The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) amends the Stored Communications Act (SCA) and moots the Supreme Court's consideration of a dispute between the U.S. government and Microsoft over whether Microsoft must produce, based on a warrant under the SCA, the contents of a customer's email account stored on a server located outside the United States.
In the Microsoft case, the United States District Court for the Southern District of New York issued a warrant, served on Microsoft at its Redmond, Washington headquarters, directing Microsoft to seize and produce the email account of a customer alleged to be trafficking drugs. Microsoft complied with the warrant as to data stored in the U.S. Part of the customer's account's content was stored on servers in Ireland, and Microsoft moved to quash the warrant as to that foreign-stored data. The district court denied the motion to quash, and Microsoft appealed. The Second Circuit sided with Microsoft, holding that SCA does not authorize a U.S. court to issue and enforce an SCA warrant as to a customer's electronic communications stored on servers outside the U.S. The Second Circuit focused on the location of the data, not on the customer's location or citizenship. It held that enforcing the warrant to compel Microsoft to seize the contents of the customer's communications stored in Ireland constitutes an unlawful, extraterritorial application of the SCA's warrant provision.
The case was argued before the Supreme Court in February 2018, with part of the argument focusing on the possible enactment of the CLOUD Act. In March 2018, Congress passed and the President signed into law the CLOUD Act, updating the SCA. Thereafter, April 2018, the Supreme Court dismissed the Microsoft case as moot, meaning we will not have the benefit of the Supreme Court weighing in on the decades-old SCA.
What does the CLOUD Act do? First, it amends the SCA to make clear that an internet service or cloud storage provider must preserve and disclose consumer data regardless of whether the data is held overseas:
A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider's possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.
Second, the CLOUD Act includes a provision allowing the provider to challenge the subpoena where the provider reasonably believes that the customer or subscriber is not a United States person and does not reside in the United States, and that the required disclosure would create a material risk that in producing the data, the provider would violate the laws of a qualifying foreign government.
Third, the CLOUD Act provides that the executive branch may enter into executive agreements to permit internet service or cloud storage providers to disclose to a qualifying foreign governmental entity data of subscribers/customers who are nationals or residents of the foreign government.
Fourth, where the executive branch has entered into an executive agreement with a qualifying foreign governmental entity, the CLOUD Act sets forth a comity framework to determine whether, based on the totality of circumstances, the interests of justice dictate that a subpoena should be modified or quashed. The framework provides that a court considering a challenge to a subpoena weigh the investigatory interests of the United States governmental entity seeking to compel disclosure, the interest of the qualifying foreign government in preventing disclosure, the likelihood and extent of penalties (for instance, under the General Data Protection Regulation (GDPR)) to the provider as a result of inconsistent legal obligations, the location and nationality of the subscriber/customer whose information is sought, and the possibility of access to the information through other means with fewer negative consequences. To date, the executive branch has not entered into executive agreements with any foreign governments, meaning there are no qualifying foreign governmental entities to which to apply the comity framework. In the absence of those agreements, common law standards of comity apply, and those common law standards in this area are not well developed or defined.
With GDPR upon us, the interplay between the CLOUD Act's requirements of disclosure and the GDPR's limits on data transfer will present challenges for internet service and cloud data storage providers.