 2018.