On March 23, 2018, the omnibus spending bill was signed into law; a portion of it contains the Clarifying Lawful Overseas Use of Data Act (CLOUD Act).
The CLOUD Act’s main goal is to grant governments timely access to electronic data stored by communication-service providers (such as email service providers, certain cloud service providers and social media providers). The Act allows US law enforcement authorities to access data stored abroad and allows foreign authorities to directly seek disclosure of data held by US providers “to protect public safety and combat serious crime, including terrorism.”
The CLOUD Act offers some guidance to communication-service providers when they receive orders from the US or foreign governments to disclose data that are not located in the country from which the order comes (e.g., where the FBI issues a search warrant to a US cloud service provider to disclose users’ data stored on one of its servers located in the EU).
U.S. orders accessing data stored abroad. A communication-service provider shall preserve and disclose the contents of a “wire or electronic communication and any record or other information pertaining to a customer or subscriber” within its control, regardless of whether such information is located within or outside of the U.S. However, orders compelling providers to disclose content stored abroad that may be in breach of the laws of a “qualifying foreign government” (i.e. a country that has signed an executive agreement with the United States to facilitate cross-border law enforcement access to data) may be challenged.
The communication-service provider can file a motion to quash or modify the order if it reasonably believes that (i) the customer or subscriber is not a United States person or he or she does not reside in the United States and (ii) the required disclosure would create a material risk that laws of a qualifying foreign government would be violated.
The court may modify or quash the order taking into account various factors set out in the CLOUD Act, such as the investigative interests of the U.S., the foreign government’s interest in preventing disclosure, and the location and nationality of the subscriber or customer in question.
Extraterritorial orders accessing data stored in the United States. Based on the CLOUD Act, foreign governments may enter into a bilateral executive agreement with the United States and become a “qualifying foreign government”. Qualifying foreign governments may serve legal process directly on U.S. communication-service providers according to their own laws. The Act removes barriers that might otherwise prohibit a US provider from complying with the foreign order, but does not compel a US provider to comply with any foreign order.
A government may enter into a bilateral agreement under the CLOUD Act after the Attorney General has submitted certain written certifications attesting that the country affords substantive and procedural protections for privacy and civil liberties. Bilateral agreements shall be based on the principle of reciprocity.
The orders that may be submitted by the foreign government directly to a U.S. provider shall:
- be for the purpose of obtaining information relating to a serious crime, including terrorism;
- identify a specific person, account, address, device, or other identifier;
- comply with the foreign government’s domestic law;
- be based on requirements for a reasonable justification based on credible facts;
- be subject to judicial review or oversight;
- not be used to infringe freedom of speech.
The CLOUD Act sets a legal framework for cases like the Microsoft one, where the Second Circuit held that the U.S. Government could not force service providers to surrender information stored abroad. However, it will be interesting to see the impact that the CLOUD Act will actually have on current cases related to similar issues and its interaction with the existing Mutual Legal Assistance Treaties on criminal matters, in place between the United States and 52 other countries.
For more information on cross-border transfer of data, contact Francesca Giannoni-Crystal and Federica Romanelli.
Originally published on Technethics in April 2018.