Actual Impact of 2018 U.S. CLOUD Act Still Hazy
Over a year following enactment of the U.S. “Clarifying Lawful Overseas Use of Data” or CLOUD Act, significant questions remain unanswered about the law and its potential impact on global investigations involving cloud-stored data.
The CLOUD Act does two things. First, it explicitly authorizes U.S. law enforcement to obtain data held by U.S. Cloud Service Providers (“CSPs”) regardless of where in the world the data is physically stored. Second, the Act creates a framework for the negotiation of bilateral treaties that would give other countries the ability to access cloud data stored by U.S. CSPs.
Beyond that, considerable uncertainty still exists around how the Act will be applied. Because of the circumstances surrounding its enactment—the CLOUD Act was included in an emergency spending bill signed into law by President Trump to avoid a federal government shutdown—there is no legislative history, no committee hearings were held or reports issued, and no floor debate regarding the Act. And the Act itself contains no reporting requirements regarding either law enforcement’s use of these expanded powers or treaty negotiations with foreign governments.
To date, no U.S. Courts have issued opinions clarifying these issues.2 Interestingly, the U.S. Department of Justice recently issued a white paper on the CLOUD Act that focused more on what the Act does not do than what it does. For example, according to the White Paper the Act does not expand U.S. investigative authority or jurisdiction, impose U.S. legal process requirements on other countries, allow the U.S. Government to obtain any “new” data not already within its law enforcement reach, or steal trade secrets of foreign corporations.3 This “we are from the Government and here to help” theme is echoed in the broader blogosphere coverage on the CLOUD Act.
What we do know from the CSPs’ voluntary self-reporting is that U.S. CSPs are receiving legal process requests in unprecedented numbers (reported in a consolidated format here for the first time). Whether that increase is tied to the CLOUD Act or the simple fact that increasing volumes of commercial and personal data are being stored in the Cloud is unclear. We also know that the United States and the UK are in negotiations to establish a CLOUD Act treaty and that the United Kingdom passed a law similar to the CLOUD Act last year to enable entry into such an agreement.
Given these uncertainties and developments, as well as the massive movement of data to cloud storage, we thought it appropriate to step back and provide an overview of key issues for global companies trying to successfully navigate many of these relatively uncharted areas. Key topics in this update include:
- A brief (we promise) reminder summary of the CLOUD Act;
- Overview of issues left unresolved by the CLOUD Act;
- Self-reporting by U.S. CSPs;
- An analysis of the DOJ’s new White Paper;
- The mixed responses from European countries to the CLOUD Act; and
- Issues to watch in 2019 and beyond
What the CLOUD Act Does
The CLOUD Act makes two significant changes to U.S. law. First, it expands the explicit reach of U.S. law enforcement to data stored in the cloud. The Stored Communications Act (“SCA”) allows U.S. law enforcement agencies to demand customer information from CSPs, including the content of electronic communications, but the statute was unclear about whether this authority extended to data stored outside the United States.4 The CLOUD Act now grants federal and state law enforcement officials explicit authority to issue subpoenas or seek warrants or court orders forcing CSPs subject to U.S. jurisdiction to preserve and produce data wherever the CSPs decide to store it on a global basis. See "Forecasting the Impact of the New US CLOUD Act."
The CLOUD Act also introduces a new mechanism for cross-border law enforcement with so-called “Qualified Foreign Governments” (“QFGs”). Once certified as such, QFGs obtain several privileges, the most significant of which is that the Act allows U.S. CSPs to comply with law enforcement requests from QFGs that would otherwise violate U.S. law without any oversight from the U.S. government or having to rely on MLAT requests.5
To be recognized as QFGs, countries must first satisfy a list of criteria to ensure that they have “adequate” laws regarding human rights, civil liberties, cybercrime, and government data collection. The foreign government must then enter a bilateral agreement with the U.S. Government. The Act specifies a laundry list of provisions the agreement must include—primarily to prevent the targeting of U.S. persons and limit how the foreign government stores and uses data it acquires. Once an agreement is reached, it must be certified by the Attorney General and Secretary of State and sent to Congress, which has 90 days to veto the agreement. See "Forecasting the Impact of the New US CLOUD Act."
QFGs enjoy two other advantages. First, when U.S. law enforcement seeks data stored in the QFG’s jurisdiction, the CSPs can notify the QFG of the law enforcement request even where a U.S. court has ordered the CSP to keep the request secret pursuant to 18 U.S.C. § 2705(b) of the SCA. Second, QFGs can move to limit or quash requests from U.S. law enforcement that conflict with the QFG’s domestic law. See "Forecasting the Impact of the New US CLOUD Act."