Arnold & Porter Discusses How CLOUD Act Revamps Government Access to Data
The massive 2,232-page, $1.3 trillion spending bill signed into law on March 23 by President Trump does more than just fund the government. The bill also contains a provision that will have a significant impact on data privacy. Tacked on the end of the spending bill is the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which revamps the decades-old regime governing how law enforcement can access data stored abroad by service providers. Under the CLOUD Act, US officials can compel service providers to provide data regardless of where that data is stored.
First, a bit of background. The Stored Communications Act (SCA), passed as part of the Electronic Communications Privacy Act of 1986 (ECPA), permits the government to compel a service provider to produce its customer and user data by means of a court order.1 The problem is that the SCA does not specify whether such a court order applies to data stored abroad. As a result, some companies, notably Microsoft, have argued that the "presumption against extraterritoriality," which holds that US laws are presumed to apply only within the territory of the United States, applies to the SCA and thus SCA court orders do not apply to data stored abroad. Indeed, just last month the Supreme Court heard argument on this issue in United States v. Microsoft, a case where Microsoft refused to comply with a SCA warrant to produce data located in Ireland.
The CLOUD Act seeks to clean up this morass. It adds a new section to the SCA, which states:
A provider . . . shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider's possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.
Thus, the CLOUD Act makes clear that the test for the application of any SCA court order is whether the information sought is within the provider's control, and not where the provider stores that information.
While privacy advocates might balk at this new provision, the CLOUD Act includes some safeguards. For one, the provider can file a motion to quash when it "reasonably believes" the "customer or subscriber is not a United States person and does not reside in the United States" and there is a "material risk" that production of the compelled data would violate the laws of a "qualifying foreign government." As to this latter point, interference with the domestic affairs of a foreign country has been a prickly issue under the original SCA framework. Providers would sometimes find themselves in a catch-22, required by a warrant to produce data stored in foreign countries but simultaneously prohibited from disclosing the data under foreign law. The CLOUD Act addresses this issue by requiring the court to perform a comity analysis whenever the provider files a motion to quash.
The other significant import of the CLOUD Act is that it addresses the opposite situation where a foreign country requests data stored inside the United States. Before the CLOUD Act, foreign authorities seeking to obtain data in the United States had to resort to cumbersome data-sharing and legal assistance treaties, such as mutual legal assistance treaties (MLATs). As Justice Alito noted during oral argument in Microsoft, this process generally required months, if not years, before data sharing requests were completed, which allowed investigations to go stale and cases to go cold. The CLOUD Act should expedite the process and replace, at least to an extent, MLATs.
The CLOUD Act permits providers to disclose information to a foreign government if that government has an executive agreement with the United States. But not all foreign governments will be able to enter into such an agreement. Rather, such agreements will (at least by design) be limited to so-called "rule-of-law" countries because prior to any agreement the "Attorney General, with the concurrence of the Secretary of State" must determine and certify to Congress that the foreign country has various safeguards, such as "robust substantive and procedural protections for privacy and civil liberties" or "appropriate procedures to minimize the acquisition, retention, and dissemination of information concerning United States persons subject to the agreement."
Additionally, even if a foreign government qualifies and enters into an executive agreement with the United States, their orders to produce data must meet a number of requirements." For example, foreign orders must concern only "serious crimes, including terrorism," "be based on requirements for a reasonable justification based on articulable and credible facts, particularity, legality, and severity regarding the conduct under investigation," and not target US persons or persons located within the United States. In short, the CLOUD Act's privacy safeguards set conditions that must be met before a foreign country enters into an executive agreement with the United States, and restricts the scope of orders issued by that foreign jurisdiction that will be recognized under the executive agreement.
The CLOUD Act should offer law enforcement a potent tool to use in their investigations, and those concerned with their privacy additional safeguards and assurances that their data will be accessed properly.