On March 23, 2018, the Clarifying Lawful Overseas Use of Data Act ("CLOUD Act")1 was quietly enacted as part of the 2,232-page omnibus budget legislation. The law amended the Stored Communications Act ("SCA"), which establishes procedures permitting the US government to seek data from service providers of electronic communication services,2 such as email, or remote computing services,3 including cloud computing (collectively, "providers"). The act did not receive much attention on Capitol Hill, as it was passed with neither review from a House or Senate committee nor a hearing. Nevertheless, the act is having significant implications for companies that utilize data services based or operating in the United States.
What is new
The CLOUD Act made three noteworthy changes to the SCA. First, it amended the mandatory disclosure provisions under the SCA to apply extraterritorially. Before the CLOUD Act, it was unclear whether the SCA could be applied to reach data that was stored outside the US. The Supreme Court was set to resolve this issue in the pending case United States v. Microsoft Corp.4 There, Microsoft had refused to comply with a federal warrant issued to the company, demanding production of an individual's email records in 2013. Microsoft challenged the warrant, arguing that the government could not compel the production of the records because the underlying data was stored in Ireland and the SCA did not apply extraterritorially. In response, the government argued that the SCA did apply extraterritorially because the SCA reached all records in the recipient's custody or control, no matter where the materials are located.
The CLOUD Act amended the disclosure provisions to clarify that the provisions apply extraterritorially. In doing so, it seemingly adopted the government's position in Microsoft. Specifically, it stated that providers must disclose all requested records within the provider's "possession, custody, or control" whether or not the information sought is "located within or outside of the United States."5 This amendment permits the US authorities to seek data from providers—regardless of where the data is stored—so long as the data is within the provider's "possession, custody, or control." The broad definition of "control" adopted by US courts provides US authorities with broad access to data from providers based or operating in the United States. In light of this new amendment, the Supreme Court mooted the appeal in Microsoft and remanded the case with instructions to the trial court to dismiss the case.
Second, the CLOUD Act authorizes the US attorney general, with concurrence from the US secretary of State, to enter into new types of international agreements that allow foreign governments to access data stored in the United States. These are known as executive agreements.6 Generally, principles of national sovereignty prohibit US or foreign authorities from traveling to each other's respective jurisdictions to serve entities located there with orders compelling disclosure. Instead, those governments must use a Mutual Legal Assistance Treaty ("MLAT") to compel such information, which is often a slow process.
The CLOUD Act creates a framework for an executive agreement between the US and a foreign government that gives such requests legal force. Thus, a provider subject to the jurisdiction of a country with which the US has entered an executive agreement could be served with an order requesting customer data under the SCA and the provider would be compelled to disclose the data, even if the data was stored in the United States. The process for entering these executive agreements is already underway, as the US and the UK have already started negotiations. Nevertheless, the CLOUD Act provides that the US attorney general must certify that a country's legal environment provides certain legal protections, such as defending privacy and civil liberties, before a country can qualify for an executive agreement with US authorities.
Third, the CLOUD Act created a new right for challenging mandatory disclosures when the data at issue is stored in a country with which the United States has an executive agreement.7 It permits providers served with an SCA legal process to file a motion to quash within 14 days of service to challenge the compelled production. A motion to quash or modify may be filed if the provider reasonably believes (1) that the customer or subscriber whose data is sought is not a US citizen or legal resident and does not live in the United States, and (2) that the disclosure would create a material risk that the provider would violate the laws of a country with which the US has an executive agreement.
A court may only modify or quash an SCA legal process if it finds (1) that the disclosure would cause the provider to violate the laws of the country at issue; (2) that the customer or subscriber whose data is sought is not a US citizen or legal resident and does not live in the United States; and (3) the "interests of justice" factors laid out in the statute8 favor the modification or quashing of the request.
Importantly, the CLOUD Act supplements and does not replace aspects of the current framework for seeking information abroad. The law explicitly preserves the right for a party to bring a challenge for "comity," which arises when a compelled production conflicts with the law of the country in which production must be made.9 Further, the CLOUD Act also expressly states that it does not affect or modify the current process for seeking data under an MLAT if US authorities choose to utilize that route.10
Who should take particular notice of this alert
The CLOUD Act has a significant impact on international data sharing. Companies should be aware that the US government can now directly seek a warrant for data within the "possession, custody, or control" of providers that are based or operate in the United States, irrespective of where the data is stored. As such, foreign entities whose data would otherwise be outside of the US government's reach should pay particular attention to the CLOUD Act.
The rising tensions between US and European Union laws, predominantly caused by the conflict between US enforcement efforts and the EU's focus on the right to data privacy, are no surprise. Fortunately, challenges under the CLOUD Act to any personal data sought from EU member countries will likely be more robust in light of the upcoming application of the General Data Protection Regulation (GDPR). Thus, companies based outside of the US and US companies with foreign subsidiaries should consult with legal counsel about how the CLOUD Act will impact their respective entities' data.