As the United States v. Microsoft case hurtles toward oral arguments in the U.S. Supreme Court on February 27, the nearly impossible has happened: Congress introduced legislation on the very issues the Supreme Court case seeks to solve. This week, bipartisan members from the House and the Senate introduced the Clarifying Lawful Overseas Use of Data (CLOUD) Act, legislation that reflects cooperation amongst Congress, the Department of Justice, and tech companies like Microsoft on the issue of law enforcement access to data stored overseas.
This is huge news for users of the cloud, whether they are customers, small businesses, or major international companies. The cloud is inherently international, and Congress is long overdue to update the laws that govern when and how U.S. law enforcement investigators can access data in the cloud, wherever its servers may be located.
At its core, the CLOUD Act seeks to provide a framework that defines cross-border access to data in a way that reduces international conflicts and upholds sovereign privacy laws. By authorizing bilateral comity agreements, the CLOUD Act takes businesses out of the middle and makes governments responsible for mitigating conflicting laws on cross-border access to data.
While the introduction of the CLOUD Act is an important first step in finding a solution to conflicts in law enforcement requests for data, many of you are probably wondering how this legislation compares to the one we’ve been advocating for, the International Communications Privacy Act (ICPA).
We hope this Q&A will help provide some clarity and answer the questions you may have about the new CLOUD Act.
Q: ICPA was proposed as a solution to clarify rules in lawful access to data. Will the CLOUD Act also address conflicts between U.S. and foreign data access laws?
A: Yes. ICPA legislation would have required U.S. investigators, at the beginning of their investigations, to notify the foreign government and the U.S. company that holds the data of a request for a foreign citizen’s data. This notification requirement would have given the foreign government an opportunity to challenge the investigation based on a potential conflict between the U.S. law enforcement request and their sovereign law. In a different way, the CLOUD Act provides a path for foreign countries to enter bilateral comity agreements with the United States that address potential conflicts in data access laws before requests for data are made.
Q: What would be different if I received an order for data stored abroad under the CLOUD Act?
A: When comparing ICPA and the CLOUD Act, there aren’t many meaningful differences in protocol when a company receives a request for data stored overseas. Under the CLOUD Act, however, you can be more confident that a conflict with a foreign government’s law will not prevent you from complying with U.S. law enforcement requests. This confidence is important because lack of clarity has been a key issue under the current law as foreign “blocking statutes” often penalize companies for complying with lawful data requests issued by U.S. investigators.
We have long sought to improve the clarity of the law defining the reach of U.S. warrants for data. Without legal clarity, conflicts often weigh in favor of law enforcement investigators whose primary purpose is to access data. If the extent of U.S. law enforcement authority is unclear, it will unfairly advantage the investigators over the targets or recipients of investigative orders. The CLOUD Act provides a bilateral framework for countries to clarify the responsibilities of companies, U.S. law enforcement, and foreign governments when faced with lawful requests for data.
Q: Why does the CLOUD Act authorize bilateral agreements? Why can’t they be multilateral and address several countries at once? What about the EU?
A: The U.S. and the EU have a history of seeking bilateral agreements such as the Privacy Shield, which is designed to address differences in the two governments’ approach to data privacy. Similarly, the U.S. and EU governments should seek a bilateral comity agreement under the CLOUD Act. But for countries that are not part of an overarching government or confederacy, each of those governments should separately forge an agreement with the U.S. to ensure that their citizens are afforded the appropriate rights and protections. The bilateral approach in the CLOUD Act helps facilitate U.S. law enforcement requests for data while ensuring the privacy and due process rights other governments provide apply to their citizens. In other words, a bilateral comity agreement provides a nuanced framework that ensures the rules that govern law enforcement access to data are based on a person’s citizenship, not the location of their data.
Q: I have customers in countries all around the world. How long will it take the United States to enter bilateral comity agreements with the countries where I do business?
A: In countries that have legal systems with basic human rights protections, the comity agreements should fall into place quickly. Human rights protections are the main qualifying requirements for countries to enter comity agreements under the CLOUD Act; therefore, countries that lack basic due process protections will be required to update their laws before they can enter comity agreements. This process may take some time, and in some instances, it may not happen at all.
In countries that do not enter a bilateral comity agreement with the United States, existing sovereign law continues to apply, but the United States would have the authority to issue warrants for data stored there. This has nearly the same effect under the CLOUD Act as it would have under ICPA.
Under ICPA, countries that did not have mutual legal assistance treaties (MLATs) with the United States—likely many of the same countries that would not qualify for bilateral comity agreements—would be subject to U.S. requests for data. ICPA would have allowed the U.S. to investigate citizens of non-MLAT countries without notifying their governments—similarly, the CLOUD Act would allow the U.S. to investigate non-comity agreement countries without notifying those governments.
Q: If the bilateral agreements under the CLOUD Act seek to remove conflicts between foreign laws and U.S. laws, how do foreign governments ensure their citizens are protected by due process requirements?
A: Under the CLOUD Act’s bilateral comity agreements, a government’s due process rights are intended to follow and protect their citizen wherever they may be.
For example, if the United Kingdom seeks to investigate a British citizen who has data stored by an American provider in the United States, the British investigators must meet the due process requirements of the United Kingdom, not the United States. This makes sense because the British citizen being investigated—even if he or she is a criminal—can ostensibly participate in British democracy but likely cannot vote in the United States. From a political perspective, the British person being investigated “deserves” British due process protections; it would be less appropriate to apply American due process to protect his or her rights.
In summary, the CLOUD Act ensures citizenship rights follow a person wherever his or her data may be stored in a way that ICPA was unable to do on its own.
Q: What is the effect of the CLOUD Act’s bilateral comity agreements on the European Commission’s General Data Protection Regulation (GDPR)? Doesn’t GDPR’s Article 48 prohibit a data holder’s compliance with an order issued by the U.S. government?
A: Article 48 of the GDPR addresses investigative orders issued by foreign (including U.S.) authorities with respect to EU citizens. We have expressed concern over the potential conflict Article 48 could create with U.S. law enforcement requests. But legal experts have not yet come to a consensus on whether Article 48 of the GDPR prohibits compliance with law enforcement requests for data. One reason for this is that member countries’ data protection authorities can enforce Article 48 and may interpret it in different ways. We are expecting that the U.S. will seek to enter a comity agreement with the EU itself, encompassing the countries that comprise the Union. This will go a long way toward resolving the Article 48 question.
In order to enter a bilateral comity agreement with the United States, the CLOUD Act requires an interested country to change certain of its laws if they conflict with the two governments’ ability to share data as part of lawful investigations. If the U.S. is able to enter a comity agreement with the EU itself, the EU could either update its law to remove the conflict or stipulate that orders issued under the agreement do not conflict with Article 48.
It will be interesting to see how the GDPR issue is resolved. Laws like Article 48 are among the tougher problems to solve between governments, and we will be watching closely and advocating for certainty in this area.