On March 23, 2018, President Trump signed into law the Consolidated Appropriations Act, 2018, which contained a section entitled the Clarifying Lawful Overseas Use of Data (CLOUD) Act. The CLOUD Act significantly revises the rules underlying law enforcement requests for access to communications information stored abroad, and may have far-reaching implications for companies that collect, transmit, and store such communications.

The CLOUD Act resolves an ambiguity in federal law that increasingly served as a flashpoint between tech companies and law enforcement. Most prominently, this question was posed to the U.S. Supreme Court in United States v. Microsoft Corp., a case originating in 2013 that the Court heard on February 27, 2018. In Microsoft, the United States argued that U.S.-based service providers could be compelled to turn over responsive data when served with a warrant, whether held in America or abroad. Microsoft argued that the government’s warrant authority only reached data held in the U.S. itself. Before the Court handed down a decision, however, the CLOUD Act was passed, and with the case moot, the Court remanded and dismissed it at the request of both sides.

The CLOUD Act resolves the question regarding law enforcement access to information stored abroad by amending the Stored Communications Act (SCA),1 a component of the Electronic Communications Privacy Act of 1986 (ECPA). ECPA and the SCA predate widespread use of the Internet and therefore did not contemplate the evolving services now available via the Internet, including those provided by cloud providers and similar companies that may store data in distant data centers for business and security reasons. Nonetheless, ECPA and the SCA establish the rules by which the government may access information about customers held by, among others, Internet service providers, email services, cloud storage services, and similar service providers. The SCA also prohibits the disclosure of certain information held by these entities except for reasons enumerated in the statute, including complying with law enforcement requests. Service providers have been concerned that disclosures required by the law of foreign nations may violate the SCA, because such a disclosure is not among the enumerated reasons for which disclosure is permitted, putting them in the position of choosing which country’s law to abide by.

Historically, when U.S. law enforcement sought information held abroad (and vice versa), the request would be made pursuant to a Mutual Legal Assistance Treaty (MLAT). These agreements allow one nation to channel a diplomatic request for information to the other, overcoming traditional foreign jurisdictional hurdles. The MLAT system has been criticized, however, for being too slow given the rate of modern, digital communications, and an MLAT does not exist between the U.S. and all foreign nations. Further, because of the limitations of the MLAT system, some countries have considered imposing data localization requirements—laws requiring companies to store data within the country’s boundaries—so that it would always be accessible to law enforcement.

The CLOUD Act aims to reduce the reliance on MLATs and may discourage the adoption of data localization requirements by making two significant changes to the SCA. First, the act requires service providers to respond to law enforcement requests to preserve or produce customer information in accordance with the SCA, even if a provider stores that information abroad. Specifically, the CLOUD Act requires a “provider of electronic communication service or remote computing service” to comply with a U.S. law-enforcement order to disclose data within its “possession, custody, or control,” even when that data is “located … outside the United States.”2 This change expands the geographic range of the SCA without altering the types of information or the entities covered by the SCA, and it thereby effectively resolves the ambiguity the Supreme Court was considering in the Microsoft case.

Simultaneously, the CLOUD Act creates a new statutory basis for service providers to move to quash an order based on comity grounds. In limited situations, when the U.S. seeks the data of a foreigner located outside the U.S., and the request generates a conflict with the law of a “qualifying” foreign government, the service provider may challenge the request. A “qualifying” foreign government is one that has entered into an executive agreement with the U.S., as discussed further below. This provision helps resolve the concern service providers had about complying with multiple nations’ conflicting laws.

Second, the act allows foreign governments that qualify under new rules to directly submit requests for information held by U.S.-based service providers, and vice versa. More specifically, Section 105 of the CLOUD Act creates a pathway for the U.S. to enter into executive agreements with foreign governments that meet certain privacy and human rights requirements. If the U.S. enters into an agreement with such a country, the U.S. and the foreign country may directly make requests to service providers in the other country. Foreign governments only qualify if the U.S. Attorney General, in conjunction with the U.S. Secretary of State, certifies in writing, and with an accompanying explanation, that the foreign government “affords robust substantive and procedural protections for privacy and civil liberties in light of the data collection and activities of the foreign government that will be subject to the agreement.” For instance, a prospective qualifying country must have “protection from arbitrary and unlawful interference with privacy,” fair trial rights, and freedom of expression. Qualifying foreign governments must adopt minimization procedures with respect to the acquisition, retention, and dissemination of U.S. person data, and agreements entered into pursuant to this provision of the CLOUD Act are subject to review and disapproval by Congress.

Requests made by qualifying foreign governments to U.S. service providers must abide by a number of limitations, including:

  • a prohibition on intentionally targeting a U.S. person. For such data, all foreign governments will continue to be required to utilize the MLAT mechanism and obtain a warrant based on probable cause;
  • a prohibition on indirectly targeting U.S. persons and on the foreign government sharing that data back with the U.S. (unless it relates to “significant harm, or the threat thereof, to the U.S. or U.S. persons, including crimes involving national security such as terrorism, significant violent crime, child exploitation, transnational organized crime, or significant financial fraud”);
  • a requirement that requests pertain to a specific person;
  • a requirement that requests be based on “articulable and credible facts”—a standard meant to mimic the U.S.’s probable cause standard;
  • a requirement that requests be “subject to review or oversight by a court, judge, magistrate, or other independent authority”;
  • a prohibition on the use of data to infringe on freedom of speech and other human rights standards; and
  • a requirement that the foreign government agree to compliance reviews by the U.S.

In addition, live intercept orders must meet additional criteria. They must be for a “fixed, limited duration” and “not last any longer than is reasonably necessary to accomplish the approved purposes.” Additionally, they may be issued “only if the same information could not reasonably be obtained by another less intrusive method.”

A coalition of privacy, civil liberties, and human rights organizations, including the ACLU and Center for Democracy & Technology (CDT), sent a letter to Congress urging opposition to the CLOUD Act before its passage, stating that it “fails to protect the rights of Americans and individuals abroad, and would place too much authority in the hands of the executive branch with few mechanisms to prevent abuse.”3 Additionally, the Electronic Frontier Foundation (EFF) criticized the act because it bypasses the legal safeguards of the MLAT regime, and because “U.S. law enforcement agencies (from local police to federal agents) can now compel U.S. and foreign technology companies to disclose communications data of U.S. and foreign users that is stored overseas, regardless of the data’s physical location, potentially bypassing the countries’ privacy and data protection laws.”4 Some companies, on the other hand, provided support for the CLOUD Act. Microsoft, for example, stated in a blog post after the act’s passage that the act “is an important milestone in the journey to modernize the law, enable enforcement officials to do their jobs and protect people’s privacy rights across borders,” but that “it’s not the end of the road” and “[t]here remains important and urgent work ahead of us.”5

The United Kingdom is widely expected to be the first foreign nation to enter into an executive agreement under the CLOUD Act, as the U.S. had entered into negotiations with the UK on a similar executive agreement before the CLOUD Act was proposed. Additionally, reports indicate that the European Union is working on legislation that would provide EU law enforcement with access to U.S.-stored data, regardless of potential conflicts with ECPA.

Although the ambiguity that necessitated the CLOUD Act has been resolved, new challenges concerning its implementation are only just arising. With the act signed and executive agreements being negotiated, companies that collect and store information implicated by the SCA and CLOUD Act will need to revise or create policies to account for the requests for information stored abroad, which are likely to dramatically increase, and a new species of requests—those from foreign governments, which may deserve special scrutiny.

1 18 U.S.C. 121.

2 CLOUD Act § 103(a).

3 ACLU, CDT, EFF, et al., Coalition Letter on CLOUD Act (2018), available at https://www.aclu.org/letter/coalition-letter-cloud-act.

4 Katitza Rodriguez, The U.S. CLOUD Act and the EU: A Privacy Protection Race to the Bottom, EFF Deeplinks (Apr. 9, 2018), https://www.eff.org/deeplinks/2018/04/us-cloud-act-and-eu-privacy-protection-race-bottom.

5 Brad Smith, The CLOUD Act is an important step forward, but now more steps need to follow, Microsoft On the Issues (Apr. 3, 2018), https://blogs.microsoft.com/on-the-issues/2018/04/03/the-cloud-act-is-an-important-step-forward-but-now-more-steps-need-to-follow/.