The Clarifying Lawful Overseas Use of Data Act (Pub. L. No. 115-141 (2018)), or the CLOUD Act, was enacted in the U.S. on March 23, 2018, in response to difficulties U.S. law enforcement agencies (LEAs) had when attempting to gain access to data held by cloud service providers through Stored Communications Act (SCA) warrants, as the SCA did not contemplate cloud computing when it was enacted into law; likewise, LEAs were also forced to utilize U.S. Senate-approved mutual legal-assistance treaties (T.I.A.S. No. 10-201 or MLATs) or letters rogatory to access data stored overseas.
The CLOUD Act was occasioned by the U.S. v. Microsoft litigation, in which Microsoft had argued that it was not required to provide access to its users’ private data stored on Dublin servers. Microsoft lost the case in 2014, but won an appeal in 2016. The U.S. Supreme Court heard argument on the case in February 2018. Demonstrating the CLOUD Act’s importance for LEAs, in late March 2018 (immediately following the CLOUD Act’s passage), the U.S. Department of Justice (DOJ) asked the U.S. Supreme Court to drop the pending Microsoft litigation as moot, as the DOJ could (and did) alternatively use the CLOUD Act to issue a new warrant for the data held by Microsoft in Dublin.
The CLOUD Act has two major routes of application that impact cross-border data sharing:
First, the CLOUD Act empowers U.S. LEAs to compel U.S. organizations (or other organizations under U.S. jurisdiction) providing “electronic communications services” and “remote computing services” to allow access to certain types of data stored outside the U.S. U.S. LEAs can serve a search warrant for an organization’s data, and the organization will have to comply even when the data is stored in a foreign jurisdiction. In sum, the CLOUD Act provides an avenue for LEAs (at any level, from federal agents to local police) to require U.S. organizations to provide access to user communication data regardless of where that data is stored. The CLOUD Act focuses on whether the recipient of a request has control over the data: specifically, whether there is “possession, custody, or control,” the standard used in both U.S. civil and criminal law to define a party’s obligation to produce evidence pursuant to a subpoena, document request, regulatory inquiry or similar.
Second, the CLOUD Act provides the executive branch of the U.S. with the ability to execute so-called executive agreements with other countries, allowing these nations to share stored user data regardless of hosting nation privacy laws. Unlike the MLATs, these agreements do not require congressional approval for execution and are instead unilaterally decided by the U.S. executive branch, headed by the president. Those executive agreements will exist between the U.S. and reciprocating foreign governments, and approved agreements will also provide foreign governments with a new mechanism for obtaining data directly from U.S. organizations.
The recipient of a request provided under the CLOUD Act may now ask a court to quash or modify the request if (a) the person(s) whose data is sought is not a U.S. person and does not live in the U.S.; (b) compliance with the warrant conflicts with the law of the nation where the data are actually stored; and (c) the court undertakes a comity analysis to conclude whether, on balance, disclosure is or is not warranted. These conditions are cumulative: the court must find all three in the affirmative to quash or modify the request. Note too that the analysis of “possession, custody, and control” noted above has different meanings in different U.S. jurisdictions; in particular, the U.S. Second Circuit (which covers the U.S. states of Connecticut, New York and Vermont in federal matters) applies one of the broadest readings of “possession, custody, and control” of all federal circuits.
Given its recency, the CLOUD Act’s compatibility with the European Union’s General Data Protection Regulation (GDPR) is also an open question. Some commentators note significant concerns related to data transfers under the GDPR and related CLOUD Act applications – specifically, whether executive agreements will be sufficient to address conditions set out in GDPR Articles 44 to 50, which relate to whether executive agreements could be considered “necessary for important reasons of public interest.”
Organizations facing obligations under the CLOUD Act should consider conducting a directed risk analysis that examines those areas of operation where cloud data hosting is implicated, including any cloud-based email or communication services. In instances where sensitive, proprietary or confidential data is communicated, an encrypted email service and/or encrypted containers for such data should be considered, as this may present a scenario in which even though the data container is provided in response to an LEA warrant, the data inside might not be accessible to a recipient given current computing abilities.
Organizations that currently use the cloud for storage and/or communication should consider a compartmentalized cloud strategy that defines data storage locations for certain types of data; here, public or non-proprietary information might be stored in public cloud services or in locations where no direct oversight is required (at lower cost to the organization), whereas other data might be stored in cloud data locations operated by (and subject to) European-managed service operators. Here, too, the use of encrypted containers for such data should be a consideration.
Organizations utilizing international cloud service providers might require such providers to use a “warrant canary” clause on the providers’ website(s), whereby the website would maintain a statement indicating that a CLOUD Act warrant has not been used to procure user information maintained by the provider; if such a circumstance were to occur, the provider would be obligated to remove that statement, and its absence would serve as an indicator to the provider’s users of the CLOUD Act’s application (hence, the “canary”).
In sum, the CLOUD Act allows U.S. LEAs to issue warrants for access to data held by U.S. organizations (or other organizations under U.S. jurisdiction), even if such data is held outside the U.S., and even if such data involves individuals other than U.S. citizens. The CLOUD Act applies only to the contents of electronic communications, documents stored in the cloud, and certain types of transmission and account information, and does not necessarily reach an organization’s business records. However, if an individual’s email or documents are stored in a cloud-based service, and the service responds to a CLOUD Act warrant, such materials could include business records. Warrant recipients may oppose the requests in court, but while it’s currently unclear whether the recipients would be able to directly alert the data owners of such a request, it seems unlikely, and so-called warrant canaries might be providers’ only notice option.