The CLOUD Act, Explained

Cyber, Privacy & Data Innovation Alert
April.06.2018

The Clarifying Lawful Overseas Use of Data ("CLOUD") Act was enacted into law on March 23, 2018. The Act provides that U.S. law-enforcement orders issued under the Stored Communications Act (SCA) may reach certain data located in other countries – a key question in United States v. Microsoft Corporation, No. 17-2, a case argued before the Supreme Court on February 27.^[1] Both the government and Microsoft recently agreed that the closely watched case is now moot following the CLOUD Act.

Recognizing the limits of existing law enforcement tools and privacy laws to govern requests for electronic evidence in the age of cloud computing, the CLOUD Act establishes processes and procedures for law enforcement requests for data in other countries. Most significantly:

The Act expressly provides that U.S. law-enforcement orders issued under the Stored Communications Act (SCA) may reach certain data located in other countries.
The Act also allows certain foreign governments to enter into new bilateral agreements with the United States that will prequalify them to make foreign law-enforcement requests directly to U.S. service providers, rather than via the U.S. government under a mutual legal assistance treaty. This should streamline compliance with foreign law-enforcement requests.
The Act formalizes the process for companies to challenge a law enforcement request.
The Act imposes certain limits and restrictions on law enforcement requests to address privacy and civil liberty concerns.

Especially once foreign governments enter into new agreements with the U.S., the CLOUD Act should introduce a measure of clarity for providers who previously found themselves in a legal bind caught between two conflicting jurisdictional laws.

The CLOUD Act's Effects on the Stored Communications Act

The CLOUD Act lays out the circumstances under which a "provider of electronic communication service or remote computing service" must comply with a U.S. law-enforcement order to disclose data within its "possession, custody, or control," even when that data is "located … outside the United States." CLOUD Act § 103(a).

Although the Act expands the geographic scope of the SCA, it does not change who is subject to SCA orders or what type of data is subject to U.S. law-enforcement requests under the SCA. As before the Act's passage, the SCA applies only to providers of "electronic communications services" and "remote computing services" – generally businesses that offer email, electronic messaging, or cloud storage services to the public. 18 U.S.C. §§ 2510(15) (defining electronic communications services), 2711(2) (defining remote computing services).

Also unchanged is that the SCA only regulates access to the content of electronic communications and cloud-stored documents, as well as non-content data relating to electronic communications (like transmission records and user-account information), but not other types of personal or business data. The CLOUD Act simply clarifies that the SCA's rules governing U.S. law-enforcement agents' access to content and non-content information – such as the provision requiring that law enforcement obtain a warrant before demanding that email providers turn over private email content, 18 U.S.C. § 2703(a) – generally apply to data that is stored outside the United States as well.

The CLOUD Act's Executive Agreements Will Provide Clarity for Providers

The centerpiece of the CLOUD Act is a provision allowing the U.S. to establish Executive Agreements under which law-enforcement agencies will be given reciprocal access to data held in each other's countries in order to investigate and prosecute certain crimes.

Before the CLOUD Act, a U.S. provider subject to an order under the SCA seeking data stored overseas may have reasonably feared that complying with such a request could violate foreign law. That fear will only become more acute when the European Union's General Data Protection Regulation (GDPR) enters force next month, as Article 48 of the GDPR prohibits the transfer of data outside the European Union for law enforcement purposes unless doing so is authorized under an international agreement, such as a mutual legal assistance treaty, between the EU and the requesting country.

Similarly, U.S. providers have been concerned that compliance with a foreign government's request for data stored in the U.S. could violate providers' privacy obligations under the SCA, which contains an exception for U.S. law-enforcement requests but not foreign requests. These potential conflicts of law don't just place providers in a bind – they also have limited valid government attempts to obtain information in criminal investigations.

Under the international agreements envisioned by the CLOUD Act, the U.S. and participating foreign governments will lift restrictions on providers' compliance with other countries' legal requests, introducing a measure of clarity for providers who had increasingly been caught in the middle of irreconcilable legal obligations imposed by different jurisdictions.

Formalized Process for Providers to Challenge Law-enforcement Requests

The CLOUD Act sets out a new, formal process for providers to challenge U.S. law-enforcement demands for user data.

Challenges to an order seeking data stored in a country with an Executive Agreement.

With respect to U.S. law-enforcement requests, a U.S. provider served with an SCA order seeking data stored in a country with an Executive Agreement has 14 days to move to modify or quash U.S. legal process under the CLOUD Act. This provision codifies the availability of a pre-enforcement challenge to an SCA warrant like the type Microsoft successfully brought in United States v. Microsoft.

A provider may move to modify or quash if it "reasonably believes":

that the "customer or subscriber is not a U.S. person and does not reside in the U.S.," and
that disclosure would "create a material risk that the provider would violate the laws" of the foreign government. CLOUD Act §103(b).

A court can then modify or quash if it finds that:

disclosure would cause the provider to violate the laws of the foreign government;
granting the challenge would serve "the interests of justice"; and
the customer or subscriber is not a U.S. person and does not reside in the U.S. Id.

And for purposes of determining what "the interests of justice" require, the Act establishes specific factors for the court to consider, including: (i) the interests of the U.S. and foreign government, (ii) the likelihood and nature of the penalties that would be imposed, (iii) the person and provider's connections to the U.S., or (iv) the importance of the information to the investigation, and the availability of other means to obtain the information. Id.

Additionally, the Act allows providers to inform the foreign government of the law-enforcement request so that the foreign government can object directly to the U.S. government if it wishes.

Challenges to an order seeking data not located in a country with which the U.S. has an executive agreement.

Where the data sought by U.S. law enforcement is not located in a country with which the U.S. has reached such an agreement – and no countries have yet done so – the CLOUD Act expressly preserves the right of a provider to challenge an SCA warrant under "common law … comity analysis." CLOUD Act § 103(c). Indeed, in a recent filing in the Microsoft case at the Supreme Court, following the CLOUD Act's passage the Department of Justice acknowledged that the "CLOUD Act does not affect the availability or application of a common-law comity analysis."

Under that common-law comity analysis, courts may look to factors such as:

The importance of the information requested.
The degree of specificity of the request.
Whether the information originated in the U.S.
The availability of alternative means to obtain the information.
The U.S. and foreign interests at stake.

Société Nationale Industrielle Aérospatiale v. U.S. District Court for the Southern District of Iowa, 482 U.S. 522, 544 n.28 (1987); see Restatement (Third) of the Foreign Relations Law of the United States § 442 (1987). If, considered together, these factors weigh in favor of the challenge, courts may modify or quash an SCA warrant. Notably, in contrast to the statutory framework established by the CLOUD Act, a common-law challenge is available even where the customer or subscriber is a U.S. person or resides in the U.S. Although those circumstances would likely weigh against the success of a common-law challenge, they do not render relief unobtainable.

Effect on Foreign Law-Enforcement Requests

With respect to foreign law-enforcement requests, before the CLOUD Act providers generally directed foreign law-enforcement agencies to submit requests for mutual legal assistance to the U.S. Department of Justice, so that the request would formally come from a U.S. law-enforcement agency and thus be subject to the SCA's law-enforcement exception.

The CLOUD Act aims to streamline this process by providing that when the U.S. enters into an Executive Agreement with a qualifying foreign country, the foreign law-enforcement requests for data may be responded to directly by providers. In essence, the Executive Agreements preauthorize law-enforcement requests from certain foreign countries.

To address concerns raised by privacy and civil liberty advocates, the Act permits the U.S. to enter into an Executive Agreement with a foreign government only if the Attorney General and the Secretary of State certify to Congress that, among other things, the foreign government provides "robust substantive and procedural protections for privacy and civil liberties" and that it has adopted procedures to "minimize the acquisition, retention, and dissemination of information concerning United States persons." CLOUD Act § 105. Congress is afforded 180 days to disapprove any agreement.

In another important concession to privacy advocates, the Act makes clear that the Executive Agreement cannot mandate that companies subject to a surveillance order be capable of decrypting data stored on its systems (i.e. an "encryption backdoor," a concept embraced by some U.S. law enforcement officials, most notably by the FBI in the wake of the San Bernardino shooting).

The Act also limits the type of orders that may be issued by foreign law enforcement under these Executive Agreements. For example, orders must:

Be for the purpose of obtaining information related to "serious crime, including terrorism."
"Identify a specific person, account, address, or personal device."
Be limited in time and scope.
Be justified by "articulable and credible facts."
Remain "subject to review or oversight by a court" or "other independent authority," among other requirements. Id.

Last, foreign government orders cannot target U.S. citizen and resident data; those requests must still go through the mutual legal assistance treaty process, which requires consultation with U.S. authorities.

Key Takeaways

Now that the CLOUD Act is in effect, providers of "electronic communications services" and "remote computing services" should be aware that data stored outside the United States may now be subject to requests under the Stored Communications Act and must plan accordingly.
Providers inclined to challenge an SCA order should consider moving to modify or quash legal process under the now-clarified procedures for doing so under the Act.

When choosing where to store data, providers may consider whether a datacenter will be located in a country that has entered into an Executive Agreement with the United States (once such agreements are reached, likely beginning later this year). Such agreements will better insulate companies from the risk of encountering irreconcilable obligations under two different countries' laws when faced with law-enforcement requests from either U.S. or foreign law-enforcement agencies.

^[1] Orrick, Herrington & Sutcliffe LLP is counsel to Microsoft in this case.

Authors

Aravind Swaminathan Partner, Cyber, Privacy & Data Innovation, Class Action Defense

Seattle; Boston

See my bio

Practice:

Finance Sector
Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Class Action Defense
White Collar, Investigations, Securities Litigation & Compliance
Government Investigations and Enforcement Actions
Trials
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Aravind Swaminathan Partner

Seattle; Boston

A leading cybersecurity and online safety authority, Aravind is recognized by Chambers USA in Privacy and Data Security in both Litigation and Incident Response. Clients describe him as “a very talented lawyer experienced with incident responses” and “incredibly responsive and technically savvy.”

Aravind’s deep knowledge of his clients’ business objectives and technological capabilities distinguishes him as a strategic advisor and frontline crisis responder. He advises some of the world’s leading online platforms, public and private financial institutions, tech companies, higher education institutions, and critical infrastructure providers on cybersecurity, and their obligations to monitor and remove harmful or illegal content online and root out instances of child exploitation.

He is adept at guiding companies through cybersecurity incidents, having directed more than 500 data breach investigations, including enterprise-wide network intrusions to cyberattacks with national security implications. Aravind defends clients in an array of cybersecurity and privacy class actions and regulatory enforcement actions brought by the SEC, FTC, NY DFS and State AGs, and also represents individual C-level executives in criminal and civil regulatory enforcement matters.

As a former assistant United States attorney, he investigated and prosecuted a broad array of cybercrime, child exploitation cases, digital crimes, and white-collar crime cases. This first-hand knowledge of federal agencies allows him to navigate the system, partner with investigators and find creative solutions for clients.

Aravind is a member of Orrick’s Board of Directors, and he devotes much of his free time to advising independent schools on AI, online safety, and cybersecurity, and teaching and coaching.

Robert Loeb Partner, Supreme Court & Appellate, Bankruptcy Litigation

Washington, D.C.

See my bio

D:+1 202 339 8475
E: [email protected]

Practice:

Finance Sector
Supreme Court & Appellate
Bankruptcy Litigation
Complex Litigation & Dispute Resolution
Energy
Litigation and IP
White Collar, Investigations, Securities Litigation & Compliance

vCard

See full bio

Robert Loeb Partner

Washington, D.C.

The breadth and depth of Bob's appellate experience, and his consistent track record of success in high-stakes matters, are why clients, including top tech and energy companies, trust him with their most important cases.

The National Law Journal’s Litigator of the Week column recently recognized Bob’s appellate major wins in energy and product liability cases for Broadreach Power and Johnson & Johnson. Bob’s recent victories also include Fifth Circuit wins for energy clients Cheniere and Eni. In the Cheniere-Midship case, Bob obtained an emergency stay from the court of appeals of the regulating agency proceedings and, then after oral argument, achieved a full victory. And for Eni, Bob convinced the Fifth Circuit to vacate a $300M judgment against Eni in a dispute with another energy company. These types of big wins in the most challenging cases show why both Chambers and Legal 500 rank Bob among the Country’s top appellate advocates.

Bob has argued before the Supreme Court multiple times (including a 9-0 victory regarding application of the Fourth Amendment to rental cars), and has filed hundreds of briefs in the Supreme Court. He has also handled cases in highest state courts in California, New York, Maine, Kentucky and New Jersey.

Before joining Orrick, Bob served as one of the leaders of an elite appellate group at the Department of Justice. There, in addition to major national security, commercial, and administrative law, Bob supervised bankruptcy appeals. At Orrick, Bob has continued to handle big ticket bankruptcy matters, such as a billion-dollar dispute over whether DHL’s claim was discharged by United’s bankruptcy, appeals from the City of Stockton bankruptcy confirmation, and a Ninth Circuit matter involving the interplay of the Takings Clause and bankruptcy law.

Bob’s recent work includes matters for Johnson & Johnson, Avon, Microsoft, Eni, Cheniere Energy, Freeport LNG, Broadreach Power, LS Power, Exxon, Medidata, Renco, MSC Cruise Line, Golden 1 Credit Union, Credit Suisse, TravelCenters of America, Gannett, and the City of Stockton.

Emily S. Tabatabai Partner, Cyber, Privacy & Data Innovation, Technology Companies Group

Washington, D.C.; Houston

See my bio

D:+1 202 339 8698
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Companies Group
Internet of Things
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Emily S. Tabatabai Partner

Washington, D.C.; Houston

Emily provides strategic counseling and advice on privacy, consumer protection and online safety matters to clients across industries, including retail, ecommerce, mobile apps, gaming, social media, advertising technology (adtech), financial services, education, business services and technology. She also represents clients subject to regulatory investigations, including before the FTC and States Attorneys General, Congressional committees and other regulatory agencies and groups.

Emily provides proactive compliance guidance, and regulatory investigation defense, on a variety of privacy and consumer protection laws, including:

U.S. state privacy laws in California, Colorado, Connecticut, Utah and Virginia (CCPA, CPRA, CPA, CTDPA, UCPA, VCDPA)
Children’s Online Privacy Protection Act (COPPA)
Online safety laws for kids and teens, including California Age-Appropriate Design Code Act (AADC), Utah Social Media Regulation Act and others
Section 5 of the Federal Trade Commission Act (FTC Act) and state unfair and deceptive acts and practices (UDAP) laws
Family Educational Rights and Privacy Act (FERPA)
California’s Student Online Personal Information Protection Act (SOPIPA), New York’s Education Law 2-d and other state student data privacy laws
Illinois’ Biometric Information Privacy Act (BIPA) and other biometric privacy laws
Washington My Health My Data Act and other state health privacy laws
Fair Credit Reporting Act (FCRA)
Gramm-Leach-Bliley Act (GLBA)
Telephone Consumer Protection Act (TCPA)
Telemarketing Sales Rule (TSR)
Restore Online Shoppers’ Confidence Act (ROSCA)

Emily is a frequent speaker on data privacy matters, with a particular focus on children’s privacy (COPPA), student data privacy and EdTech and online safety laws for kids and teens. She has been featured as an “Up and Coming” Privacy & Data Security attorney by Chambers USA and Chambers Global. Clients tell Chambers, “She’s been an excellent partner. She has a very good understanding of the practical realities of implementing privacy policies for large companies.” Citing her expertise in the field of educational privacy, student data and EdTech matters, Chambers reports that clients regard her as “very knowledgeable and truly an expert in this space,” with some saying, “On the student data side, she is unmatched,” and The Legal 500 notes that Emily “is the first port of call for child- and student-directed service providers for compliance advice with COPPA, SOPIPA and CalOPPA regulations.”

Emily also has an active consumer protection practice, focused on marketing and promotional issues. She counsels clients on advertisements and endorsements, retail sales and e-commerce, advertising substantiation, SMS and telemarketing, social media and online advertising.