The Sun Rises on the CLOUD Act
Last month, Congress passed the CLOUD (“Clarifying Lawful Overseas Use of Data”) Act, legislation designed to address the complex conflict of laws and data localization issues raised by disclosure of data stored in the cloud to U.S. and foreign law enforcement authorities. These issues were first made apparent by the United States v. Microsoft case currently pending before the Supreme Court, but they have long been simmering in the context of international criminal investigations.
As users’ information has moved to the cloud over the last decade, the laws governing its access by U.S. and foreign law enforcement have largely remained static. U.S. and foreign law enforcement agencies regularly seek data held by U.S.-based Internet and tech companies for use in investigations and run into a variety of technical and legal obstacles.
At times, U.S. law enforcement has been stymied by likely jurisdictional limitations on the extraterritorial reach of U.S. laws and warrants, as in the Microsoft case. U.S. and foreign law enforcement have long had to use the cumbersome Mutual Legal Assistance Treaty (MLAT) process rather than submit requests directly to some companies because of bars on content disclosure found in U.S. and foreign law.
Both the potential assertion of extraterritorial reach by U.S. law enforcement and foreign law enforcement frustration with the MLAT system have incentivized other countries to consider various types of problematic forced data localization, either to avoid U.S. law enforcement access to data or to facilitate access by their own law enforcement authorities.
The CLOUD Act is the outcome of an iterative legislative process to address both sides of this conflict. First, the Act attempts to set out rules through which U.S. law enforcement can access user information pursuant to lawful process. The second part of the Act incorporates the ideas of a draft legislative framework for bilateral agreements to enable foreign law enforcement requests proposed by DOJ in 2016. Both of these components require some modifications to the Stored Communications Act to permit disclosures of stored cloud data by U.S. providers to U.S. and foreign law enforcement pursuant to appropriate process.
Extraterritoriality of U.S. law enforcement requests
The first component of the CLOUD Act is designed to address, and likely moot, the U.S. v. Microsoft case. The CLOUD Act allows U.S. law enforcement to use existing legal process to require disclosure of data stored with providers subject to U.S. jurisdiction, unless both of the following hold: the provider reasonably believes the customer or subscriber is not a U.S. person, and the disclosure would create a material risk that the provider would violate the laws of a qualifying foreign government.
Courts may quash process on these grounds where the totality of the circumstances indicates that doing so would be in the interests of justice, a review that is treated as a “comity analysis” under international conflict-of-laws principles.
Notably, the CLOUD Act does not include the “warrant for content” fix, which is the main goal of traditional reform of the Electronic Communications Privacy Act. This fix would require a warrant based on probable cause for law enforcement access to any content data stored in the cloud. Instead, the bill leaves in place the existing legal process required for content; post-Warshak this generally is a warrant (though this may differ for non-U.S. person data).
Bilateral agreements with qualifying foreign nations
The other primary component of the CLOUD Act creates a legislative framework for foreign law enforcement access to data stored with U.S. providers, pursuant to the terms of an executive agreement negotiated between the U.S. and certain qualifying countries. These agreements will be subject to Congressional review over 180 days, which would allow interested stakeholders to raise concerns or objections.
A number of conditions must be met for an executive agreement to be deemed satisfactory under the CLOUD Act, as certified to Congress by the Attorney General with the concurrence of the Secretary of State.
One goal of enabling these agreements is to incentivize governments interested in obtaining evidence directly from U.S. providers to raise the standards of their digital privacy and criminal procedure laws. As a result, the CLOUD Act requires that a qualifying country have “robust substantive and procedural protections for privacy and civil liberties in light of the data collection and activities of the foreign government that will be subject to the agreement,” which include:
- Respect for the rule of law and principles of nondiscrimination;
- Protection from arbitrary and unlawful interference with privacy;
- Fair trial rights;
- Respect for freedom of expression, association, and peaceful assembly;
- Prohibitions on arbitrary arrest and detention; and
- Prohibitions against torture and cruel, inhuman, or degrading treatment or punishment.
An executive agreement negotiated with a qualifying country must also require the following:
- Requests must be narrow in scope, purpose and duration; incorporate specific rule of law protections; be subject to judicial review or oversight; and meet baseline legal standards around accountability, data minimization and retention, and transparency;
- Foreign government orders may not be used to infringe freedom of speech;
- The foreign government must afford reciprocal rights of data access to the United States government, to include, where applicable, removing restrictions on communications service providers, including providers subject to U.S. jurisdiction; and
- The foreign government must agree to periodic review by the U.S. government of its compliance with the terms of the executive agreement; and the U.S. government must reserve the right to render the executive agreement inapplicable as to any order for which it concludes the executive agreement may not properly be invoked.
The CLOUD Act is the first step in creating a sensible, more privacy-protective system for lawful law enforcement access to data stored in the cloud. The next steps are implementation and improvement.
First, cloud companies and U.S. law enforcement need to see how the CLOUD Act’s rules for governing U.S. law enforcement requests play out in practice. Those rules should be supplemented by the passage of a true “warrant for content” fix to ensure that all content in the cloud, regardless of age, requires a warrant based on probable cause for disclosure to law enforcement.
Next, foreign governments need to ensure their legal regimes meet the substantive and procedural due process requirements necessary to qualify for a bilateral agreement with the United States, so that their law enforcement entities can more easily obtain digital evidence stored with U.S. cloud service providers. For example, as the European Union considers the requirements of its own upcoming rules to help European law enforcement obtain e-evidence from cloud providers, it should consider making the scope, parameters, and procedures of its request tools consistent with those outlined for executive agreements in the CLOUD Act.
Additionally, it may turn out that once some bilateral agreements are in place and operational, the U.S. determines that additional privacy and rule of law requirements are necessary for countries to qualify and recertify in the future.
The development of an improved, more efficient and privacy-protective system for cross-border law enforcement access to data or e-evidence will be a continuous and iterative process. With cooperation, the end result should be a win-win for users and law enforcement: stronger digital privacy protections internationally, coupled with more efficient law enforcement investigations.