Actual Impact of 2018 U.S. CLOUD Act Still Hazy

Dechert LLP [co-author: Catherine Adams, Trainee solicitor]

Over a year following enactment of the U.S. “Clarifying Lawful Overseas Use of Data” or CLOUD Act,1 significant questions remain unanswered about the law and its potential impact on global investigations involving cloud stored data.

The CLOUD Act does two things. First, it explicitly authorizes U.S. law enforcement to obtain data held by U.S. Cloud Service Providers (“CSPs”) regardless of where in the world the data is physically stored. Second, the Act creates a framework for the negotiation of bilateral treaties that would give other countries the ability to access cloud data stored by U.S. CSPs.

Beyond that, considerable uncertainty still exists around how the Act will be applied. Because of the circumstances surrounding its enactment—the CLOUD Act was included in an emergency spending bill signed into law by President Trump to avoid a federal government shutdown—there is no legislative history, no committee hearings were held or reports issued, and no floor debate regarding the Act. And the Act itself contains no reporting requirements regarding either law enforcement’s use of these expanded powers or treaty negotiations with foreign governments.

To date, no U.S. courts have issued opinions clarifying these issues.2 Interestingly, the U.S. Department of Justice recently issued a White Paper on the CLOUD Act that focused more on what the Act does not do than what it does. For example, according to the White Paper, the Act does not expand U.S. investigative authority or jurisdiction, impose U.S. legal process requirements on other countries, allow the U.S. Government to obtain any “new” data not already within its law enforcement reach, or steal trade secrets of foreign corporations.3 This “we are from the Government and here to help” theme is echoed in the broader blogosphere coverage on the CLOUD Act.

What we do know from the CSPs’ voluntary self-reporting is that U.S. CSPs are receiving legal process requests in unprecedented numbers (reported in a consolidated format here for the first time). Whether that increase is tied to the CLOUD Act or the simple fact that increasing volumes of commercial and personal data are being stored in the Cloud is unclear. We also know that the United States and the UK are in negotiations to establish a CLOUD Act treaty and that the United Kingdom passed a law similar to the CLOUD Act last year to enable entry into such an agreement.

Given these uncertainties and developments, as well as the massive movement of data to cloud storage, we thought it appropriate to step back and provide an overview of key issues for global companies trying to successfully navigate many of these relatively uncharted areas. Key topics in this update include:

  • A brief (we promise) reminder summary of the CLOUD Act;
  • Overview of issues left unresolved by the CLOUD Act;
  • Self-reporting by U.S. CSPs;
  • An analysis of the DOJ’s new White Paper;
  • The mixed responses from European countries to the CLOUD Act; and
  • Issues to watch in 2019 and beyond.

What the CLOUD Act Does

The CLOUD Act makes two significant changes to U.S. law. First, it expands the explicit reach of U.S. law enforcement to data stored in the cloud. The Stored Communications Act (“SCA”) allows U.S. law enforcement agencies to demand customer information from CSPs, including the content of electronic communications, but the statute was unclear about whether this authority extended to data stored outside the United States.4 The CLOUD Act now grants federal and state law enforcement officials explicit authority to issue subpoenas or seek warrants or court orders forcing CSPs subject to U.S. jurisdiction to preserve and produce data wherever the CSPs decide to store it on a global basis. See "Forecasting the Impact of the New US CLOUD Act."

The CLOUD Act also introduces a new mechanism for cross-border law enforcement with so-called “Qualified Foreign Governments” (“QFGs”). Once certified as such, QFGs obtain several privileges, the most significant of which is that the Act allows U.S. CSPs to comply with law enforcement requests from QFGs that would otherwise violate U.S. law without any oversight from the U.S. government or having to rely on MLAT requests.5

To be recognized as QFGs, countries must first satisfy a list of criteria to ensure that they have “adequate” laws regarding human rights, civil liberties, cybercrime, and government data collection. The foreign government must then enter a bilateral agreement with the U.S. Government. The Act specifies a laundry list of provisions the agreement must include—primarily to prevent the targeting of U.S. persons and limit how the foreign government stores and uses data it acquires. Once an agreement is reached, it must be certified by the Attorney General and Secretary of State and sent to Congress, which has 90 days to veto the agreement. See "Forecasting the Impact of the New US CLOUD Act."

QFGs enjoy two other advantages. First, when U.S. law enforcement seeks data stored in the QFG’s jurisdiction, the CSPs can notify the QFG of the law enforcement request even where a U.S. court has ordered the CSP to keep the request secret pursuant to 18 U.S.C. § 2705(b) of the SCA. Second, QFGs can move to limit or quash requests from U.S. law enforcement that conflict with the QFG’s domestic law. See "Forecasting the Impact of the New US CLOUD Act."

Several additional features of the Act are worth highlighting:

  • The CLOUD Act imposes no new requirements on CSPs vis-à-vis foreign governments; it merely permits them to cooperate with QFGs if they so choose.
  • The CLOUD Act confers no rights on the creator or owner of the data. The Act never requires CSPs or foreign governments to disclose data requests to the customer. Nor does the Act provide a mechanism for the customer to challenge U.S. or foreign government requests.
  • The Act does not define the “cloud” or “cloud services” but incorporates existing definitions from the 1986 Electronic Communications Privacy Act, see 18 U.S.C. § 2510(12), which have been interpreted broadly by U.S. courts to apply to e-mail, instant messaging, videoconferencing, wireless calling, remote or backup data storage, and cloud hosting or processing.
  • The Act imposes no transparency or reporting requirements on the Attorney General or State Department regarding negotiations with foreign governments seeking QFG status under the Act other than the final certification to Congress. This means that the U.S. public may not learn of a potential agreement with a QFG until it has already been signed.
  • It is unclear what will happen where an extraterritorial data request conflicts with the law of the country where the data is stored. The CLOUD Act allows CSPs to challenge subpoenas that conflict with laws of QFGs only. In other contexts, courts have applied common law comity analysis to subpoenas that conflict with foreign law. See, e.g., United States v. Field, 532 F.2d 404, 407 (5th Cir. 1976). It is possible that U.S. courts will take a similar approach to CLOUD Act subpoenas, but it is also possible that the Act’s singling out of QFGs means that other countries’ laws should receive no such accommodation.

CSP Self-Reporting

The “Big Five” CSPs—Amazon, Apple, Facebook, Google, and Microsoft—all currently publicly disclose how many law enforcement requests they receive. These disclosures are purely voluntary (not required by the CLOUD Act) and are perhaps done so the CSPs can demonstrate their commitment to protecting customer privacy even in the face of legal process from U.S. law enforcement. As demonstrated in the graph below, these reports show that CSPs received significantly more legal process requests in 2018 than in 2017. It is difficult to tell how much of that growth is due to increased requests for data stored abroad by U.S. CSPs because requests had also been increasing steadily on an annual basis over the three years before passage of the CLOUD Act.

Moreover, these reports do not reveal how the CLOUD Act has changed how CSPs respond to government requests. For example, while some of the reports show how often the CSPs challenge government requests, they do not indicate how many of those challenges are based on potential conflicts with foreign law. A search of publicly available court filings does not reveal whether any such challenges have been made by CSPs—though it is possible that some have been made under seal.

DOJ White Paper

The new DOJ White Paper provides some guidance on how the Justice Department interprets the CLOUD Act, though it does not address many of the most important questions raised above. It is also important to understand that such white papers – should they be viewed as “guidance documents” – are purely informational, do not rise to the level of regulation or rule, and are not legally binding on the Department.6

The primary purpose of the White Paper appears to be to explain why the CLOUD Act is a good thing and allay concerns the public, CSPs, or foreign governments may have about the Act. Thus, much of the White Paper, and accompanying FAQs, focuses more on what the CLOUD Act does not do than what it does.

In terms of the Act’s benefits, the White Paper presents the CLOUD Act as a more efficient way to handle the computing realities of the twenty-first century without the encumbrances of the MLAT process while still protecting civil liberties. The White Paper also repeats the government’s position that the Act was necessary to make the United States compliant with the International Convention on Cybercrime, also known as the Budapest Convention.7

One might suggest that the White Paper promises more in the way of assurances than it can actually provide. For example, while the White Paper touts the advantages of executive agreements with QFGs,8 the actual advantages will depend on the terms and conditions of the executive agreements themselves, none of which yet exist. And although the White Paper says that the Act is “encryption neutral” (meaning it does not force CSPs to decrypt customer data), the Act itself is silent on encryption. Thus, whether the Act is truly encryption neutral may depend on how it is interpreted by the courts and/or the terms of the specific executive agreements with QFGs, which is hardly a recipe for uniform global data standards.

In terms of the Act’s effects, the White Paper does not say much about how the Act will be implemented other than what the statute itself provides. But it does clarify three important limitations. First, the White Paper explains that the Act did not change the pre-existing jurisdictional requirements,9 meaning that while the Act clarifies what data the government may seek, it does not expand who the government can seek it from. Thus, for example, a Canadian CSP serving only non-U.S. clients with data stored in Brazil remains beyond the reach of U.S. law enforcement absent a separate treaty agreement. Second, the White Paper clarifies that the Act imposes no requirements on CSPs to share data with foreign governments, even QFGs, but merely removes a potential conflict of law if they choose to do so or are required to do so by foreign law.10 Though, again, it remains to be seen whether the executive agreements might impose additional requirements on U.S. CSPs.

Third, the White Paper takes the view that conflicts with even non-QFG foreign law can pre-empt U.S. legal process. While the CLOUD Act allows QFGs to challenge legal process that conflicts with their laws, it leaves unresolved whether a conflicts/comity analysis would be permitted where the U.S. request conflicts with the laws of a non-QFG. The White Paper takes the position that even absent such an agreement, courts are empowered to conduct a common law comity and conflicts analysis and potentially limit or modify the U.S. request.11 But nothing in the Act requires courts to do so, and as discussed above it is an open question whether courts will read such a test to be implicit in the Act—especially given that the Act provides a mechanism for challenging subpoenas that conflict with the laws of QFGs only.

Mixed Responses from European Countries

As referenced above, a major question around the CLOUD Act is how many foreign governments will choose (or be able) to seek QFG status. Because the CLOUD Act requires QFGs to meet human rights and civil liberties standards, many of the most likely potential QFGs are in Europe. Actual reactions from European countries, however, have been decidedly mixed. So far, no country has been recognized as a QFG and only the UK is known to be taking steps to do so.

Since 2015, even before the CLOUD Act was enacted, representatives from the U.S. and the UK have been engaged in negotiations towards a cooperation agreement that would grant reciprocal rights to request electronic data from CSPs.12 The CLOUD Act put in place the required legislation in the United States to give effect to such an agreement.13 The UK recently passed an analogous law, the Crime (Overseas Production Orders) Act (“COPO Act”), which brings the UK into alignment with the cloud data regime in the United States. Like the CLOUD Act, the COPO Act will allow the UK authorities to obtain electronic data from CSPs in foreign countries if there is a Designated International Cooperation Agreement (“DICA”) in place, and could allow those foreign countries to access data stored in the United Kingdom.14

The prospects for a UK-U.S. agreement are also impacted by EU law because the EU’s General Data Protection Regulation (“GDPR”) prohibits data sharing with foreign governments. The EU Commission is also currently seeking a mandate to negotiate an electronic-evidence treaty with the United States,15 which makes it unlikely that other individual member states will try to do the same on their own. Even if Brexit happens, the UK government has set out its intention to pass a Data Protection Bill which mirrors GDPR post-Brexit.16 This raises further questions about the possibility of a DICA with the United States, even if the UK leaves the EU.

No CLOUD Act negotiations with countries other than the UK have been reported, though it is possible such negotiations are being conducted in confidence because the U.S. Government is not required to disclose them.

A vastly different view of the U.S. CLOUD Act is seen in a report authored principally by French National Assembly member Raphaël Gauvain for Prime Minister Edouard Philippe.17 Running over one hundred pages and filled with historic and recent complaints regarding the extraterritorial application of U.S. law and judicial protectionism and concerns about the vulnerability of French companies and their data under the CLOUD Act to U.S. law enforcement, the Gauvain Report proposes massive increases in corporate and personal fines for violations of the so-called French Blocking Statute, creation of legal privilege to protect in-house legal communications from disclosure in foreign proceedings, and extending the privacy protections of GDPR to data created by legal entities. While the Gauvain Report does not necessarily reflect the views of the French government, it does underscore the deep wariness and suspicion regarding the CLOUD Act in civil law countries and the uncertainty that they will seek QFG status.

In sum, it remains unclear which, if any, countries will become QFGs in the near future.

Conclusion and Issues to Watch in 2019 and Beyond

As this Update makes clear, there is no shortage of questions with respect to the actual impact of the CLOUD Act. As such, we will be monitoring and reporting (as appropriate) on the following issues:

  • Will U.S. courts allow comity challenges to subpoenas where compliance would conflict with the laws of another country not certified as a QFG?
  • Will we see significant trends in law enforcement requests using the CLOUD Act or increased challenges by CSPs to those requests?
  • Will any other governments be interested in becoming QFGs?
  • Will the French government adopt and pursue any of the legislative proposals set forth in the Gauvain Report?
  • Will a U.S.-UK agreement under the CLOUD Act materialize? And, more broadly, what will Brexit and GDPR mean for U.S.-UK data sharing?

Footnotes

1) The full text of the Act can be found here. A detailed analysis of the CLOUD Act’s history and mechanics can be found here.

2) We are aware of only two judicial opinions citing the CLOUD Act. First, soon after the Act was passed, the Supreme Court dismissed the Microsoft Corp. v. United States case, which tested whether the Government could subpoena CSPs for data stored abroad, finding that the CLOUD Act rendered the case moot. View here. The second, a federal district court case from the District of Columbia, discussed the Act briefly in passing to analyze Congress’s use of the words “warrant” and “subpoena” in a different statute. Memorandum Opinion, In re Application of Leopold, No. 13-mc-00712 (D.D.C. Feb. 26, 2018).

3) U.S. Dep’t of Justice, Promoting Public Safety, Privacy, and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act (2019) [hereinafter “DOJ White Paper”], available here.

4) This was the issue presented in Microsoft v. United States. The DOJ served a criminal warrant on Microsoft for account information and e-mails of one of its customers. Microsoft provided the user’s account information stored on servers in the United States but refused to turn over the e-mails themselves because they were stored on a server in the Republic of Ireland. Microsoft argued that the SCA only applied to data stored within the United States, while the government argued that the SCA applied to all data held by U.S. CSPs regardless of where the data was actually held. The CLOUD Act became law before the U.S. Supreme Court issued a ruling in the Microsoft case. After the Act was passed the case was dismissed as moot. View here.

5) The SCA prohibits CSPs from sharing customer data with third parties, including foreign governments. Before the CLOUD Act, to obtain data under the control of U.S. providers, a foreign government would need to use an MLAT. This remains the status quo for foreign governments that are not QFGs.

6) Current provisions in the DOJ Manual regarding agency guidance documents make clear that they create no legal rights or obligations and have no legally binding effect on the Department. See DOJ Manual § 1-19.000 Limitation of Issuance of Guidance Documents. None of the clarifying language prescribed in Section 1-19.000 is included in the CLOUD Act White Paper.

7) DOJ White Paper at 2. The government made the same argument in the Microsoft case. See Brief for the United States, Microsoft v. United States, No. 17-2.

8) See DOJ White Paper at 5.

9) Id. at 8.

10) Id. at 5.

11) Id. at 15-16.

12) House of Lords Library Briefing: Crime (Overseas Production Orders) Bill [HL], July 5, 2018.

13) House of Commons Briefing Paper: Crime (Overseas Production Orders) Bill [HL], Nov. 30, 2018.

14) The Long Arm of The Law Gets Longer – UK Introduces Overseas Production Orders, Dechert OnPoint, March 7, 2019.

15) See European Commission, Questions and Answers: Mandate for the EU-U.S. cooperation on electronic evidence (Feb 5, 2019), available here.

16) Department for Exiting the European Union: The exchange and protection of personal data – a future partnership paper, Aug. 24, 2017, available here.

17) Raphaël Gauvain, Claire D’Urso, Alain Damais, and Samira Jemal, Restoring France’s and Europe’s sovereignty and protecting our companies from laws and measures with extraterritorial reach, Report at the request of Mr Edouard Philippe (Prime Minister), June 26, 2019, National Assembly, France. The full Report can be found here.

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dechert LLP | Attorney Advertising
