The CLOUD Act: What new legislation overhauling U.S. laws for obtaining data means for businesses in Asia
For businesses in Asia, the bottom line of the CLOUD Act is that law enforcement agencies both within and outside of the United States will now have increased access to data globally.
On March 23, 2018, President Trump signed into law the “Clarifying Lawful Overseas Use of Data” or “CLOUD” Act, closely watched U.S. legislation amending the Stored Communications Act (SCA), that changes the way courts in the United States will review certain requests from U.S. law enforcement agencies for content stored outside the United States, and that creates a new mechanism for law enforcement agencies around the world to request data stored in the United States. For businesses in Asia, the bottom line of the CLOUD Act is that law enforcement agencies both within and outside of the United States will now have increased access to data globally.
The CLOUD Act, which passed in Congress with limited debate as part of a massive 2,232-page spending bill, was supported by the Trump Administration and many leading technology companies but had drawn criticism from prominent privacy advocates in the United States and elsewhere. The law addresses a narrow but important question that had just made its way to the U.S. Supreme Court in the case of United States v. Microsoft: May the U.S. Department of Justice use a court order under the SCA to compel Microsoft to produce emails that it had stored outside the United States? Microsoft had argued that the answer was no, citing among other arguments the risk that such orders could subject it to conflicting obligations under U.S. law and the law of the jurisdiction where the data was stored. The U.S. Department of Justice disagreed, arguing the relevant question was not where the information was stored but whether Microsoft employees in the United States had access to it.
The CLOUD Act effectively moots the question presented in Microsoft (which the parties have asked the Court to dismiss as moot): It leaves no doubt that, going forward, the SCA reaches data under the “possession, custody, or control” of any provider subject to U.S. jurisdiction, regardless of where the data is stored. However, as discussed below, the law also gives Microsoft and other similarly situated companies a better vehicle to raise conflict-of-law concerns. In addition, the CLOUD Act addresses the inverse of the scenario at issue in the Microsoft case: It creates a new mechanism—which is dependent on future bilateral agreements between the United States and other nations—for non-U.S. governments to request data stored in the United States from U.S. companies.
The bottom line of the CLOUD Act is that law enforcement agencies both within and outside of the United States will now have increased access to data globally. U.S. businesses covered by the relevant provision of the SCA may now be ordered to disclose records regardless of where such records are stored, provided that the other requirements in the law are met. And—in certain circumstances, discussed below—non-U.S. regulators may request and obtain data located and stored in the United States.
U.S. law enforcement requests for data held overseas
The first part of the CLOUD Act requires a company that is served with a valid court order under the SCA to turn over data no matter where the data is stored—so long as it is within the company’s “possession, custody, or control.” The Supreme Court heard argument on this very issue in February in the Microsoft case.
Importantly, the SCA does not apply to all types of businesses or all types of data. It applies to providers of “electronic communications services” and “remote computing services.” Generally speaking, these terms include businesses that facilitate electronic communications by customers (e.g., e-mail or electronic messaging) and businesses that provide members of the public with computer storage services (e.g., cloud computing services). See 18 U.S.C. §§ 2510(15), 2711(2). These businesses are generally prohibited from disclosing the contents of communications to the government (or to anyone else) other than through the process set out in the SCA, which includes judicial review.
While the CLOUD Act makes clear that the SCA can reach data stored outside the United States, it contains a limitation that Microsoft and other technology companies strongly supported: The provision allows providers served with orders or subpoenas under the SCA to file a petition to modify or quash the order or subpoena if the provider reasonably believes that (1) the target of the request is not a U.S. person and does not reside in the United States; and (2) the required disclosure creates a material risk that the provider would violate the laws of another country with which the U.S. government has an Executive Agreement (discussed in the next part below). A court can quash the subpoena or order if it finds that both of these factors are met and that the overall interests of justice favor the provider’s challenge. The statute lists a number of considerations that must be taken into account in the interests-of-justice assessment, including considerations of international comity.
Providers may also be able to raise international comity-based challenges where an order would force the provider to violate the laws of another country with which the United States does not have an Executive Agreement.
In that circumstance, the provider’s arguments would have to be based on common law comity considerations rather than any provision of the CLOUD Act.
At oral argument in the Microsoft case, the government’s attorney stated the government’s position that such challenges can be pursued only in the context of a contempt proceeding, rather than by motion to quash the subpoena or order.
Requests by foreign governments for data held in the United States
The CLOUD Act’s second component will allow the U.S. government to enter into Executive Agreements with other countries that will permit U.S. companies covered by the SCA and other provisions of the Electronic Communications Privacy Act to respond to those other countries’ requests for data. This aspect of the legislation resembles a proposal introduced by the Obama administration in 2016, which was designed to enable data-sharing between the United States and the U.K., and could pave the way for agreements with other countries.
Under the SCA as it currently stands, a U.S. company subject to the SCA that is served with a court order or other request for data by a foreign government is generally prohibited from complying. The CLOUD Act changes this by permitting these types of businesses to respond to requests from foreign governments that have entered into an Executive Agreement with the United States. For example, if an Executive Agreement between the United States and Singapore is reached, a U.S. company that is subject to Singapore’s jurisdiction could be served with an order under the laws of Singapore to produce customer data; if that data is stored in the United States, the company would be permitted to disclose it. The CLOUD Act sets numerous parameters for these Executive Agreements, which will need to be approved on an individualised basis by the Attorney General and the Secretary of State. Congress will also have 180 days in which it can vote to disapprove a new proposed Executive Agreement. Key requirements include the following:
- The other country’s laws must afford robust protections for privacy, civil liberties, and other human rights;
- The other country must adopt procedures to minimise the collection and dissemination of information provided under the agreement that concerns U.S. persons;
- The agreement must prohibit the other country from intentionally targeting U.S. persons or anyone else who is located in the United States; and
- The agreement must prohibit the other country from issuing orders for data at the behest of the U.S. government or a third country.
Additionally, orders issued under these Executive Agreements must:
- Be for the purpose of investigating or preventing serious crimes;
- Target a specific person or identifier (such as an e-mail account or phone number);
- Be reasonably justified based on articulable and credible facts; and
- Be subject to oversight or review by a court or other independent authority.
The introduction of an Executive Agreement regime will significantly reduce the hurdles for authorities in foreign countries seeking to compel production of documents and data located in the United States. Generally speaking, prior to the coming into force of the CLOUD Act and in respect of countries with which the United States does not have an Executive Agreement, the only option available to foreign authorities seeking production of a document or data in the United States is to make a specific request to obtain evidence to the U.S. Department of Justice’s Office of International Affairs (OIA). Absent the CLOUD Act, the gathering of evidence for foreign investigations, prosecutions and criminal proceedings more generally has to go through the OIA. After receiving a request, the OIA processes it and—assuming the OIA were to cooperate with the request—takes its own measures to compel production of the requested evidence before sharing the evidence with the foreign authorities.
The process is cumbersome and time-consuming. The CLOUD Act significantly shortens it by permitting persons in the United States to comply with a foreign production request without the foreign authority having to go through the OIA first. In practice, the change ushered in by the CLOUD Act will be relevant for two categories of businesses operating in Asia: (1) United States-based companies that mainly store their consumer data in the United States and that have operations in Asia and assets under management from Asia-based clients; and (2) Asia-based companies that store data in the United States. For both of these categories of companies, it is important to note that the CLOUD Act makes it far easier for regulators and investigators in Asian countries to request and obtain data from those companies if such data is located or stored in the United States.
In sum, the CLOUD Act significantly alters the legal landscape for certain businesses covered by the SCA when they are served with requests by the U.S. government for data that they store outside the United States. The impact of this change will chiefly be felt by providers of “electronic communications services” and “remote computing services” subject to U.S. jurisdiction as well as by customers of those companies. The CLOUD Act may also significantly change the rules for U.S. businesses covered by the SCA that are served with requests by other governments for data that is stored in the United States. Such changes, however, will only begin to be felt once the U.S. government has started entering into Executive Agreements with other governments.
Morrison & Foerster LLP is an international law firm with 16 offices located throughout the United States, Asia, and Europe. The firm has over 1,000 lawyers who advise clients across a range of industries and practices, including corporate/M&A, private equity and fund formation, banking and finance, data privacy and security, intellectual property, litigation, anti-corruption and compliance.
More from Daniel P. Levison, Morrison & Foerster