In the flurry of deal-making that resulted in a 2,232-page funding bill released Wednesday, lawmakers negotiated the inclusion of “The Clarifying Lawful Overseas Use of Data Act” (often referred to as the “CLOUD Act”) (see page 2,201 of the bill text). The CLOUD Act provides a procedural structure for law enforcement to pursue the preservation or production of data and other information residing on servers located overseas that is within the possession, custody or control of the provider.
In this age of cloud computing, data can rest overseas or in multiple locations. As we’ve previously discussed, it is increasingly common to see extraterritorial legal disputes arise when parties attempt to apply laws passed before the digital age to our current landscape.
In some cases, a provider that is storing the data of a foreign subject on servers overseas may be under conflicting legal obligations (e.g., the U.S. Government or a foreign law enforcement agency may request disclosure of electronic communications or emails stored in the cloud, but disclosure of such electronic data without certain due process may be prohibited by foreign law). While international agreements, such as mutual legal assistance treaties (MLATs) may provide a mechanism for the U.S. to obtain information overseas with certain nations, law enforcement agencies have bemoaned that such procedures can be burdensome in a time-sensitive investigation. In balancing the interests of law enforcement with those of the providers, the CLOUD Act offers a mechanism for providers to bring a motion to quash requests for disclosure of a foreign individual’s communications, requiring a court to conduct a comity analysis to determine if based on the totality of the circumstances, the request would place the technology provider in violation of foreign law and the interests of justice dictates that the legal request for data should be modified or quashed. The language of the bill also provides a framework for negotiating reciprocal treaties to request foreign-stored digital data.
If the CLOUD Act is passed, as appears to be imminent, one immediate question will be the impact (if any) on a case currently before the Supreme Court that concerns whether a U.S. provider of email services must comply with a probable cause-based warrant issued under the Stored Communications Act by disclosing electronic communications within its control, even if the data at issue was stored abroad. During oral argument, at least one justice noted that perhaps the most ideal solution to this thorny issue is a bipartisan legislative solution.
While the CLOUD Act has its supporters and detractors, it appears Congress attempted to create a solution that tries to balance the needs of law enforcement and the legal interests of technology providers (and the privacy interests of their users). Moreover, as U.S. cloud computing providers operate around the world, the bill also assuages their concerns that a lack of legal protections over disclosure of user data to law enforcement might alienate foreign customers.