left-caret

PH Privacy

CLOUD Act Implements Crucial Statutory Changes Affecting Law Enforcement Access to Data

March 30, 2018

Peter Hegel, Behnam Dayanim, and Rob Silvers

On March 23, 2018, President Trump signed into law, as part of a broader spending bill, the Clarifying Lawful Overseas Use of Data (“CLOUD”) Act, which enacted crucial statutory changes affecting law enforcement access to data stored by online service providers.

Background of the CLOUD Act

The CLOUD Act aims to resolve simmering conflicts between U.S. authorities and service providers arising from law enforcement requests to obtain data that is stored abroad.  A number of service providers took the position that law enforcement process served under the Stored Communications Act (“SCA”) only applied to data stored on servers located within the United States and not abroad—even though the provider had the capacity to access the data and full remote control of the data.  Circuit and district courts have split on the question of the extraterritorial reach of the SCA, and the issue is currently pending before the Supreme Court in United States v. Microsoft Corp., a closely-watched case raising the question whether the U.S. government can order Microsoft to turn over emails of a drug trafficking investigation suspect where the data is stored on servers in Ireland. In light of the CLOUD Act, it now appears the Microsoft litigation is moot, and that a new and modernized framework will govern law enforcement data requests going forward.

Provisions of the CLOUD Act

The CLOUD Act begins with Congressional acknowledgement of the need for “[t]imely access to electronic data held by communications-service providers [as] an essential component of government efforts to protect public safety and combat serious crime, including terrorism.”  In an effort to facilitate improved access to data by U.S. and foreign government agencies, the CLOUD Act undertakes new changes covering four chief areas: i) it grants U.S. government the ability to compel U.S. service providers to provide requested data located on servers abroad, ii) it provides a process by which technology companies can challenge U.S. law enforcement requests, iii) it provides a framework for new “executive agreements” governing cross-border data requests, iv) it provides some specifics addressing how these executive agreements will be entered into and renewed.

U.S. Government Can Now Reach Data Stored Abroad

The first substantive section of the CLOUD Act amends the SCA such that U.S. government authorities can now compel American service providers to provide data regardless of the location of the server that the data is stored on.  While the U.S. government must still adhere to the normal warrant and subpoena requirements, this portion of the Act directly addresses the central dispute in United States v. Microsoft.

Process for Challenging U.S. Government Requests

The CLOUD Act also creates a new statutory framework whereby service providers may challenge U.S. government process based on the material risk of a conflict with the laws of “qualifying foreign governments.”  Specifically stressing comity, the Act authorizes service providers to challenge warrants when compliance will implicate the service provider in a conflict of laws with other countries.

Pursuant to this framework, a service provider may file a motion to modify or quash the legal process if it reasonably believes that (i) “the customer or subscriber is not a United States person and does not reside in the United States,” and (ii) “the required disclosure would create a material risk of violating the laws of a qualifying foreign government.”

In order for a court to approve the service provider’s motion, the court must find that (i) “the required disclosure would violate the laws of a qualifying foreign government,” (ii) “the interests of justice dictate that the legal process should be modified or quashed,” and (iii) “the customer or subscriber is not a United States person and does not reside in the United States.”

Executive Agreements On Access to Data By Foreign Governments

Prior to the CLOUD Act, when governments attempted to obtain evidence stored in another country, they often had to work through slow and cumbersome mutual legal assistance treaties (“MLATs”).  Through the MLAT process, a foreign government seeking data from a U.S. provider was required to ask the U.S. Department of Justice to obtain a U.S. court order for that information.  The CLOUD Act, however, dramatically changes this, allowing certain foreign governments to directly serve legal process requests on U.S. providers without any intermediary requests to the Justice Department or involvement of U.S. courts.
However, the Act sets up restrictions regarding which foreign governments may enter into an executive agreement.  In order for a foreign government to qualify, the “Attorney General, with the concurrence of the Secretary of State” must evaluate the country and submit a written certification to Congress that (i) the country “affords robust substantive and procedural protections for privacy and civil liberties,” (ii) the country has appropriate procedures in place that minimize the “acquisition, retention, and dissemination of information” about U.S. persons, and (iii) the executive agreement includes limitations preventing the foreign government from intentionally targeting a U.S. person or person located in the U.S., and also from issuing orders at the request of the U.S. government.

Executive and Legislative Requirements for Executive Agreements

The CLOUD Act ends with language governing how the executive agreements will be entered into and renewed.  Specifically, once the Attorney General certifies a new executive agreement, the Attorney General must notify and provide a copy to Congress for review.  Unless Congress enacts a joint resolution of disapproval within 180 days, the executive agreement will enter into force.

Once the executive agreement is entered into force, the Attorney General must review the executive agreement and the underlying qualifications of the foreign country every five years.  Upon such review, the Attorney General must then submit a report to Congress documenting the reasons for renewal, any substantive changes to the agreement or to foreign law, and “how the agreement has been implemented and what problems or controversies, if any, have arisen.”