By Tandy Mathis
On Friday, March 23, 2018, Congress passed a 2,232 page omnibus spending bill. Included in the bill was a bipartisan act known as the “Clarifying Lawful Overseas Use of Data Act” or CLOUD Act, which will allow United States law enforcement to access the data stored abroad for U.S. citizens and will provide some relief to foreign law enforcement agencies to access the data of their citizens when that data is stored in the U.S..
The CLOUD Act Overhauls an Outdated Stored Communications Act (SCA) and an Overburdened Mutual Legal Assistance Treaty (MLAT) Act
At its core, the CLOUD Act is a response by Congress to an outdated SCA and MLAT system. Today, data is rarely kept where it is created. The ease and cost savings of data storage mean that many communications and social platforms store data around the world. Over the years, U.S. law enforcement agencies have increasingly faced opposition by communications service providers to provide the data of U.S. citizens and residents if that data was located abroad. Communications service providers have argued that the SCA does not have the extraterritorial scope to allow U.S. law enforcement to seek data held outside of the U.S. In turn, foreign officials have faced an increasingly overburdened MLAT system to access the data of their own citizens held within the U.S., causing some foreign countries to demand that the data of their citizens be kept in country. China has already passed data localization laws which will require many companies to relocate the data of China’s citizens to data centers located on Chinese soil.
The CLOUD Act amends the Stored Communications Act and settles the question of whether the U.S. can compel production of communications and records stored abroad. The CLOUD Act, in Section 103(a), adds a new provision, Section 2713, to the SCA:
A provider of electronic communication service or remote computing service shall comply with the obligations of [the SCA requiring disclosure of customer communications or records to a governmental entity via warrant, court order, subpoena, or other enumerated means] to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.
This change to the SCA likely moots the currently pending Supreme Court case, United States v. Microsoft Corp., No 17-2 (argued Feb. 27, 2018). The pending case began in 2013 when Microsoft received a U.S. law enforcement request to turn over a customer’s email data from the company’s cloud in relation to a narcotics investigation. After realizing the customer’s emails were stored at an Irish data center, Microsoft refused to comply. Instead, Microsoft insisted that the U.S. should work with Irish authorities. Microsoft argued before the Supreme Court that the SCA does not explicitly address whether the law applies abroad, which means it should be assumed to apply only within U.S. borders.
Along with other tech firms, Microsoft has supported the CLOUD Act because it would allow communications service providers to turn information over to U.S. law enforcement for legitimate requests pertaining to U.S. citizens if it does not breach the law of a foreign country. Microsoft and other tech firms have worried for some time that giving up data stored abroad, without legal compulsion to do so, would make individuals in other countries hesitant to trust U.S. providers if their own privacy laws were not respected, thereby causing tech companies to lose foreign customers.
The CLOUD Act in Section 104 also authorizes the Executive Branch to enter into international agreements which would allow certain foreign governments to access information held within the U.S. Currently, the only way for foreign governments to access data of its own citizens held within the U.S. is through the strained MLAT process, which causes frustration for both the foreign government that cannot gain access to the data they need and the companies that find themselves stuck between the rock of foreign legal process and the hard place of U.S. statutory provisions which prohibit companies from complying with foreign law requests for certain data. Important to note is that this section also does not allow a private cause of action against a provider that discloses information pursuant to the legal process under SCA or in response to a qualified foreign government with a valid executive agreement.
Section 105 of the CLOUD Act provides the framework for executive agreements by adding a new provision, Section 2523, to the Wire and Electronics Communications Interception and Interception of Oral Communications statute to Title 18, Chapter 119 of the United States Code. Executive agreements are considered satisfactory “if the Attorney General, with the concurrence of the Secretary of State” determine and provide written certification that: (1) the law of the foreign government “affords robust substantive and procedural protections for privacy and civil liberties in light of the data collection and activities of the foreign government that will be subject to the agreement” (including a determination that the foreign government’s criminal justice system and respect for human rights is up to international standards); (2) the foreign government has adopted procedures to minimize the acquisition, retention, and dissemination of information concerning U.S. persons; and (3) the foreign government must not target U.S. persons or person living in the U.S. and it must not be used by the U.S. to circumvent the U.S. government’s own restrictions on data collection.
Any orders issued under an executive agreement must relate to serious crimes, including terrorism, and must be based on “reasonable justification based on articulable and credible facts, particularity, legality, and severity regarding the conduct under investigation.” Orders issued must also be subject to judicial review or other independent authority, must not infringe upon freedom of speech, and must meet the minimization procedures set for under the Foreign Intelligence Surveillance Act, among other requirements.
The CLOUD Act Addresses Conflicting Laws
The CLOUD Act in Section 103(b) attempts to address comity issues that cross-border data requests can create. The bill further amends the SCA by creating a new Section 2703(h) allowing recipients of legal process under the SCA to file a motion to quash or modify within 14 days of being served if the provider reasonably believes the subscriber is not a U.S. citizen or resident and if the required disclosure would create a material risk that the provider would violate the laws of a “qualifying foreign government.”
After a motion to quash or modify is filed, the government has an opportunity to respond. The court may then modify or quash the legal process, but only if the court finds: (1) “the required disclosure would cause the provider to violate the laws of a qualifying foreign government”; (2) “based on the totality of the circumstances, the interests of justice dictate that the legal process should be modified or quashed”; and (3) “the customer or subscriber is not a United States person and does not reside in the United States.” The bill further enumerates factors the court must consider when analyzing the “totality of the circumstances. “
It is important to reiterate that this recourse is only available where the provider believes the warrant subject is not a citizen or permanent resident of the United States and, most importantly, the conflicting law is that of a “qualifying foreign government.” A qualifying foreign government is one that, among other factors, has entered into an executive agreement under Section 2523 (described above) with the United States.
Currently, there are not any executive agreements in place under the CLOUD Act with foreign governments.
In situations where there is a potential conflict with foreign data privacy laws of a country without an executive agreement in place with the U.S., or where the conflict involves a U.S. person, then according to Section 103(c) of the CLOUD Act, common law standards governing the availability or application of the comity analysis will apply.
The CLOUD Act and GDPR
Are the CLOUD Act and the EU’s General Data Protection Regulation (GDPR) compatible? Article 48 of the GDPR explicitly prohibits the transfer of an EU resident’s personal data in response to a foreign legal requirement or investigation (including the U.S.) unless there is a MLAT or other international agreement. It is important to remember that communication service providers will have to perform an analysis of the data privacy laws where the warrant subject resides before transferring to the U.S. personal data of an EU resident in response to U.S. law enforcement requests if an executive agreement is not in place. Part of that analysis will be consideration of the GDPR’s enforcement provision. The enforcement provision states that violation of the regulation’s data transfer provisions fall under the higher fine band for non-compliance (up to 4% worldwide annual turnover). This puts communication service providers in the difficult position of violating either a U.S. government request or the GDPR. While the U.S. can enter into an executive agreement with EU member states under Section 104 of the CLOUD Act, it remains to be seen if the U.S. will do so prior to the GDPR going into effect on May 25, 2018.
It also remains to be seen what effect this bill will have on other arrangements between the U.S. and EU. When Safe Harbor was overturned by the EU, it was because the European Court of Justice found that the U.S. had lower privacy standards than were permitted under EU law and largely because of concerns of U.S. governmental access to EU citizens’ personal data. The U.S./EU Privacy Shield, which effectively replaced the Safe Harbor, pledges protections essentially equivalent to those protections provided by the EU. One of the main Privacy Shield principles is that “adequate protection” should be applied to the personal data of EU citizens. The CLOUD Act would require a U.S. company to turn over personal data held in EU member states to a U.S. law enforcement agency. It is unlikely the European Court of Justice will ignore such a change in U.S. privacy law. Some have also argued that the CLOUD Act lowers privacy standards because it infringes upon the Fourth Amendment right against unreasonable searches and seizures
While the CLOUD Act seems to have cleared the way for the U.S. and qualifying foreign countries to request data located in each other’s countries, it does not resolve conflict of law situations where the conflicting law is that of an “unqualified” foreign country. The CLOUD Act, therefore, leaves data transfers in those situations just as uncertain as before.
Tandy Mathis practices on Moore & Van Allen’s Litigation and Privacy & Data Security groups, focusing primarily on information management issues, including discovery, privacy, and data security. With more than a decade of experience, she helps clients understand their obligations to protect data and advises on how they can lawfully collect, use, and share personal information.