The CLOUD Act, Explained

Cyber, Privacy & Data Innovation Alert

The Clarifying Lawful Overseas Use of Data ("CLOUD") Act was enacted into law on March 23, 2018. The Act provides that U.S. law-enforcement orders issued under the Stored Communications Act (SCA) may reach certain data located in other countries – the key question in United States v. Microsoft Corporation, No. 17-2, argued before the Supreme Court on February 27, 2018.[1] Following the CLOUD Act's passage, both the government and Microsoft have agreed that the closely watched case is now moot.

Recognizing the limits of existing law enforcement tools and privacy laws to govern requests for electronic evidence in the age of cloud computing, the CLOUD Act establishes processes and procedures for law enforcement requests for data in other countries. Most significantly:

  1. The Act expressly provides that U.S. law-enforcement orders issued under the Stored Communications Act (SCA) may reach certain data located in other countries.
  2. The Act also allows certain foreign governments to enter into new bilateral agreements with the United States that will prequalify them to make foreign law-enforcement requests directly to U.S. service providers, rather than via the U.S. government under a mutual legal assistance treaty. This should streamline compliance with foreign law-enforcement requests. 
  3. The Act formalizes the process for companies to challenge a law enforcement request.
  4. The Act imposes certain limits and restrictions on law enforcement requests to address privacy and civil liberty concerns.

Especially once foreign governments enter into new agreements with the U.S., the CLOUD Act should introduce a measure of clarity for providers who previously found themselves caught between the conflicting laws of two jurisdictions.

The CLOUD Act's Effects on the Stored Communications Act

The CLOUD Act lays out the circumstances under which a "provider of electronic communication service or remote computing service" must comply with a U.S. law-enforcement order to disclose data within its "possession, custody, or control," even when that data is "located … outside the United States." CLOUD Act § 103(a).

Although the Act expands the geographic scope of the SCA, it does not change who is subject to SCA orders or what type of data is subject to U.S. law-enforcement requests under the SCA. As before the Act's passage, the SCA applies only to providers of "electronic communications services" and "remote computing services" – generally businesses that offer email, electronic messaging, or cloud storage services to the public. 18 U.S.C. §§ 2510(15) (defining electronic communications services), 2711(2) (defining remote computing services).

Also unchanged is the scope of the data the SCA covers: the SCA regulates access only to the content of electronic communications and cloud-stored documents and to non-content data relating to electronic communications (such as transmission records and user-account information); it does not reach other types of personal or business data. The CLOUD Act simply clarifies that the SCA's rules governing U.S. law-enforcement agents' access to content and non-content information – such as the provision requiring that law enforcement obtain a warrant before demanding that email providers turn over private email content, 18 U.S.C. § 2703(a) – generally apply to data that is stored outside the United States as well.

The CLOUD Act's Executive Agreements Will Provide Clarity for Providers

The centerpiece of the CLOUD Act is a provision allowing the U.S. to establish Executive Agreements under which law-enforcement agencies will be given reciprocal access to data held in each other's countries in order to investigate and prosecute certain crimes.

Before the CLOUD Act, a U.S. provider subject to an SCA order seeking data stored overseas may reasonably have feared that complying with the order could violate foreign law. That fear will only become more acute when the European Union's General Data Protection Regulation (GDPR) becomes applicable on May 25, 2018: Article 48 of the GDPR provides that a third-country court order or administrative decision requiring a controller or processor to transfer or disclose personal data is recognized or enforceable only if it is based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting country and the EU or a member state.

Similarly, U.S. providers have been concerned that complying with a foreign government's request for data stored in the U.S. could violate their privacy obligations under the SCA, which contains an exception for U.S. law-enforcement requests but not for foreign requests. These potential conflicts of law do not just place providers in a bind; they have also limited legitimate government efforts to obtain information in criminal investigations.

Under the international agreements envisioned by the CLOUD Act, the U.S. and participating foreign governments will lift restrictions on providers' compliance with other countries' legal requests, introducing a measure of clarity for providers who had increasingly been caught in the middle of irreconcilable legal obligations imposed by different jurisdictions.

Formalized Process for Providers to Challenge Law-enforcement Requests

The CLOUD Act sets out a new, formal process for providers to challenge U.S. law-enforcement demands for user data.

Challenges to an order seeking data stored in a country with an Executive Agreement.

With respect to U.S. law-enforcement requests, a U.S. provider served with an SCA order seeking data stored in a country with an Executive Agreement has 14 days to move to modify or quash U.S. legal process under the CLOUD Act. This provision codifies the availability of a pre-enforcement challenge to an SCA warrant like the type Microsoft successfully brought in United States v. Microsoft.

A provider may move to modify or quash if it "reasonably believes":

  • that the "customer or subscriber is not a U.S. person and does not reside in the U.S.," and
  • that disclosure would "create a material risk that the provider would violate the laws" of the foreign government. CLOUD Act § 103(b).

A court can then modify or quash if it finds that:

  • disclosure would cause the provider to violate the laws of the foreign government;
  • granting the challenge would serve "the interests of justice"; and
  • the customer or subscriber is not a U.S. person and does not reside in the U.S. Id.

And for purposes of determining what "the interests of justice" require, the Act establishes specific factors for the court to consider, including: (i) the interests of the U.S. and of the foreign government, (ii) the likelihood and nature of the penalties that would be imposed on the provider or its employees, (iii) the customer's and the provider's connections to the U.S., and (iv) the importance of the information to the investigation and the availability of other means to obtain it. Id.

Additionally, the Act allows providers to inform the foreign government of the law-enforcement request so that the foreign government can object directly to the U.S. government if it wishes.

Challenges to an order seeking data not located in a country with which the U.S. has an Executive Agreement.

Where the data sought by U.S. law enforcement is not located in a country with which the U.S. has reached such an agreement – and no country has yet done so – the CLOUD Act expressly preserves the right of a provider to challenge an SCA warrant under "common law … comity analysis." CLOUD Act § 103(c). Indeed, in a filing in the Microsoft case at the Supreme Court made after the CLOUD Act's passage, the Department of Justice acknowledged that the "CLOUD Act does not affect the availability or application of a common-law comity analysis."

Under that common-law comity analysis, courts may look to factors such as:

  • The importance of the information requested.
  • The degree of specificity of the request.
  • Whether the information originated in the U.S.
  • The availability of alternative means to obtain the information.
  • The U.S. and foreign interests at stake.

Société Nationale Industrielle Aérospatiale v. U.S. District Court for the Southern District of Iowa, 482 U.S. 522, 544 n.28 (1987); see Restatement (Third) of the Foreign Relations Law of the United States § 442 (1987). If, considered together, these factors weigh in favor of the challenge, courts may modify or quash an SCA warrant. Notably, in contrast to the statutory framework established by the CLOUD Act, a common-law challenge is available even where the customer or subscriber is a U.S. person or resides in the U.S. Although those circumstances would likely weigh against the success of a common-law challenge, they do not render relief unobtainable.

Effect on Foreign Law-Enforcement Requests

With respect to foreign law-enforcement requests, before the CLOUD Act providers generally directed foreign law-enforcement agencies to submit requests for mutual legal assistance to the U.S. Department of Justice, so that the request would formally come from a U.S. law-enforcement agency and thus be subject to the SCA's law-enforcement exception.

The CLOUD Act aims to streamline this process: once the U.S. enters into an Executive Agreement with a qualifying foreign country, providers may respond directly to that country's law-enforcement requests for data. In essence, the Executive Agreements preauthorize law-enforcement requests from certain foreign countries.

To address concerns raised by privacy and civil liberty advocates, the Act permits the U.S. to enter into an Executive Agreement with a foreign government only if the Attorney General and the Secretary of State certify to Congress that, among other things, the foreign government provides "robust substantive and procedural protections for privacy and civil liberties" and that it has adopted procedures to "minimize the acquisition, retention, and dissemination of information concerning United States persons." CLOUD Act § 105. Congress is afforded 180 days to disapprove any agreement.

In another important concession to privacy advocates, the Act makes clear that an Executive Agreement cannot obligate providers subject to a surveillance order to be capable of decrypting data stored on their systems (i.e., an "encryption backdoor," a concept embraced by some U.S. law enforcement officials, most notably the FBI in the wake of the San Bernardino shooting).

The Act also limits the type of orders that may be issued by foreign law enforcement under these Executive Agreements. For example, orders must:

  • Be for the purpose of obtaining information related to "serious crime, including terrorism."
  • "Identify a specific person, account, address, or personal device."
  • Be limited in time and scope.
  • Be justified by "articulable and credible facts."
  • Remain "subject to review or oversight by a court" or "other independent authority," among other requirements. Id.

Last, orders issued under an Executive Agreement may not target U.S. persons or persons located in the United States; foreign requests for their data must still go through the mutual legal assistance treaty process, which requires consultation with U.S. authorities.

Key Takeaways

  • Now that the CLOUD Act is in effect, providers of "electronic communications services" and "remote computing services" should be aware that data stored outside the United States may now be subject to requests under the Stored Communications Act and must plan accordingly.
  • Providers inclined to challenge an SCA order should consider moving to modify or quash legal process under the now-clarified procedures for doing so under the Act.

When choosing where to store data, providers may consider whether a datacenter will be located in a country that has entered into an Executive Agreement with the United States (once such agreements are reached, likely beginning later this year). Such agreements will better insulate companies from the risk of encountering irreconcilable obligations under two different countries' laws when faced with law-enforcement requests from either U.S. or foreign law-enforcement agencies.

[1] Orrick, Herrington & Sutcliffe LLP is counsel to Microsoft in this case.