The CLOUD Act, which was signed into law on Friday, will significantly change the rules governing certain types of data stored overseas by U.S. businesses. Passed as part of a 2,232-page spending bill, the CLOUD Act addresses a question that U.S. tech companies and other digital service providers have long been grappling with: May the U.S. government compel a company operating in the United States to produce data that it stores outside the country?
The CLOUD Act makes clear that in the case of legal process served under the Stored Communications Act (SCA), which applies to certain types of digital service providers, the answer is yes. The law will also allow U.S. businesses covered by the SCA to respond to certain foreign governments’ requests for records that are stored here in the United States.
U.S. clients should be aware that businesses covered by the SCA may now be ordered to disclose records regardless of where the records are stored, provided that all of the other requirements of the law are met. If the U.S. government enters into certain Executive Agreements with other countries, clients covered by the SCA may also be permitted to disclose records held in the United States pursuant to orders issued by foreign governments.
U.S. Law Enforcement Requests for Data Held Overseas
The first part of the CLOUD Act (short for “Clarifying Lawful Overseas Use of Data”) requires U.S. companies that are served with court orders under the SCA to turn over data no matter where the data is stored—so long as it is within the U.S. company’s “possession, custody, or control.” The Supreme Court heard argument on this very issue last month in United States v. Microsoft, in which Microsoft argued that the SCA, as it stood before enactment of the CLOUD Act, did not cover requests for the contents of communications stored overseas. Many other tech companies took the same position. The CLOUD Act now effectively moots the question that was presented in Microsoft: It leaves no doubt that the SCA applies to data stored overseas by companies subject to jurisdiction in the United States.
However, clients should be aware that the SCA does not apply to all types of businesses or all types of data. It applies to providers of “electronic communication services” and “remote computing services.” Generally speaking, these terms include businesses that facilitate electronic communications by customers (e.g., e-mail or electronic messaging) and businesses that provide members of the public with computer storage services (e.g., cloud computing services). The types of records sought can include the contents of stored communications as well as information about individual subscribers.
The CLOUD Act also contains a provision that U.S. tech companies strongly supported: It allows providers served with orders or subpoenas under the SCA to file a petition to modify or quash the order or subpoena if the provider reasonably believes that (1) the target of the request is not a U.S. person and does not reside in the United States; and (2) the required disclosure creates a material risk that the provider would violate the laws of another country with which the U.S. government has an Executive Agreement (discussed in the next part below). A court can quash the subpoena or order if it finds that both of these factors are met and that the overall interests of justice favor the provider’s challenge. The statute lists a number of considerations that must be taken into account in the interests-of-justice assessment, including considerations of international comity.
Providers may also be able to raise international comity-based challenges where an order would force the provider to violate the laws of another country with which the United States does not have an Executive Agreement. In that circumstance, the provider’s arguments would have to be based on common law comity considerations rather than any provision of the CLOUD Act. At oral argument in the Microsoft case, the government’s attorney stated the government’s position that such challenges can be pursued only in the context of a contempt proceeding, rather than by motion to quash the subpoena or order.
Requests by Foreign Governments for Data Held in the United States
The CLOUD Act’s second component will allow the U.S. government to enter into Executive Agreements with other countries that will permit U.S. companies covered by the SCA and other provisions of the Electronic Communications Privacy Act to respond to those other countries’ requests for data. This aspect of the legislation resembles a proposal introduced by the Obama administration in 2016, which was designed to enable data-sharing between the United States and the U.K.
Under the SCA as it currently stands, a U.S. company subject to the SCA that is served with a court order or other request for data by a foreign government is generally prohibited from complying. The CLOUD Act changes this by permitting these types of businesses to respond to requests from foreign governments that have entered into an Executive Agreement with the United States. For example, if an Executive Agreement between the United States and the U.K. is reached, a U.S. company that is subject to the U.K.’s jurisdiction could be served with an order under the laws of the U.K. to produce customer data; if that data is stored in the United States, the company would be permitted to disclose it.
The CLOUD Act sets numerous parameters for these Executive Agreements, which will need to be approved on an individualized basis by the Attorney General and the Secretary of State. Congress will also have 180 days in which it can vote to disapprove a new proposed Executive Agreement. Key requirements include the following:
- The other country’s laws must afford robust protections for privacy, civil liberties, and other human rights;
- The other country must adopt procedures to minimize the collection and dissemination of information provided under the agreement that concerns U.S. persons;
- The agreement must prohibit the other country from intentionally targeting U.S. persons or anyone else who is located in the United States; and
- The agreement must prohibit the other country from issuing orders for data at the behest of the U.S. government or a third country.
Additionally, orders issued under these Executive Agreements must:
- Be for the purpose of investigating or preventing serious crimes;
- Target a specific person or identifier (such as an e-mail account or phone number);
- Be reasonably justified based on articulable and credible facts; and
- Be subject to oversight or review by a court or other independent authority.
In sum, the CLOUD Act significantly alters the legal landscape for U.S. businesses covered by the SCA when they are served with requests by the U.S. government for data that they store overseas. It will also significantly change the rules for U.S. businesses covered by the SCA that are served with requests by other governments for data that is stored here. This second part of the law, however, will have an impact only once the U.S. government begins entering into Executive Agreements with other countries.