CLOUD Act

The Clarifying Lawful Overseas Use of Data Act or CLOUD Act () is a United States federal law enacted in 2018 by the passing of the Consolidated Appropriations Act, 2018, PL 115-141, Division V.

The CLOUD Act primarily amends the Stored Communications Act (SCA) of 1986 to allow federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil.

Background

The CLOUD Act was introduced following difficulties that the Federal Bureau of Investigation (FBI) had with obtaining remote data through service providers through SCA warrants, as the SCA was written before cloud computing was a viable technology. The situation was highlighted from a 2013 drug trafficking investigation, during which the FBI issued an SCA warrant for emails that a U.S. citizen had stored on one of Microsoft's remote servers in Ireland, which Microsoft refused to provide.

This legal challenge led to the Supreme Court in '' Microsoft Corp. v. United States''. The FBI contended that Microsoft had full control of the data and should be compelled to turn it over in response to the warrant, but Microsoft argued that the SCA did not cover data stored outside the United States. The challenge recognized that while the FBI could request a mutual legal assistance treaty (MLAT) to aid in data discovery during cross-border law enforcement, the process to acquire a new MLAT if one is not in place, or to process a request through an existing MLAT, can be slow and impede law enforcement efforts.

Congress, primarily led by Senator Orrin Hatch, had attempted to create legislation prior to the CLOUD Act to amend the SCA with the concerns of Microsoft and other technology companies with respect to foreign privacy rights. The Law Enforcement Access to Data Stored Abroad Act (LEADS Act) in 2015 and the International Communications Privacy Act (ICPA) in 2017 were both previous bills intended to amend the SCA but which failed to gain passage.

Provisions

The CLOUD Act asserts that U.S. data and communication companies must provide stored data for a customer or subscriber on any server they own and operate when requested by warrant, but provides mechanisms for the companies or the courts to reject or challenge these if they believe the request violates the privacy rights of the foreign country the data is stored in.

It also provides an alternative and expedited route to MLATs through "executive agreements"; the executive branch is given the ability to enter into bi-lateral agreements with foreign countries to provide requested data related to its citizens in a streamlined manner, as long as the Attorney General, with concurrence of the Secretary of State, agree that the foreign country has sufficient protections in place to restrict access to data related to United States citizens. The first such agreement was with the United Kingdom. There is a FAQ appended to the white paper published by the U.S. Department of Justice.

Support and opposition

The CLOUD Act received support from Department of Justice and of major technology companies like Microsoft, AWS, Apple, and Google. The bill was criticized by several civil rights groups, including the Electronic Frontier Foundation, the American Civil Liberties Union, Amnesty International, and Human Rights Watch. These groups argued that the bill stripped away Fourth Amendment rights against unreasonable searches and seizures, since the government could enter into data rights sharing agreements with foreign countries and bypass U.S. courts, and affected users would not have to be notified when such warrants were issued. Some of these groups feared the government would not fully review requests from foreign countries for their citizens' stored on servers in the U.S., potentially allowing such data to be used in bad faith in those countries.

Passage and aftermath

After being introduced in the 115th United States Congress as H.R.4943, the act was included as a section of the Consolidated Appropriations Act, 2018 (), an omnibus spending bill, which passed both houses of Congress and was signed into law, P.L. 115-141, on March 23, 2018.

On April 17, 2018, the Supreme Court, based on concurring briefs submitted by the Department of Justice, vacated the '' United States v. Microsoft Corp.'' and remanded it back to lower court to do the same, as the Department of Justice was able to secure a new warrant under the CLOUD Act and was no longer pursuing the initial warrant, rendering the case moot.

International reactions

The European Data Protection Supervisor (EDPS) viewed the CLOUD Act as a law in possible conflict with the GDPR. The German Commissioner for Data Protection has warned against the use of US based Amazon Web Services for storing sensitive data for the Federal Police.

The law has been viewed as a parallel to China's National Intelligence Law.

References

Further reading

*{{cite journal, first1=Justin, last1=Hemmings, first2=Sreenidhi, last2=Srinivasan, first3=Peter, last3=Swire, title=Defining the Scope of 'Possession, Custody, or Control' for Privacy Issues and the Cloud Act, url=https://papers.ssrn.com/abstract=3469808, date=2019-10-07, ssrn=3469808

External links

18 U.S. Code § 2713
( Stored Communications Act)

Acts of the 115th United States Congress
United States federal computing legislation
Privacy of telecommunications
Privacy law in the United States