A bipartisan group of lawmakers introduced bills in the US House and Senate that would significantly amend the Stored Communications Act (SCA),[1] which forms Title II of the Electronic Communications Privacy Act, to address issues frequently arising from cross-border data requests by law enforcement.[2] If enacted into law, the Clarifying Lawful Overseas Use of Data (CLOUD) Act would (1) require cloud providers operating domestically to comply with SCA-authorized data requests, even when the data is stored abroad, and (2) pave the way for executive agreements that would authorize certain foreign governments to request content directly from US service providers.
A cloud provider served with a cross-border data request will frequently find itself in a catch-22—either comply and violate the privacy laws of one country or refuse and violate the court order of another. As currently written, the SCA contributes to this problem from both ends. First, the law authorizes domestic warrants for stored data, but it is unclear whether those warrants can compel disclosure of data stored in foreign countries, particularly when complying would require violating foreign privacy laws. The Supreme Court took up this issue when it heard arguments in United States v. Microsoft (No. 17-2). Second, the SCA has been interpreted to forbid US service providers from complying with certain data requests from foreign governments made outside of the Mutual Legal Assistance Treaty process despite the fact that refusing would expose the provider to sanctions by the foreign government.[3]
The CLOUD Act—introduced by Orrin Hatch (R-UT), Christopher Coons (D-DE), Lindsey Graham (R-SC) and Sheldon Whitehouse (D-RI) in the Senate and a bipartisan group of seven representatives in the House—aims to address these issues by (1) clarifying that SCA requests may compel disclosure of data stored abroad and establishing robust mechanisms by which providers may challenge those requests and (2) establishing a framework for executive agreements that would facilitate cross-border data requests by foreign governments.
Domestic Requests for Data Stored Abroad
The CLOUD Act proposes adding an express provision to the SCA to clarify that the law applies to all information within a provider’s “possession, custody, or control, regardless of whether … [it] is located within or outside of the United States.” Specifically, a new 18 U.S.C. § 2713 would read:
“A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.”
The bill also creates a number of safeguards for cloud providers. First, providers are immunized from any liability for disclosure resulting from a good faith reliance on a court order. Second, providers may seek to quash or modify a request if the requested data concerns a non-US person, the disclosure would violate foreign laws, and “the interests of justice dictate that the legal process should be modified or quashed.” The bill mandates that evaluating this final criterion requires a court to conduct a comity analysis, taking into account a host of concerns including the sovereign interests involved, the location and nationality of customers whose data is at issue, the nature and extent of the provider’s ties to and presence in the United States, the importance of the information to the investigation and the likelihood of timely and effective access. Moreover, the CLOUD Act expressly preserves the provider’s ability to make common law comity claims where no executive agreement is in place. There are significant questions on how courts would proceed with the comity analysis permitted in the legislation given that US courts have not in the past undertaken this type of analysis regarding digital requests and that US courts often apply more limited doctrines when weighing in on matters of foreign relations.
Foreign Requests for Data Stored Domestically
The CLOUD Act would also create a new framework for entering into bilateral and multilateral executive agreements for cross-border data requests by qualifying foreign nations. To enter into such an executive agreement, the attorney general and the secretary of state would need to certify that (1) the law of the foreign government “affords robust substantive and procedural protections for privacy and civil liberties in light of the data collection and activities of the foreign government,” (2) the foreign government has adopted appropriate procedures to minimize the collecting, storing and spreading of data concerning US persons and (3) the agreement imposes certain obligations on the foreign government.
For example, the foreign government must agree not to use any order subject to the agreement to intentionally target US persons, obtain information at the request of the US government, infringe freedom of speech and so forth. Additionally, the foreign government must afford reciprocal data access rights by removing restrictions that might prevent a provider from disclosing data pursuant to valid US process. Foreign government requests must relate only to serious crimes, including terrorism, and must meet various procedural requirements.
The bill expressly forbids judicial review of the certification, but it does afford Congress a 90-day window to review and potentially reject proposed agreements. The attorney general and secretary of state must renew their determination every five years for the agreement to remain in effect.
The CLOUD Act has garnered support from major technology companies, but it has also faced criticism from civil liberties groups, which have argued that, while the CLOUD Act may promote the interests of law enforcement and protect cloud providers from liability for privacy violations, it does nothing to improve the SCA’s outdated privacy protections. For example, the law does not require that disclosure be compelled only with a warrant based on probable cause. Instead, it maintains the SCA’s frequently criticized patchwork of orders, subpoenas and warrants for compelled disclosure of stored communications.