Since it was enacted in March 2018, the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) has been controversial with privacy advocates in the United States and the subject of sustained criticism by the European Parliament and other organizations abroad. Over the past year, companies that store data outside the United States have been pressed by non-U.S. customers and counterparts to explain whether the CLOUD Act creates new risk that their data may now be within reach of the U.S. government and have had to re-examine existing data storage arrangements.
There remains a good deal of confusion about what changes the CLOUD Act made to U.S. law and the practical implications for many companies. One year later, the U.S. Department of Justice (DOJ) has launched a campaign to promote a greater understanding and appreciation of what the CLOUD Act accomplishes. This effort includes recent remarks Deputy Assistant Attorney General Richard Downing delivered at the Academy of European Law Conference, a dedicated resource page on the DOJ website for CLOUD Act materials, and a new white paper titled “Promoting Public Safety, Privacy, and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act.” Companies grappling with whether and how to respond to the CLOUD Act should take note of the DOJ’s comments and what they foreshadow.
As we wrote last year, the CLOUD Act has two distinct components. First, the Act allows the U.S. government to enter into Executive Agreements with other countries that will permit companies subject to U.S. jurisdiction to respond to those other countries’ requests for data. (To date, no such bilateral agreements have been executed.) Second, the Act amends the Stored Communications Act (SCA) to clarify that companies subject to U.S. jurisdiction served with court orders must turn over data they control regardless of where it is stored. Both the framework for executive agreements and the amendments to the SCA have been the subject of criticism and, in some cases, misinformation. DOJ’s white paper is an effort to respond to critics and educate the public about the effect, scope, and impact of the Act, including in the following key areas.
U.S. Law Enforcement Access to Overseas Data
Passage of the CLOUD Act was catalyzed by Microsoft’s high-profile litigation over a U.S. law enforcement request for customer data stored by the company in Ireland. The CLOUD Act had the effect of requiring Microsoft to provide to law enforcement data that the U.S. Court of Appeals for the Second Circuit previously had ruled was beyond the reach of a warrant under the SCA, effectively resolving the pending Supreme Court review of that issue. This practical effect has led some commentators to view the CLOUD Act’s amendment of the SCA as expanding the authority of U.S. law enforcement to obtain data overseas that would otherwise be beyond its reach. In contrast, the DOJ describes the amendment as “restoring the widely accepted and long-standing understanding of U.S. law,” noting that the Microsoft decision was the first time an appellate court held that the SCA did not authorize the government to require disclosure of data stored abroad from companies subject to U.S. jurisdiction. The Department makes clear that it views the SCA amendment as a clarification that does not create new authority for U.S. law enforcement to obtain information.
Jurisdiction over Global Communications Service Providers (CSPs)
Some have suggested that executive agreements, insofar as they could require a U.S.-based global CSP to comply with a foreign government order to provide electronic data, would impose a new obligation on such providers. The DOJ makes clear, however, that the CLOUD Act does not impose any new obligation to comply with a foreign government order or establish, by itself, that a foreign government has jurisdiction over a CSP. Rather, in the situation where a foreign country has jurisdiction over a CSP under its domestic law, DOJ provides that an executive agreement under the CLOUD Act would only eliminate any potential conflict with U.S. law for qualifying government orders. Removing the potential conflict between the SCA and another country’s law, in the DOJ’s view, in no way affects whether that country has jurisdiction over the CSP.
Mutual Legal Assistance Treaties (MLATs)
The focus on executive agreements under the CLOUD Act can leave the misimpression that the MLAT process – the traditional method of obtaining evidence in such cases – is no longer available. In fact, the MLAT process remains available even in cases where data might also be available pursuant to an executive agreement. The DOJ hopes that executive agreements will ultimately ease the burden on the MLAT process, but for now, with no executive agreements in place, the MLAT system remains the primary mechanism by which law enforcement agencies can seek the assistance of their foreign counterparts to obtain electronic data overseas.
Another piece of misinformation that the white paper responds to is the idea that the CLOUD Act could require providers to decrypt certain data or communications in response to law enforcement. The CLOUD Act requires that executive agreements be “encryption neutral,” neither requiring decryption nor foreclosing governments from ordering decryption to the extent authorized by their laws. This posture reserves the challenges posed to law enforcement by end-to-end encryption for separate discussions among governments, companies, and other stakeholders.
Privacy and Human Rights
Perhaps the loudest criticism of the CLOUD Act has come from privacy, civil liberties, and human rights organizations that argue the law does not do enough to ensure that executive agreements do not give foreign governments with questionable privacy and human rights records greater surveillance authorities and capabilities.
Companies that have heard these criticisms may find it useful to note that DOJ has now offered a strong defense of the safeguards in the statute, describing the CLOUD Act as “a new paradigm: an efficient, privacy and civil liberties-protective approach.” To begin with, DOJ notes that the U.S. cannot enter an agreement with a foreign country unless the Attorney General certifies that the partner country has robust substantive and procedural protections for privacy that meet standards in the statute. The white paper also points to executive and congressional oversight, as well as the requirement that orders pursuant to executive agreements must be lawfully obtained under the domestic system of the country seeking the data; must target specific individuals or accounts; must have a reasonable justification based on articulable and credible fact, particularity, legality, and severity; and must be subject to review or oversight by an independent authority, such as a judge or magistrate. DOJ expects that these and other standards in the law will be a significant motivation for countries that wish to enter into an executive agreement with the United States to increase protections for privacy and civil liberties. Although the white paper is unlikely to allay all concerns, it is part of a broader effort by the Department to bring greater awareness to the significant protections and safeguards that are included in the law.
Rather than announcing a new policy or case, the DOJ white paper and related remarks are part of a coordinated effort to build support for the CLOUD Act both domestically and abroad. DOJ is making the case that there is great potential for executive agreements under the CLOUD Act to promote public safety, but the fact remains that there are no executive agreements more than a year after the law’s enactment. Thus it remains to be seen whether the framework will significantly change how U.S. and foreign law enforcement agencies obtain and share electronic evidence across international borders. If and when there is progress toward one or more executive agreements, such as that reportedly under negotiation with the U.K., global CSPs will need to pay close attention to how the terms of such agreements and any related changes to laws in foreign countries can affect their obligations to respond to certain requests for electronic data.
While DOJ has made significant efforts to correct widespread misconceptions regarding the CLOUD Act and to anchor it in long-standing U.S. government policy, the legislation will no doubt continue to be a source of controversy and highlight differences in approach between the U.S. and European governments. Companies that are caught up in such controversies may find the DOJ paper useful in clarifying what the legislation has and has not changed and the important safeguards built into U.S. law.