Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Consumer Privacy

Ninth Circuit Extends the Protections of the ECPA to Foreign Citizens


 Thanks to Steven Spagnolo for his substantial assistance in drafting this entry.

On October 3rd, the Court of Appeals for the Ninth Circuit became the first appeals court to extend the protections of the Electronic Communications Privacy Act (“ECPA”) to non-U.S. citizens when it held in Suzlon Energy Ltd. v. Microsoft Corp. that the Stored Communications Act (“SCA”) provisions of the ECPA protect the confidentiality of all email communications stored in the United States, not just those of U.S. citizens.  This broadening of the jurisdictional scope of the ECPA and SCA is likely to result in increased data privacy protection for foreign citizens, at least with regard to email communications that are physically stored on servers located in the U.S. In addition, the expanded scope of the law may simplify the process by which electronic communications service providers respond to requests for stored communications, likely alleviating the need to engage in an assessment of the citizenship of the data subject whose communications are sought.  

The case concerned Suzlon Energy’s subpoena demanding that Microsoft turn over the contents of email communications belonging to Rajagopalan Sridhar, an Indian citizen who had an account with Microsoft’s cloud-based Hotmail email service, for use in a pending civil fraud proceeding against Sridhar in Australia.  Microsoft refused to provide the requested information, which was housed on its servers in the U.S., on the basis that doing so would violate the SCA’s provision prohibiting an “electronic communication service” from divulging the “contents of a communication while in electronic storage by that service.”  Suzlon Energy sought the court’s assistance in obtaining the contents of Sridhar’s email communications, arguing that Congress only intended the law to apply to U.S. citizens.

In finding that the protections of this provision of the SCA are not limited solely to U.S. citizens, the three-judge panel relied on the plain text of the statute.  In pertinent part, the SCA’s protections extend to “any person or entity who — (A) uses an electronic communication service; and (B) is duly authorized by the provider of such service to engage in such use,” and the court interpreted “any person” to truly mean any person, including non-U.S. citizens.  In support of this interpretation, the court cited to the fact that Congress included numerous exceptions and limitations to the SCA provision in question, but citizenship was not among them, evidencing a desire to not restrict the provision’s application solely to U.S. citizens. 

To this point, District Judge Andrew J. Guilford, writing for the panel, stated that “Congress knows how to explicitly limit a statute to U.S. citizens when it intends to so.”

Although the case was decided on an interpretation of the plain text of the statute, the court also examined the legislative history for its “instructive value.”  It concluded that although the legislative history demonstrated that Congress’ intent in passing the SCA was to protect the privacy interests of U.S. citizens, it did not necessarily follow that Congress intended to exclude non-U.S. citizens from the purview of the statute.  In fact, the court stated that extending the SCA to cover “all domestic communications, regardless of who sent them” is necessary to fully protect U.S. citizens.  In addition, the court noted that a contrary interpretation of the SCA would put email service providers in the “untenable” position of having to determine the citizenship status of its account holders, an exercise that would be “costly, fact-intensive, and difficult.”  

This holding strengthens the privacy protections of the SCA, and of the broader ECPA (including its wiretapping provisions), extending the scope of individuals to which it applies past that of the 4th Amendment by providing protection to all persons, including non-U.S. citizens.  Provided the Ninth Circuit’s decision remains undisturbed, email communications housed within the U.S. will be protected by the SCA, regardless of the citizenship of the owner of the content. The Ninth Circuit’s interpretation would seemingly be welcome news to those in the European Union who have voiced concerns about the inadequacy of privacy protections for European Union data subjects while their content is stored in the U.S.  On the contrary, the decision may not be as well received by law enforcement agencies as it could make their job more difficult, at least with respect to investigations of non-U.S. citizens.  In many cases, a warrant is necessary to obtain the content of email communications protected by the SCA, and by broadening the coverage of the SCA to also include non-U.S. citizens, the Ninth Circuit’s decision would require law enforcement to follow established procedures for all email accounts.

While this case extended the reach of the ECPA, the court made clear that its holding was limited to data stored in the U.S., electing to not address whether the ECPA applies to documents stored or acts occurring outside the U.S.  The court stated that “it’s clear that the ECPA at least applies whenever the requested documents are stored in the United States.  The Court does not address here whether the ECPA applies to documents stored or acts occurring outside of the United States.”

As it addressed the limitations of its holding, the court cited to Zheng v. Yahoo! Inc., in which a different Ninth Circuit panel found that the ECPA does not cover acts that occur outside of the U.S., namely the interception of email communications under the ECPA’s wiretapping provisions.  However, the holding in Zheng did not specifically address whether the ECPA would apply to data stored outside the U.S.  As a result, there remains some uncertainty as to whether the ECPA will protect email communications stored on foreign soil.

Although the jurisdictional limit of the ECPA and SCA must be drawn somewhere, the fact that the location of the server which houses the email communications could be dispositive as to whether those communications are protected by the SCA is a potential cause for concern. From the end user’s perspective, it would be difficult to know and likely impossible to control where email communications are stored, resulting in end users being at the mercy of email and Internet service providers with respect to whether their data is protected by the SCA.  From the perspective of service providers that house data both within and outside of the U.S., the necessity to determine where the data is housed when responding to requests for stored communications could create an additional layer of complexity in the process.

Ultimately, both end users and service providers will likely benefit from the expanded jurisdictional scope of the ECPA and SCA. For end users, those likely benefits take the form of additional data privacy protections, and for service providers, the ability to respond uniformly to requests for stored communications without regard for the citizenship of the data subject in question. However, both end users and service providers should be cognizant of the potential limitation on this expanded scope of the ECPA and SCA to data which is stored on servers in the U.S.