Earlier today, Congress passed the Clarifying Lawful Overseas Use of Data Act (the CLOUD Act), amending key aspects of U.S. surveillance law and providing a framework for cross-border data access for law enforcement purposes. The Act addresses two problems that have been the subject of heated debate for the past five years. First, by amending the Stored Communications Act, 18 U.S.C. §§ 2701et seq.(SCA), the CLOUD Act clarifies that American law enforcement authorities can compel providers of electronic communication services — such as major email service providers and social media networks — to produce data stored outside the United States. Second, the Act establishes new rules facilitating foreign law enforcement access to data stored inside the United States. In short, this new legislation impacts any provider that may receive either US or foreign orders to produce data in furtherance of criminal investigations.
1. Amendments to the Compulsory Process Provisions of the Stored Communications Act
a. Clarifying That the SCA Reaches Data Stored Outside the United States
The CLOUD Act’s most immediate effect is to explicitly allow American law enforcement authorities to issue SCA warrants for electronic data that is stored outside the United States. This amendment may moot a prominent case currently pending in the Supreme Court – United States v. Microsoft Corp., No. 17-2 (argued Feb. 27, 2018).
The Microsoft case has been working its way through the courts since 2013, when Microsoft refused to comply with a federal warrant demanding production of email records. Microsoft argued that because the requested records were stored in Ireland, US law enforcement had no authority to compel their production. The district court upheld the warrant, but the Second Circuit reversed, holding that the SCA does not apply extraterritorially and that the location of the data – not whether a company could control it from inside the United States – was dispositive. Courts in other circuits, however, have come to the opposite conclusion. See, e.g., In re Information Associated with One Yahoo Email Address That Is Stored at Premises Controlled by Yahoo, No. 17-M- 1234, 2017 WL 706307, at *3 (E.D. Wis. Feb. 21, 2017); In re the Search of Content That Is Stored at Premises Controlled by Google, No. 16-mc-80263, 2017 WL 3478809, at *5 (N.D. Cal. Aug. 14, 2017).
(Jenner & Block filed an amicus brief in the Supreme Court on behalf of the European Commission in Microsoft. David Bitkower and Natalie Orpett previously discussed the Microsoft case and prospects for legislative fixes in this article.)
The CLOUD Act resolves the central question in Microsoft by creating a new Section 2713 of the SCA, which provides that electronic communication service providers and remote computing service providers must “comply with the obligations of [the SCA] to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.” CLOUD Act § 103(a), to be codified at 18 U.S.C. § 2713 (emphasis added). This new rule clarifying the SCA warrant power’s reach to overseas data applies to a number of SCA obligations, including:
- Production of data pursuant to government requests: Electronic communication service providers (such as email providers) and remote computing service providers (including certain cloud storage providers) must produce electronic communications content pursuant to a search warrant. Providers are also required to produce certain non-content records pursuant to either a subpoena, a court order issued upon an intermediate showing, or a warrant. See 18 U.S.C. § 2703(a)-(d). Finally, providers must produce certain non-content records to the Federal Bureau of Investigation pursuant to letter requests in counterintelligence or counterterrorism investigations. See 18 U.S.C. § 2709(a).
- Data preservation obligations: Providers must preserve data in their possession for up to 180 days prior to the issuance of any compulsory process. See 18 U.S.C. § 2703(f). In addition, under a seldom-used provision of the SCA, providers may also be required to create backup copies of certain data requested by the government. See 18 U.S.C. § 2704.
b. Adopting Procedures to Address Potential Conflicts of Laws
The CLOUD Act also amends the SCA by adding two new provisions to address the possibility that foreign data privacy laws may bar providers from producing data stored abroad to U.S. authorities. This responds to an argument that was not directly raised in the Microsoft case, but that has garnered much attention – that is, would a provider be obligated to produce data to US authorities if doing so would have been precluded by foreign law? The question has become more timely as providers anticipate the May 25, 2018 effective date of the European Union’s General Data Protection Regulation (GDPR).
The CLOUD Act’s first approach to possible conflicts of law applies in a narrow set of circumstances in which the United States has reached an executive agreement with a “qualifying foreign government.” CLOUD Act § 103(b), to be codified at 18 U.S.C. § 2703(h). The second, which applies in all other circumstances, reverts to a more ambiguous savings clause. See CLOUD Act § 103(c) (providing a rule of construction for new 18 U.S.C. § 2703(h)).
i. Resolving conflicts of law with “qualifying foreign countries”
First, the new Section 2703(h) provides for a judicial comity analysis when SCA warrants lead to conflicts of law. Under this section, providers may move, within fourteen days of service, to modify or quash a warrant if there is a “material risk” that complying with the warrant would violate the law of a qualifying foreign government. CLOUD Act § 103(b), to be codified at 18 U.S.C. § 2703(h)(2).
The court is empowered to modify or quash the warrant, but only upon finding that: (1) disclosure would in fact cause a violation of the laws of a qualifying foreign government; (2) “based on the totality of the circumstances, the interests of justice dictate” that the warrant be modified or quashed; and (3) the account subscriber is a non-U.S. person who resides abroad. CLOUD Act § 103(b), to be codified at 18 U.S.C. § 2703(h)(2). In considering “the totality of the circumstances,” the court must consider, “as appropriate,” the following factors:
- the investigative interests of the US governmental entity seeking the disclosure and the importance of the information to the investigation;
- the foreign government’s interest in preventing the disclosure;
- the risk of penalties on the provider (or its employees) as a result of the conflict;
- the location and nationality of the subject of the warrant and their connection to the United States;
- the nature and extent of the provider’s ties to and presence in the United States; and
- the availability of alternate means of disclosure.
As noted, however, this mechanism is available only in a subset of conflicts: First, the provider must reasonably believe that the subject of the warrant is not a citizen or lawful permanent resident of the United States or located in the United States. Second, and crucially, the mechanism is only available when the conflicting law is that of a “qualifying foreign government” – that is, a country that has signed an executive agreement with the United States to facilitate cross-border law enforcement access to data (as discussed further in Part 2 below). No country has yet obtained that status, and it is unclear whether more than a small circle of countries will seek and be eligible to do so. Moreover, the very purpose of the executive agreements is to minimize the likelihood that cross-border data requests result in conflicts of laws. Thus, the significance of Section 2703(h)’s statutory mechanism for resolving conflicts of law is unclear. It will not be applicable in any pending cases, nor in any future litigation until an executive agreement is signed.
ii. Resolving conflicts of law in other situations
In all other cases presenting a potential conflict with foreign data privacy laws, the CLOUD Act reverts to a savings clause. See CLOUD Act § 103(c). That clause provides that the CLOUD Act shall not “be construed to modify or otherwise affect the common law standards governing the availability or application of comity analysis . . . to instances of compulsory process issued under [the SCA] and not covered under [Section 2703](h)(2).” In other words, for all cases not covered by new Section 2703(h) – that is, all cases where the conflict does not arise with the laws of a qualifying foreign government, or where the conflict involves a U.S. person or any person inside the United States – the CLOUD Act does not change whatever “common law” comity standards currently apply to SCA process.
But the Act does not actually confirm that such a comity analysis is available in the first place, let alone spell out what standards would govern such an analysis. And case law is of limited help – federal courts have not been asked to apply common law comity standards to SCA process in the past (though they have done so with respect to other conflicts of law). When a court ultimately does confront these issues, it will face a host of thorny substantive and procedural questions, with no clear guidance from Congress on how to answer them.
As a result, the next recipient of an SCA warrant seeking overseas data faces a narrowed, but still uncertain, legal landscape. Challenging the warrant on the grounds that it does not have extraterritorial reach is not an option – Section 2713 affirms that it does. But if that warrant conflicts with local law where the data is stored, providers will have no more guidance than they do today, at least until the first executive agreement comes into force – and then, only with respect to data subject to that country’s laws.
2. Creation of a Framework for International Agreements to Facilitate Cross-Border Law Enforcement Access to Electronic Data
The more ambitious aspect of the CLOUD Act is its creation of a legal framework that would permit foreign and US law enforcement to access electronic data stored in each other’s territory without a mutual legal assistance treaty (MLAT) request. This part of the CLOUD Act enumerates the requirements for a foreign country to become eligible for an executive agreement with the United States (a "CLOUD Act Agreement"). It then sets forth procedures for handling production orders issued by such countries – specifically, by providing exemptions from certain US data privacy laws.
a. Qualifications for Obtaining an Agreement
A country qualifies for a CLOUD Act Agreement only if the U.S. Attorney General, with the concurrence of the Secretary of State, certifies that the country’s laws afford “robust substantive and procedural protections for privacy and civil liberties in light of the data collection and activities of the foreign government that will be subject to the agreement.” CLOUD Act § 105(a), to be codified at 18 U.S.C. § 2523(b). Before making a certification, the Attorney General must consider a series of factors relating to the country’s criminal justice system and respect for civil and human rights. In addition, the CLOUD Act Agreement cannot be used by the foreign government to target U.S. persons or persons in the United States.
Orders issued pursuant to the CLOUD Act Agreement must (1) relate to a “serious crime,” rather than be issued purely for intelligence purposes; (2) identify a specific person, account, device, or identifier; (3) be lawful under local law; (4) be justified by “articulable and credible facts, particularity, legality, and severity regarding the conduct under investigation”; and (5) be subject to “review or oversight by a court, judge, magistrate, or other independent authority.” CLOUD Act § 105(a), to be codified at 18 U.S.C. § 2523(b)(4)(D). The Agreement must also grant the United States reciprocal rights with respect to data subject to the foreign government’s law.
b. Effect of a Qualifying Agreement
Once a country signs a CLOUD Act Agreement with the United States, its qualifying surveillance orders receive privileged status under US data privacy law. Importantly, nothing in the CLOUD Act authorizes the foreign government to mandate disclosure. Rather, a CLOUD Act Agreement would permit the United States to remove barriers in existing American law that could prevent a US provider from complying with the foreign order. Specifically, for qualifying orders only, the CLOUD Act:
- Adds a provision to the Wiretap Act – which otherwise makes it a felony to facilitate electronic surveillance by a foreign government over data held in the United States – permitting compliance with qualifying wiretap orders;
- Adds a provision to the SCA – which otherwise makes it a civil violation to hand over communications content to a foreign government – permitting compliance with qualifying production orders; and
- Adds a similar provision to the Pen Register and Trap and Trace statute, which otherwise makes it a misdemeanor to provide live transactional data to a foreign government.
The Justice Department has indicated that it is negotiating an agreement with the United Kingdom, which could provide a roadmap for future negotiations with other countries. Reaching CLOUD Act Agreements with multiple countries would alleviate some of current burden on the MLAT system, thereby freeing up MLAT resources for non-qualifying governments.
3. Implications and Open Questions
The CLOUD Act’s most immediate effect will be on the Microsoft case and similar litigation in lower courts across the country. It is now clear that the warrants in those cases, and in future cases, can properly reach data stored outside the United States. In other words, Microsoft, as well as other pending cases confronting similar questions, may now be moot.
This development will be welcomed by law enforcement authorities, as well as providers seeking clarity as to the scope of their obligations under US law. In addition, providers have advocated for an international framework, such as the one established by the CLOUD Act, as a long-term solution to the problem of legal conflicts in the digital age. On the flip side, providers receiving SCA warrants in the near term where such international agreements are not widespread will need to consider what remedies they may have, either under new SCA Section 2703(h) (a remote scenario for the foreseeable future), or under common law comity standards (if they are in fact deemed applicable to the SCA).
Notably, prominent American providers are not alone in confronting a new legal landscape under the CLOUD Act. Companies that provide email service to their employees, as well as companies and individuals that rely on remote computing services, may also be affected.
Despite its scope, the CLOUD Act leaves several key questions unresolved. For example:
- The CLOUD Act’s savings clause, which applies much more broadly than its express comity mechanism, leaves major questions unanswered. The first challenges to SCA warrants under the CLOUD Act will thus play an outsize role in determining how these warrants will be treated by providers, law enforcement, and the courts.
- The SCA applies to American state-level authorities as well. Any comity analysis, whether under Section 2713(h) or under the common law, may thus be conducted in state courts as well. Although the federal government appears to have conceded the availability of a comity analysis under the SCA in testimony before Congress, state authorities may take a different approach.
- Although the SCA’s reach is clearly not limited by the location of the data, it may still be limited by the location of the provider. The CLOUD Act does not address which providers are subject to the jurisdiction of SCA legal process in the first instance.
- The CLOUD Act provides access to data outside the United States without respect to the type of process – search warrant, court order, or subpoena – used. The Act thus sidesteps the constitutional and policy debate about whether certain content or location information may be obtained without a warrant.
- The CLOUD Act is clarifying only for some types of providers. It permits a provider of electronic communication service "to the public" – such as free email providers – to raise a challenge under Section 2703(h). But other electronic communication service providers – such as companies and universities – may not be covered by that section, and must rely on the more ambiguous savings clause.
The new CLOUD Act affects providers of electronic communication and cloud services, those who use their services, and anyone who might be affected by cross-border crime. Companies – whether large tech providers or those that provide basic email services to their employees – should consider if they are prepared to respond to an SCA warrant under this new regime.