The CLOUD Act: What Compliance Means for Firms

April 2022 - Ian Allen

The Clarifying Lawful Overseas Use of Data (CLOUD) Act (“the Act”) gives U.S. law enforcement agencies access to firms’ communications records stored outside the United States for use in criminal investigations.

The CLOUD Act compels firms that physically store data on servers outside the United States to comply with court-issued Stored Communications Act (SCA) warrants (“warrants”) for digital evidence. Firms must comply with SCA warrants even when laws in the host country would prevent them from giving foreign investigatory bodies (e.g., the U.S. Justice Department) access to that data; a conflict with foreign law may be raised in court, but it is not a defense to the warrant’s reach. The CLOUD Act also gives the U.S. government the power to enter into bilateral data-sharing agreements with foreign nations that remove the liability data-storing firms would otherwise face under the partner country’s data privacy laws when they comply.

In practice the Act primarily concerns communications service providers (CSPs) and remote computing service providers, but it generally applies to any data stored abroad by companies that do business in the United States. Conversely, data stored in the United States can be subject to foreign investigatory orders under the bilateral CLOUD Act agreements described above.

Firms located in, doing business in, or storing data in the United States or in any nation party to a CLOUD Act agreement are therefore subject to foreign authorities. They must learn when compliance with a warrant may still risk violating the data privacy laws of the country hosting their data so that they can respond appropriately. Wholly U.S.-based firms, in turn, must understand how bilateral agreements formed under CLOUD Act authority can make domestic firms subject to foreign investigative authorities.

What is the CLOUD Act?

Signed into law by President Trump in March 2018, the CLOUD Act was partially catalyzed by a dispute between Microsoft and the U.S. government that culminated in the 2018 Supreme Court case United States v. Microsoft. The goal of the CLOUD Act is to overcome the disconnect between where data is located and the legal grounds for collecting it, thus easing the collection of electronic evidence by U.S. authorities from firms with global operations.

After being served an SCA warrant for data related to a criminal investigation that was physically stored on servers in Ireland, Microsoft refused to comply, arguing that the SCA’s investigative authority does not extend to data stored outside the territorial jurisdiction of the United States. The CLOUD Act, which passed while the case was pending before the Supreme Court, made explicit that SCA warrants obtained by the Department of Justice reach data physically stored outside the United States. This rendered the Microsoft case moot, but the Act’s ramifications go well beyond settling that dispute.

The Act also addresses efforts to improve upon the slower and less-responsive data access mechanisms provided by mutual legal assistance treaties (MLATs). According to the Department of Justice, reliance on MLATs has been a significant barrier to investigations involving digital evidence. In recent years the number of MLAT requests has increased dramatically, and firms often move data between physical servers in various countries. These obstacles strain the MLAT system and cause significant delays in criminal investigations that depend upon digital evidence.

The CLOUD Act seeks to build fast and responsive cooperative frameworks between law enforcement agencies in the United States and allied nations whose data privacy laws differ from its own. Such frameworks would ideally make criminal investigations involving transnational evidence easier and more efficient, and these efforts have historically been supported by large technology firms such as Microsoft, Google, and Apple.

The Two Prongs of the CLOUD Act

The CLOUD Act entails two major expansions of extraterritorial jurisdiction. First, as relevant to the Microsoft case, the Act amends federal law to authorize U.S. law enforcement agencies to unilaterally demand access to data stored outside the United States via SCA warrants. Firms can still challenge warrants through applicable legal mechanisms if compliance would violate the laws of the country in which the requested communications data is stored, but the CLOUD Act codifies the warrants’ extraterritorial reach and renders moot any challenge based solely on the data being stored abroad.

Second, the Act gives the U.S. government the power to remove the barriers foreign data privacy law would otherwise place in the way of U.S. orders. The Act empowers the Executive branch to form bilateral agreements with foreign nations that mutually extend extraterritorial jurisdiction over stored data from one party state into the other. CLOUD Act agreements help the U.S. government avoid legal conflicts over data privacy when exercising investigatory powers over data stored abroad, and they give the same power to the partner state.

The first CLOUD Act agreement was signed in 2019 by the United States and the United Kingdom. Australia next entered into a CLOUD Act agreement in December 2021. Negotiations with the European Union on an agreement began in 2019 but have not concluded. The U.S. and Canada announced negotiations for an agreement in March 2022.

Firms located in a country that is party to a bilateral CLOUD Act agreement do not risk violating the laws of their host nation by complying with SCA warrants issued by U.S. law enforcement. Firms located in countries that are not party to such an agreement can only dispute issued warrants through applicable legal mechanisms, such as a motion to quash or modify, and have no grounds to challenge them on the basis that the data is stored abroad, as Microsoft attempted in its 2018 case.


Extended Powers and Limitations

CLOUD Act agreements run both ways: law enforcement in either nation can submit orders for electronic evidence in serious criminal matters directly to CSPs. Under these bilateral agreements, a foreign order can be served on a firm in control of potential digital evidence without involving the government of the CSP’s host nation.

Though the Act lays out requirements with respect to a prospective partner nation’s data privacy and judicial process standards, entering into an agreement requires only certification by the U.S. Executive branch. Congress can object to a new agreement, but no formal approval from the legislative or judicial branches is required.

The DOJ has clarified that CLOUD Act agreements do not impose jurisdiction on domestic or foreign CSPs where it did not already exist. The issuing court must already have jurisdiction over the provider before a warrant can be enforced.

While SCA warrants still apply only to stored communications data relevant to criminal investigations, the CLOUD Act establishes clear statutory authority for these warrants to be enforced extraterritorially. An agreement between two states does not extend to third countries: neither the United States nor its agreement partner can use the agreement to compel providers in its jurisdiction to comply with orders issued by a state that is not party to it.

What the CLOUD Act Means for Firms

The CLOUD Act is an extraterritorial expansion of U.S. law enforcement powers, but those powers are not without limits.

If a firm is based in, or stores data in, a country that is party to a bilateral CLOUD Act agreement, any data it holds in that country is subject to SCA warrants issued by U.S. law enforcement agencies. Even if the nation hosting a firm or its stored data is not party to a CLOUD Act agreement, the data is still subject to U.S. warrants because of the Act’s extraterritorial reach.

In addition, the Act’s investigative powers are bilateral in nature: foreign nations that are party to CLOUD Act agreements have the authority to order access to data stored in the United States. The only limitations on this authority are those of preexisting jurisdiction and the terms of the agreement itself.

Even if compliance with a warrant would risk violating conflicting privacy laws of the host nation, the authority of a warrant for stored data issued under the Act cannot be avoided; the Act reaffirms the extraterritorial reach of such warrants. Where data privacy laws conflict, firms are left to seek relief through the courts or other applicable administrative processes, whether in the United States or in the country hosting the data.

Ultimately, the CLOUD Act directly touches a wide range of global firms that store data in multiple foreign jurisdictions. It represents a new and necessary compliance focus for any company with a global digital footprint.


The information provided in this article does not, and is not intended to, constitute legal advice; instead, all information, content, and materials herein are for general informational purposes only.