As part of the recently enacted federal spending bill, the US Congress has passed a momentous piece of legislation directly affecting providers of electronic communication services like email service providers and social media networks. The so-called CLOUD Act, by amending the Stored Communications Act, 18 USC. §§ 2701 et seq. (SCA), makes clear that American law enforcement officials can compel US providers to produce data even if it is stored outside the United States. It also establishes new rules facilitating foreign law enforcement access to data stored within the United States. The CLOUD Act effectively moots the central question in a pending, potentially landmark case before the US Supreme Court, and it may have ripple effects on other multinational companies that hold data in different jurisdictions.
The Case of the Extraterritorial Warrant
On February 27, the US Supreme Court heard oral argument in United States v. Microsoft Corp., in which the company had received a US warrant under the SCA for data held in Ireland. While the parties agreed that the SCA lacked extraterritorial reach, they disputed whether the warrant at issue in this case was extraterritorial. Microsoft argued that the warrant was extraterritorial because it sought information stored in Ireland. The government argued that the warrant was domestic because Microsoft could comply by “undertaking acts entirely within the US.” Brief for United States at 25, United States v. Microsoft Corp., 138 S. Ct. 356 (2017) (No. 17-2).
As a practical matter, when the Department of Justice served Microsoft with the warrant, Microsoft faced three choices: (1) comply with the US government’s interpretation of the SCA and potentially violate Irish law or impinge on Irish sovereignty; (2) comply with Irish law and be held in contempt in the United States; or (3) seek to quash the SCA warrant to the extent it requires Microsoft to violate Irish law and thus force the United States to use a Mutual Legal Assistance Treaty (MLAT). Microsoft chose the third option. Matter of Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp., 829 F.3d 197, 200-01 (2d Cir. 2016), cert. granted sub nom. United States v. Microsoft Corp., 138 S. Ct. 356 (2017).
The Purpose of the CLOUD Act
With passage of the CLOUD Act, Congress has likely mooted the central question in Microsoft by implementing Section 2713 of the SCA. This new section requires that electronic communication service providers and remote computing service providers “comply with the obligations of [the SCA] to preserve, back up, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.” CLOUD Act § 103(a), to be codified at 18 USC. § 2713.
This new rule clarifying the SCA warrant power’s reach to “information located within or outside of the United States” applies to a number of SCA obligations, including those pursuant to a warrant for content; warrant, subpoena or other search authorization for non-content records; or pursuant to National Security Letters. Providers, upon request by a government entity, must preserve data in their possession for at least 90 days (180 days if the government entity requests) pending the issuance of a court order or other process. See 18 USC. § 2703(f). Id. The new provision would also apply to 18 USC. § 2704, which requires service providers to create backup copies of electronic communications sought by a government entity.
The CLOUD Act also attempts to address the ever-growing conflict of law issues facing multinational companies. The Act permits providers, within 14 days of service, to make a motion to modify or quash a warrant if “the required disclosure would create a material risk” of violating the law of a qualifying foreign government. CLOUD Act § 103(b), to be codified at 18 USC. § 2703(h)(2). The court can grant the provider’s request, but only upon finding that: (1) “the required disclosure would cause the provider to violate the laws of a qualifying foreign government”; (2) “based on the totality of the circumstances, the interests of justice dictate that the legal process should be modified or quashed”; and (3) “the customer or subscriber is not a United States person and does not reside in the United States.” Id.
Limitations of the CLOUD Act
The courts’ ability to grant a provider’s motion, however, is more limited than it may appear. In addition to the requirement that the subject reside outside of the United States, the “totality of the circumstances” analysis dictated by the Act requires the court to take into account the following factors, where “appropriate”:
- the interests of both the United States and the government entity seeking the disclosure;
- the interests of the foreign government in preventing a disclosure;
- the likelihood of the provider facing penalties owing to “inconsistent legal requirements”;
- the location and nationality of the customer whose communications are being sought;
- the nature and extent of the provider’s ties to and presence in the United States;
- the importance of the information to the investigation being undertaken; and
- the availability of alternate means of disclosure. CLOUD Act § 103(b), to be codified at 18 USC § 2703(h)(3).
In addition to these factors, the court may consider the foreign government’s interest in preventing the disclosure, which implies that foreign governments may need to assert their equities in US courts. Alternatively, providers themselves could attest to the foreign government’s interests. Id.
Perhaps most limiting is the fact that this “comity analysis” can be undertaken only when the conflict exists with a “qualifying” foreign government, which has signed a bilateral executive agreement, allowing for both nations to access data stored within the other’s borders. CLOUD Act Section 2523 adds a provision to Title 18, Chapter 119 of the US Code, which mandates that both the Attorney General and the Secretary of State certify that the foreign government’s laws afford “robust substantive and procedural protections for privacy and civil liberties in light of the data collection and activities of the foreign government that will be subject to the agreement.” CLOUD Act § 105(a), to be codified at 18 USC. § 2523(b).
As a further limitation, orders issued pursuant to the CLOUD Act Agreement must (1) relate to prevention, detection, investigation or prosecution of a particular “serious crime”; (2) identify a specific person, account, device or identifier; (3) be in compliance under the law of the foreign government; (4) be justified by “articulable and credible facts, particularity, legality, and severity regarding the conduct under investigation”; (5) be subject to “review or oversight by a court, judge, magistrate, or other independent authority,” and (6) only grant a wiretap authorization for a fixed amount of time no longer than reasonably necessary to accomplish its purpose and only if there is no “less intrusive” method of obtaining the desired information.
The CLOUD Act does not allow a foreign government to use the communications of a US person against that person unless those communications relate to “significant harm” against the US or US persons. Id. The Act goes on to list examples of what would constitute “significant harm,” like terrorism, child exploitation, transnational organized crime or significant financial fraud. Id.
Importantly, the CLOUD Act does not require the US government to disclose data to a foreign government. Instead, the Act aims to improve upon the MLAT process by making it easier for governments to share information.
As much as the CLOUD Act clarifies, there are still questions left unanswered, including whether or how the SCA applies to non-US companies, and what companies will do in the absence of these executive agreements, or where the conflict involves a US person or any person inside the US.
The Act does include a savings clause, which provides that the CLOUD Act shall not “be construed to modify or otherwise affect the common law standards governing the availability or application of comity analysis . . . to instances of compulsory process issued under [the SCA] and not covered under [Section 2703](h)(2).” See CLOUD Act § 103(c). In other words, for all cases not covered by new Section 2703(h), the CLOUD Act does not change the (undefined) “common law” comity standards, which currently apply to the SCA process.
Litigation will most likely focus on what those standards are and how they might be applied, both at the federal and the state level. In the meantime, the CLOUD Act should effectively moot the Microsoft case currently before the Supreme Court.
How other nations will view this new process is also an open question. At the closing session of the Global International Association of Privacy Professionals Conference in Washington DC, European Parliament Member Viviane Reding of Luxembourg, who in her previous position as vice president of the European Commission oversaw drafting of Europe’s forthcoming General Data Protection Regulation (GDPR), spoke about the “erosion of trust” that led to more restrictive rules on cross-border data flows, and noted the CLOUD Act in this regard.