Potential Congressional Action on Cross Border Data? A Primer on the CLOUD Act

In recent years, the rise of cloud computing has led to more and more data being stored somewhere other than the jurisdiction in which it was created.  This trend increasingly has led U.S. law enforcement officials to demand access to information held abroad, just as foreign officials increasingly want access to data held inside the United States.  But satisfying these growing desires for cross-border access has proven complicated.  The Mutual Legal Assistance Treaty (MLAT) process has not kept pace with the Internet-fueled increase in data requests, nor has a workable alternative to that process emerged.  And questions remain as to whether relevant U.S. statutes authorize extraterritorial legal process.  Even if law enforcement officials do have tools that allow them to seek data held elsewhere, the holders of such data may face a conflict between their obligations to respond to one country’s lawful process and the obligations to comply with another country’s privacy protections or blocking statutes.

Against this backdrop, bipartisan groups of Senators and Representatives have recently introduced the Clarifying Lawful Overseas Use of Data, or “CLOUD” Act, which seeks to support the needs of law enforcement while advancing international comity on privacy rights.  In so doing, it would attempt to address open questions concerning both U.S. law enforcement access to data held extraterritorially and foreign law enforcement access to data held within the United States.

U.S. Access to Data Held Extraterritorially.  First, the CLOUD Act would resolve an open question about whether the United States could use a probable cause warrant issued under the Stored Communications Act (SCA), a part of the Electronic Communications Privacy Act (ECPA) concerning the disclosure of certain communications and records such as emails and records stored by cloud services, to compel companies to produce emails stored overseas.  In particular, the CLOUD Act would add the following provision to the SCA:

A provider of electronic communication service or remote computing service shall comply with the obligations [of the SCA] to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.

As scholars have pointed out, this provision essentially “codifies the so-called ‘Bank of Nova Scotia standard’ – the standard, developed in United States v. Bank of Nova Scotia and a related line of cases, that allows for subpoenas to compel a bank to bring foreign-held records into the U.S. as long as those records are in the ‘possession, custody, or control’ of the bank.”  Of course, the Bank of Nova Scotia doctrine has heretofore been primarily applied in the context of subpoenas compelling companies to produce their own business records in the U.S. regardless of where in the world they are stored – but not necessarily in cases under the SCA.

In passing legislation to codify the Bank of Nova Scotia standard, the CLOUD Act also attempts to address the international comity issues cross-border data requests can raise.  The bill does this by allowing recipients of legal process under the SCA to file a motion to modify or quash the process within 14 days if they believe: (1) the customer or subscriber whose records are being sought “is not a United States person and does not reside in the United States,” and (2) “that the required disclosure would create a material risk” of violating the laws of a “qualifying foreign government,” defined as a government that either has entered into an executive agreement with the United States on cross-border data issues (see below) or otherwise grants technology companies certain substantive and procedural protections.

If such a motion is filed, the bill provides the Government with an opportunity to respond and states that a court may only modify or quash the legal process if three findings can be made: (1) “the required disclosure would cause the provider to violate the laws of a qualifying foreign government”; (2) “based on the totality of the circumstances, the interests of justice dictate that the legal process should be modified or quashed”; and (3) “the customer or subscriber is not a United States person and does not reside in the United States.”  Providers are required to preserve relevant records during the pendency of a motion to modify or quash.

Foreign Government Access to Data Held in the United States.  Second, in addition to addressing the issue of U.S. law enforcement access to data held abroad, the CLOUD Act also addresses the converse issue in the debate about cross-border government access:  foreign government access to information held in the United States.  Currently, multiple statutory provisions prohibit U.S.-based companies from complying with foreign law enforcement requests for certain data, even when those requests have been issued using the appropriate process in the other country and concern investigations into violations of the foreign government’s domestic law by its own citizens.  The only way for the foreign government to get access to such information today is through the cumbersome and lengthy MLAT process, leading to frustration for both companies (who can find themselves caught in a conflict of laws if they receive foreign process) and foreign governments (who can’t get access to the data they need in a timely fashion).

The CLOUD Act would attempt to address these issues by authorizing the Executive Branch to enter into international agreements that would allow for certain foreign nations to request content directly from U.S. companies or engage in the real-time interception of the communications of U.S. companies’ users (i.e., wiretaps).  A foreign government would be able to take advantage of these sorts of agreements if “the Attorney General, with the concurrence of the Secretary of State,” submits to Congress a written determination that:

  • “the domestic law of the foreign government, including the implementation of that law, affords robust substantive and procedural protections for privacy and civil liberties in light of the data collection and activities of the foreign government that will be subject to the agreement,” if the determination takes into account “credible information and expert input” and also considers a long list of factors, such as the country’s cybercrime laws;
  • “the foreign government has adopted appropriate procedures to minimize the acquisition, retention, and dissemination of information concerning United States persons subject to the agreement”; and
  • the agreement contains a long list of requirements, including that: (1) the foreign government “may not intentionally target a United States person or a person located in the United States, and shall adopt targeting procedures designed to meet this requirement”; (2) the foreign government “may not target a non-United States person located outside the United States if the purpose is to obtain information concerning a United States person or a person located in the United States”; (3) the foreign government “may not issue an order at the request of or to obtain information to provide to the United States Government or a third-party government, nor shall the foreign government be required to share any information produced with the United States Government or a third-party government”; (4) an order issued by the foreign government must, among other things, seek information about a serious crime, including terrorism, must be based on “requirements for a reasonable justification based on articulable and credible facts, particularity, legality and severity regarding the conduct under investigation,” and shall be “subject to review or oversight by a court, judge, magistrate, or other independent authority”; (5) the foreign government must store collected material securely; and (6) the foreign government must, “to the maximum extent possible, meet the definition of minimization procedures” in the Foreign Intelligence Surveillance Act.

As commentators have noted, if the CLOUD Act is enacted into law, this provision would likely allow the United States and United Kingdom to finalize and implement an agreement negotiated two years ago.  It will also likely lead other countries to seek similar agreements with the United States, with the bill’s requirements potentially both causing diplomatic tensions (with countries who think they qualify, but don’t) and incentivizing aspiring partners to put in place additional privacy protections (so that the Attorney General and Secretary of State can determine that they do qualify).

* * * * *

The CLOUD Act has generated a great deal of commentary in the short time since its introduction.  Of particular note, the Trump Administration has gotten behind the bill, with the U.S. Homeland Security Advisor writing a joint op-ed with the United Kingdom’s Deputy National Security Adviser to express the view that the bill is a “priority” for both governments.  A number of large technology companies, including Microsoft, Apple, Google, and Facebook, also support the bill, and many surveillance law experts also think its enactment would be a welcome move.  Certain civil liberties groups have expressed opposition, however, on the grounds that the Act’s privacy and civil liberties protections are insufficient and would allow foreign countries to access information without the judicial and probable cause protections currently available under U.S. law.  The bill’s advocates respond that the alternative to the CLOUD Act (or a legislative enactment like it) is not foreign governments complying with existing U.S. privacy laws, but rather those governments requiring data currently stored in the United States to be stored locally.

Regardless of how the congressional debate shakes out in the context of the CLOUD Act, the immediate response to the introduction of the Act underscores the importance of the issues it addresses.  The challenges presented by the “globalization of criminal evidence” are real and not going away, and it seems only a matter of time before the Congress addresses them.