After several years of uncertainty over the US government's power to reach data stored overseas, Congress has enacted the Clarifying Lawful Overseas Use of Data Act (the CLOUD Act). Signed into law by the President, the CLOUD Act amends the Stored Communications Act to confirm that the US government may obtain data stored abroad.
The CLOUD Act also allows foreign governments under some circumstances to obtain data stored within the United States.
Finally, the CLOUD Act provides a limited procedure for challenging US data warrants based on foreign conflicts of laws; however, the contours of that remedy are untested and not clearly delineated.
1. The CLOUD Act puts new requirements on electronic communications providers to store and produce data to the government
The CLOUD Act puts new obligations on electronic communications providers (such as email providers or cloud storage providers) in the US to preserve and disclose customer data stored overseas with those providers or their subsidiaries. This new provision applies to any provider within the subpoena power of the US courts and to any data within the provider's "custody, control or possession." CLOUD Act § 103(a) (to be codified at 18 U.S.C. § 2713).
Specifically, providers must produce electronic communications content when served with a search warrant. Providers are also required to produce certain non-content records pursuant to either a subpoena, a court order issued upon an intermediate showing, or a warrant. 18 U.S.C. § 2703(a)-(d). In addition, providers must turn over certain non-content records to the Federal Bureau of Investigation in response to a letter request in certain counterintelligence or counterterrorism investigations. 18 U.S.C. § 2709(a).
The CLOUD Act makes clear that these demands for information apply whether the data is stored in the US or abroad. It does not otherwise modify the procedure established by the Stored Communications Act: a search warrant, subpoena or court order issued under the CLOUD Act would be served and executed on the US provider of electronic communication service, which would directly produce the data to the US government.
Moreover, under the long-standing provisions of the Stored Communications Act, upon notice from law enforcement, providers must preserve data in their possession for up to 180 days to ensure that these communications remain available. See 18 U.S.C. § 2703(f). The US government may also require providers to create backup copies of certain data it requests. 18 U.S.C. § 2704.
2. The CLOUD Act empowers the executive branch to enter into new executive agreements with foreign governments regarding disclosure of electronic communications
The CLOUD Act gives the US government's executive branch the authority to make new, bilateral "executive agreements" with foreign governments to allow for cross-border electronic data access and exchange. Where such an agreement exists, a foreign government may contact a US provider or local US law enforcement directly and request the provider disclose data stored on US territory. Likewise, the US government would have reciprocal authority to contact a foreign service provider or local law enforcement directly to request information stored on the foreign country's territory.
While the US already has been in negotiations with the United Kingdom to hash out the details of this sort of bilateral executive agreement, the US has not yet entered into an agreement like the one outlined in the CLOUD Act. Other countries' law enforcement authorities have expressed interest in bilateral agreements because of the significant percentage of electronic communications that are stored on US servers. It is uncertain, however, how such agreements will operate in practice.
3. The CLOUD Act establishes a new process for US courts to account for potential conflicts with European data privacy laws in limited circumstances
The CLOUD Act permits providers, in limited situations, to challenge a warrant for electronic data when the provider believes disclosure of the data would lead to a conflict of laws. A court could quash the warrant or subpoena in the "interests of justice" based on a multi-factor test that evaluates the consequences of any legal conflict, the strength of law enforcement's interests, and ties to the US and foreign locations. CLOUD Act § 103(b), to be codified at 18 U.S.C. § 2703(h)(2).
The availability of this procedure is limited to addressing conflicts of law with foreign governments that have entered into CLOUD Act agreements with the US (known as "qualifying foreign governments"). As of yet, no CLOUD Act agreements have been established, and thus providers have no present recourse under this procedure. Furthermore, this procedure is available only if the provider reasonably believes that the subject of the warrant is not a US citizen, lawful US permanent resident or located in the United States.
For now, providers wishing to challenge warrants are left with the CLOUD Act's savings clause. The savings clause applies where the formal procedure for challenging a data warrant is inapplicable (ie, where the data subject is a US person or where the conflict arises from a non-qualifying foreign government). In that case, the CLOUD Act reverts to "common law standards governing the availability or application of comity analysis." Those comity standards have not been well defined by federal courts. The CLOUD Act does not offer further guidance for how and when comity concerns limit US search authority.
Thus, while the CLOUD Act legislative compromise makes some strides in addressing potential conflicts of laws, it does not resolve many of the uncertainties facing providers.
4. The CLOUD Act arrives just before both the US Supreme Court's ruling in the Microsoft case and the effective date of the European Union's General Data Protection Regulation
For companies doing business in Europe, the stakes will be raised significantly on May 25, 2018, when the General Data Protection Regulation (GDPR) becomes effective in the EU. The CLOUD Act does not provide a clear path to relief for providers facing a US demand for data stored in the EU that potentially conflicts with the GDPR's limits on the transfer and processing of data. See GDPR, Art. 48 & 49. Article 48 of the GDPR recognizes foreign warrants or court orders only if they are "based on an international agreement, such as a mutual legal assistance treaty" between the foreign government and the EU member state. GDPR, Art. 48. It is not clear that a CLOUD Act agreement constitutes a qualifying "international agreement" under Article 48. It further remains to be seen whether the US and foreign governments will enter into CLOUD Act agreements and whether, in the absence of such agreements, US courts will constrain US search warrant authority in light of conflicts of laws.
For more on the GDPR and what it means for your company, see the DLA Piper General Data Protection Regulation Guide.
The CLOUD Act comes just as the US Supreme Court had been considering the question of whether the Stored Communications Act subpoena could reach data accessible in the US but stored overseas in the case of US v. Microsoft. The US government and Microsoft have agreed that the CLOUD Act moots the case and have sought its dismissal. It is likely that the Supreme Court will agree and dismiss the case as moot. (DLA Piper has filed an amicus brief in the Microsoft case on behalf of DigitalEurope, Bitkom, Tech In France, Syntec Numérique and other European national trade organizations.)