On Friday morning, March 23, President Trump signed the $1.3 trillion omnibus spending bill into law, including the Clarifying Lawful Overseas Use of Data (CLOUD) Act, and in doing so established a sea change in the rules for cross-border government access to the contents of electronic communications. The CLOUD Act consists of three core components: (1) resolving the main issue in the Microsoft Ireland case pending before the U.S. Supreme Court, (2) providing a process for entities to request a comity analysis for potential conflicts with non-U.S. legal obligations, and (3) removing legal barriers to complying with foreign law enforcement requests from approved governments for the content of electronic communications, subject to novel legal protections.
Resolving the Microsoft Ireland Issue
The new law resolves the main dispute in the case, started in 2013, where the U.S. Department of Justice has sought the content of emails held by Microsoft in Ireland. Microsoft argued that prior law authorized this sort of access only for data held within the territorial boundaries of the United States. On Microsoft’s view, the U.S. could access the requested data by making a request under a Mutual Legal Assistance Treaty to the foreign nation, such as Ireland. The Department of Justice, by contrast, argued that it could require production of emails and the content of other electronic communications stored anywhere in the world.
Microsoft won in the Second Circuit. At the Supreme Court argument, Microsoft argued that the decision would better be made in Congress, which could legislate an overall solution to resolving the interests of different countries for cross-border requests for data. The CLOUD Act, introduced in Congress on a bipartisan basis, and supported in Congress both by the service providers and the administration, is the legislative resolution of the legal dispute in the Microsoft Ireland case.
The CLOUD Act amends the Stored Communications Act by adding a new section (18 U.S.C. § 2713) requiring covered service providers to “disclose” (and also “preserve” and “backup”) the contents and associated records of electronic communications that are in the provider’s “possession, custody, or control,” regardless of where the data is physically located. This language tracks the doctrine in a series of cases following United States v. Bank of Nova Scotia. Under the Bank of Nova Scotia doctrine, the U.S. has been able to compel banks to produce foreign-held records where the records are in the “possession, custody or control” of the bank.
Invoking Comity Analysis in Law Enforcement Requests
While the U.S. government gained greater access to stored content than Microsoft had argued existed under prior law, the CLOUD Act has two comity provisions that provide potentially significant limits on U.S. government access.
The first provision, which will be codified at 18 U.S.C. §2703(h)(2), applies to requests that create possible conflicts with “qualifying” foreign governments – the governments that have in place the sort of executive agreements with the U.S. that are described below. In such instances, to account for potential conflicts with their foreign legal obligations, the Act allows service providers subject to legal process to motion to modify or quash where the service provider reasonably believes that
(a) the customer/subscriber is not a U.S. person and does not reside in the U.S., and
(b) disclosing the relevant data would cause the provider to violate foreign law.
As one example, if there is an executive agreement in the future with a member of the European Union, then this comity analysis would apply if the General Data Protection Regulation (GDPR) or other European law made it unlawful for the service provider to provide the data to the U.S. government.
The provider has 14 days to file such motion after receiving process, though the government or court may agree to extend the deadline. The court may modify or quash the process, as appropriate, if it finds that
(a) the required disclosure would cause the provider to violate the laws of a qualifying foreign government;
(b) based on the totality of the circumstances, the interests of justice dictate that the legal process should be modified or quashed; and
(c) the customer or subscriber is not a United States person and does not reside in the United States.
In determining the “totality of the circumstances,” the Act directs the court to perform a comity analysis accounting for the interests of the United States, the interests of the applicable foreign government, the likelihood and type of penalties the service provider might suffer if it complies with the process, and more. CLOUD Act Sec. 103(b) (to be codified at 18 U.S.C. § 2703(h)(3)).
The second comity provision states that the comity procedure just described does not modify or otherwise affect common law or other comity standards. Thus, comity law is changed only for the sub-set of requests for communications covered by Section 2703(h)(2).
Certification and Review of Foreign Governments
Section 105 of the CLOUD Act creates a new legal regime where foreign governments may enter into executive agreements with the U.S. government to gain streamlined access to the content of electronic communications, such as emails and social network posts. Section 105 arises out of extensive academic and policy discussion in recent years, as shown at the home page of the Georgia Tech Cross-Border Access to Data Project, led by Professor Peter Swire, who is also Senior Counsel to Alston & Bird.
Under prior law, U.S. service providers needed a probable cause warrant, signed by a U.S. judge, to release the content of electronic communications. (The same blocking rules did not apply to non-content information about the communications.) The CLOUD Act removes this blocking provision of the Electronic Communications Privacy Act (ECPA) where foreign law enforcement requests come from a qualifying country, and the individual request meets the law’s requirements. In such instances, the foreign government can gain access to content directly from the service provider, instead of going through the often-lengthy process of a Mutual Legal Assistance Treaty request.
The CLOUD Act establishes a process for the President to create an executive agreement with a foreign country that would qualify it to take advantage of these changes to ECPA. The U.S. Attorney General and Secretary of State would need to agree that the executive agreement meets each of a long list of criteria, demonstrating that the country has “robust substantive and procedural protections for privacy and civil liberties in light of the data collection and activities of the foreign government that will be subject to the agreement.” Congress will have 180 days to disapprove of any such executive agreement, under streamlined legislative procedures.
The Act requires the Attorney General and Secretary of State to review these approvals every five years and submit a report to Congress outlining the reasons for the renewal, any substantive changes to the agreement or to the foreign country’s relevant laws and procedures, and any issues that have arisen as a result of the agreement during the past five years. If the Attorney General and Secretary of State do not renew their approval of a foreign country, then the relevant ECPA blocking provisions would once again apply to any requests from that government.
Significant requirements for the foreign requests include:
• Prohibits targeting of US citizen and resident data. For such data foreign governments would still need to go through the MLA system and obtain a warrant based on probable cause.
• Prohibits indirect targeting of US citizen data and prohibits the foreign government from sharing that data back with the United States unless it relates to significant harm or the threat of such harm to the United States or United States persons.
• Requires that requests be particularized – targeting a specific person, account, address, personal device or other identifier.
• Requires that requests be based on “articulable and credible facts.”
• Requires that requests be subject to review or oversight by a court, judge, or magistrate or other independent authority;
• Requires that any live intercept orders be for a “fixed, limited duration” and “not last any longer than is reasonably necessary to accomplish the approved purposes” and be issued “only if the same information could not reasonably be obtained by another less intrusive measures.”
• Prohibits use of data to infringe on freedom of speech, and requires the country to meet a list of human rights standard, such as prohibition on torture.
• Requires the country to adopt minimization procedures regarding information concerning U.S. persons.
• Requires the foreign government to agree to compliance reviews, so that the U.S. government can monitor implementation of the executive agreement.
The passage of the CLOUD Act will cause a number of changes in the near and short term, including mooting the Microsoft Ireland case currently before the U.S. Supreme Court. Under the CLOUD Act, Microsoft would be subject to the legal process at issue despite the physical location of the data in Ireland. It would retain the opportunity to challenge that process under the comity provisions in the Act.
Foreign governments who wish to gain streamlined access to communications content now have a strong incentive to implement privacy controls that meet the Act’s requirements. In return, once executive agreements are in effect, those countries will gain increased access to data held by U.S. service providers relevant to foreign law enforcement efforts.
Once executive agreements are in place, service providers will need to prepare for increased demands for data held abroad, and will need to make timely objections where those requests may conflict with foreign legal requirements, such as the European Union’s GDPR.