Defogging the CLOUD Act

Earlier this year, Congress passed the Clarifying Lawful Overseas Use of Data ("CLOUD") Act. The CLOUD Act is significant because it allows US law enforcement authorities to access the data of US companies held abroad and could allow foreign governments who have entered into an executive agreement with the US to obtain data stored by US companies on servers located in the US. The legislation updates the 1986 Electronic Communications Privacy Act ("ECPA") and its amendment, the Stored Communications Act ("SCA"), which protect wire, oral and electronic communications, including data that is stored electronically.

Although the aim of the SCA was to protect user privacy in the light of increased use of international service providers, the CLOUD Act raises significant concerns regarding the lack of transparency in international data transfers among governments, further extraterritorial reach for foreign governments and the weakening of data protection rights. This comes at a time when data transfers between the US and the European Union are under the microscope given that the Privacy Shield mechanism is due for review in September 2018. There is also significant opportunity for foreign governments without stringent data privacy laws to obtain data under executive agreements without any judicial oversight or other legal protections.

1. Why was the CLOUD Act passed?

On April 15, 2016, Microsoft filed suit against the US Department of Justice and Attorney General in Washington (where Microsoft is headquartered), seeking a declaration that a provision of the ECPA was unconstitutional because it prohibited Microsoft from notifying its customers when a warrant was issued permitting the government to search and seize personal information stored in the Microsoft cloud. Under the SCA a warrant was issued and Microsoft was ordered to allow the US government to seize the email data of a Microsoft customer who was subject to a US narcotics trafficking investigation. Although Microsoft complied with the warrant by producing data stored in the US, it refused to provide any data stored in its overseas facilities in Dublin, Ireland, arguing that the SCA did not grant extraterritorial application and that providing the data would violate the privacy rights the SCA legislation had been enacted to protect. The court agreed that the SCA did not grant a US government warrant any extraterritorial application.

The court's decision was important because it provided an impetus for Congress, having faced pressure from technology companies, civil rights groups and US courts (including the Supreme Court), to implement legislation to address the uncertainty regarding the authority of US law enforcement agencies to access the data of US companies held abroad. The Microsoft v. United States case was dismissed in April 2018 because of the CLOUD Act’s passage.

The CLOUD Act also amends the ECPA so that US companies will be able to comply with lawful foreign law enforcement requests, even if such foreign requests conflict with US law. The legal framework proposed to achieve this - via individual executive agreements with the US - is complex as countries must meet a strict set of requirements, have robust protection for privacy and civil liberties in place and be able to provide reasonable justification for the request.

2. How does the CLOUD Act affect the data of US citizens?

Primarily, data of US citizens that is stored outside the US by a US company will now be accessible to US law enforcement if a valid warrant or subpoena has been issued. Prior to the passage of the CLOUD Act, US law enforcement officials could only access overseas data with the cooperation of the relevant company or using Mutual Legal Assistance Treaties, which require two-thirds approval in the US Senate. The executive agreements contemplated by the CLOUD Act, however, don’t require any Congressional or judicial review and may be entered into upon certification by the Attorney General. There is no process in place for further Congressional or judicial review for incoming foreign governmental requests for access to the data of both US and non-US individuals or any review of compliance with the executive agreement and other CLOUD Act requirements, potentially eroding basic legal protections under US law. Prior to the CLOUD Act, US companies were not required to release electronic communications unless they were provided with a probable cause warrant signed by a US judge. The CLOUD Act effectively eliminates this requirement for foreign governments that have entered into executive agreements.

3. How does the CLOUD Act affect the data of non-US citizens?

For data stored by a US Company in the US, the CLOUD Act doesn’t alter the process a US law enforcement agency needs to undertake in order to access such data. However, the CLOUD Act will affect the data of any person whose information is stored by a US company, including the data of non-US citizens. Post-CLOUD Act, if a US law enforcement agency makes a request for customer data held overseas, the service provider can make a motion to quash the request to a US court if it reasonably believes that (i) the relevant customer or subscriber is not a US person and does not reside in the US and (ii) the required disclosure would create a material risk that the service provider would violate the laws of a qualifying foreign government, ie one with an executive agreement in place.

A US court will quash the request if it finds that (i) the required disclosure would cause the provider to violate the laws of a qualifying foreign government, (ii) looking at the circumstances, the interests of justice dictate that the legal process should be modified or quashed and (iii) the customer or subscriber is not a US person and does not reside in the US. In making its determination under prong (ii), a US court may consider the interests of the US and applicable foreign governments, the location and nationality of the subscriber or customer whose communications are being sought and the nature and extent of the subscriber or customer’s connection to the US.

4. Implications and concerns raised by CLOUD Act

Although there are clear benefits to moving away from litigation, as demonstrated by the Microsoft v United States case, the CLOUD Act does raise serious concerns about the lack of transparency in international data transfers among law enforcement authorities and regulators and the weakening of data protection rights. At a time when the European Commission is due to undertake its annual review of the Privacy Shield mechanism, particularly when concerns have been raised about the ongoing ability of US intelligence agencies to collect data relating to non-US citizens located outside the US and the apparent failure of the US to meet the requirements of the Privacy Shield mechanism, the implementation of the CLOUD Act will increase the tension between the US and EU with respect to international data transfers. It is unlikely that the Privacy Shield program will be suspended but the enactment of the CLOUD Act may precipitate a renegotiation of the terms of the Privacy Shield mechanism.