On April 17, 2018, at the request of both sides of United States v. Microsoft Corp., the U.S. Supreme Court remanded and dismissed one of the most closely watched privacy cases of the last several years just a few weeks after oral argument. What engendered this highly unusual action? Last month, President Trump signed into law the Consolidated Appropriations Act, 2018, which contained a little-debated section entitled the Clarifying Lawful Overseas Use of Data (CLOUD) Act. The CLOUD Act significantly revamps the rules underlying law enforcement requests for access to communications information and moots the issues under discussion in Microsoft. The resulting changes to U.S. surveillance law may have far-reaching implications for domestic telecommunications companies and online service providers.
The CLOUD Act amends the Electronic Communications Privacy Act (ECPA). ECPA establishes various limits on government access to information about customers held by internet service providers (ISPs), email services, cloud storage services, and similar service providers. ECPA also provides for civil and criminal penalties for service providers that disclose customer information, unless that information is disclosed for one of a few reasons enumerated in the statute—for example, compliance with legitimate law enforcement requests.
The CLOUD Act makes two significant changes to ECPA. First, the act requires service providers to respond to law enforcement requests to preserve or produce customer information that meet ECPA's requirements, even if a provider stores that information overseas. Second, the act allows foreign governments that qualify under new rules to directly submit requests for information held by U.S.-based service providers. The scope of both parts of the law will depend heavily on foreign countries' willingness to enter into new "executive agreements" with the U.S. regarding access to such data.
U.S. Government Requests for Information Stored Overseas
In Microsoft, the U.S. government requested information on customers that was stored in Microsoft data centers in Ireland. Microsoft resisted the request, arguing that ECPA did not apply to data stored extraterritorially. The Irish government added that the U.S. demand for information stored in Ireland violated EU and Irish privacy laws. The CLOUD Act addresses Microsoft's objection directly, making clear that ECPA applies to information stored overseas. However, given that foreign laws may prohibit disclosure of such information, service providers will face difficult questions when served with process requiring the disclosure of information stored abroad.
The CLOUD Act offers some relief in this situation by permitting a provider to file a motion to quash or modify an order seeking information stored overseas within 14 days of receipt if the provider reasonably believes that: (a) the subject of the order is not a U.S. person or resident; and (b) the order may violate the law of a "qualifying foreign jurisdiction"—i.e., one that has entered into an executive agreement with the U.S. and that also offers certain additional safeguards specified in the act. A court may grant the motion if: (a) the disclosure would violate the law in a qualifying foreign jurisdiction; (b) based on the totality of circumstances, justice requires that the disclosure should be quashed or modified; and (c) the subscribers at issue are not U.S. persons or U.S. residents. The act establishes several criteria for the court to use in evaluating the "totality of circumstances" component of the test, including considerations of international comity.
Foreign governments and individual foreign users may begin to press service providers to actively use these motion-to-quash tools. Service providers that expect to need to make such motions should ensure that they are retaining end-user account data that can support a reasonable assumption about the location and nationality of that end-user. Service providers will also need to familiarize themselves with the laws applicable to any foreign data storage facility—not just for purposes of a future motion to quash, but also to ensure they understand the consequences of disclosing information stored in that facility in response to U.S. government requests.
Service providers receiving a significant volume of CLOUD Act requests may also face searching questions from international privacy regulators, who have in some cases indicated an interest in making an example of those providers who in complying with U.S. law end up breaching foreign laws.
Foreign Government Requests for Information Stored by U.S. Providers
The second key change in the CLOUD Act permits foreign governments that have entered into executive agreements to make lawful access requests for information stored in the U.S. Ratification of one of these new executive agreements requires countries to confirm to the satisfaction of the U.S. government that when issuing surveillance orders, they will maintain certain protections enumerated in the act intended to protect surveillance targets' privacy and civil liberties.
This is a shift away from past practice. Historically, foreign requests for access to information outside a country's borders have been governed by international agreements called mutual legal assistance treaties (MLATs). MLATs address issues of law enforcement cooperation on cross-border investigations, and in that context often permit one country to leverage another country's court system to assist in accessing information. Proponents of the CLOUD Act argued that this use of diplomatic channels has proven to be cumbersome for international surveillance purposes. While the CLOUD Act still permits requests for information to be made pursuant to MLATs, for those nations that can satisfy the executive agreement requirements, the new process is likely to be substantially more attractive.
Providers that receive lawful access requests from a foreign government for U.S. stored data must now verify the status of any executive agreement between the two countries. Providers receiving requests from foreign governments with executive agreements will no longer have grounds under U.S. law for rejecting such requests. Requests made under the new executive agreement regime may start to appear shortly, as the first such executive agreement appears likely to be certified in the near term: the U.S. and United Kingdom had entered into negotiations on a similar executive agreement even before the CLOUD Act was proposed. At the same time, other nations may not be satisfied with the act's U.S.-moderated regime for international surveillance requests: reports indicate that the EU is hard at work on a CLOUD Act equivalent of its own that would provide EU law enforcement with access to U.S.-stored data regardless of potential conflicts with ECPA.
For more information about the CLOUD Act, please contact Joshua Gruenspecht, or any member of the national security or privacy and cybersecurity practices at Wilson Sonsini.
