In the global digital economy, companies increasingly face conflicts between legal demands to produce data and local laws that restrict production of data. Congress recently enacted the CLOUD Act to address these conflicts in the context of the Stored Communications Act, 18 U.S.C. §§ 2701-2712 (“SCA”). Under the SCA, companies have struggled with how to respond to United States Government (“USG”) demands for data held in foreign jurisdictions where such disclosure may violate local laws in the jurisdiction where the data is stored.
The CLOUD Act – which stands for the Clarifying Lawful Overseas Use of Data – amends the SCA by adding § 2713, and establishes a procedure for a provider of electronic communication service (“Provider”) to seek protection from mandatory disclosure of non-US data to the USG where disclosure would violate the non-US law of the jurisdiction where the data is stored. The CLOUD Act also establishes a framework for qualifying foreign governments to procure non-US data stored in the US without creating legal liability under the SCA for the provider of electronic communications services. The Act also clarifies requirements to preserve data stored abroad even if the company plans to utilize the procedures available to contest disclosure.
A threshold requirement for invoking the protective procedures under the CLOUD Act to apply is that the data at issue must be stored in a qualifying foreign country. A qualifying foreign country is one that has entered into an Executive Agreement with the USG governing access to data in this context. The CLOUD Act prescribes certain pre-requisites for a foreign government to be eligible to enter into such an Executive Agreement, including that such foreign country must have robust substantive and procedural civil liberties protections that are comparable to those in the US. It is anticipated that the USG may enter into such an Executive Agreement with the United Kingdom and subsequent agreements will later be adopted. Several of the key takeaways from the CLOUD Act are as follows:
1. Preservation. Providers must preserve, backup, or disclose the contents of a wire or electronic communications, or any other records or information pertaining to their customers or subscribers, within the Providers' possession, custody, or control, regardless of whether that information is located within or outside the United States.
2. Motion to Quash or Modify Within 14 Days. Providers may object under the CLOUD Act to a USG demand by filing a motion to quash or modify, and a court may grant the motion only if: (a) the disclosure would cause the Provider to violate the law in a qualifying foreign jurisdiction; (b) based on the totality of circumstances, justice requires that the disclosure should be quashed or modified; and (c) the subscribers at issue are not US persons or US residents. In order to quash a disclosure order served pursuant to the SCA, a Provider must file the motion with the court within fourteen (14) days of receipt of the SCA demand. The court will ultimately decide whether to quash or modify the order based on the totality of circumstances.
3. Other Legal Demands Beyond the SCA. The CLOUD Act only applies in the context of the SCA. It does not apply by its terms to other types of disclosure or production demands, such as civil litigation demands, regulatory oversight and disclosure requirements, grand jury subpoenas, USA PATRIOT Act demands, national security letters, and the like. It may, however, provide companies responding to such other demands with some persuasive authority when seeking protections from the extraterritorial application of disclosure demands based on comity or other theories. See, e.g., Societe Nationale Industrielle Aerospatiale v. United States District Court for the Southern District of Iowa, 482 U.S. 522 (1987).
4. Global Privacy and Data Governance Programs. Companies need to design their global privacy and data governance programs to help address conflicts between legal demands to produce data and local privacy and data restrictions on data production. The CLOUD Act, MLATs, and other mechanisms are providing certain avenues to help address these issues in narrow circumstances, but company programs should be designed to: (i) resist production of data except where it is strictly legally required, (ii) reduce potential local law risk where disclosure is required, and (iii) provide managers with the opportunity to make strategic decisions when neither of the above offer a complete solution.
More will be known about the CLOUD Act as Executive Agreements are reached with qualifying foreign governments and the Act is applied in practice.