CLOUD Act – clever acronym or real certainty for Cloud Service providers?
The US government has just passed a new Act, the CLOUD Act (Clarifying Lawful Overseas Use of Data Act) intended to allow mutual access to data held on overseas servers by national law enforcement authorities. Is this a step forward for Cloud providers to provide certainty to their customers over who can access their data where, or another battleground for privacy campaigners?
Why is the Act needed?
Many readers will be familiar with the long-running United States v Microsoft Corp case currently before the US Supreme Court. A decision is likely to be due in early summer. Essentially, Microsoft challenged the right of US authorities to access data on US citizens held on Irish servers used for Microsoft Cloud services. The case has been an extremely important attempt to clarify “long arm” legislation: the rights of access of US law enforcement authorities to data held on servers outside the USA. Access to data by law enforcement authorities has been a long-running battle with privacy campaigners, and, in the case of Brexit, is one of the features that could affect a decision by the European Union to allow US data protection laws to be treated as equivalent for the purposes of GDPR. The current rights of access for law enforcement authorities to personal data under the UK’s Investigatory Powers Act are one possible stumbling block to this finding of adequacy.
There is a complex legal picture surrounding data protection at present. The right to privacy, protected by data protection law, is a fundamental human right and is therefore protected in international treaty law. Privacy campaigners have fought significant battles recently over the rights of access for law enforcement authorities to personal data, and this has led to some major challenges, firstly in the Schrems Judgment (which brought down the Safe Harbor data transfer solution), forcing the US to adopt the Privacy Shield in its place. There continue to be cases in relation to the legitimacy of model clauses, the EU’s international data transfer solution.
One other ground of challenge has been the Microsoft case. In this case, longstanding US legislation relating to communications providers, the Stored Communications Act, was used as the pretext for US law enforcement to seek access to data held extraterritorially on Microsoft-controlled servers in Ireland. The case has come to the US Supreme Court. The arguments in the case have been extremely technical, largely based around due process in relation to the form of the law enforcement request, and whether legislation which predated the internet by several years could extend to the digital age. The case has raised important questions about access to data, and the options for resolving them are either to let the courts run their course, or for the legislators to intervene.
What is the CLOUD Act?
The CLOUD Act is a direct response by the US Senate, based on a bipartisan bill, seeking to settle these rights by statute instead of judicial precedent. The case and the Act have raised important questions as to whether it is more appropriate for international rights of access to be granted by lawmakers, under acts of parliament or government, or whether international treaties are instead a preferable way of proceeding. In the meantime, Cloud providers have little certainty over the rights that enforcement authorities may assert, and may find themselves caught between conflicting laws.
On this basis, while no solution may be perfect, perhaps the approach taken by US legislators, if fully backed by reciprocal EU and UK action, could result in a workable solution that could be adopted by other territories.
What does the Act do?
In simple terms, the Act legislates for the scenario in which US law enforcement authorities may seek access to data from communication service providers for the purposes of combating serious crime. The recitals to the Act draw attention to the possible conflict of law situations in which both US law enforcement and overseas law enforcement may find themselves, recording that international agreements provide mechanisms for resolving these obligations where the US and relevant foreign governments “share a common commitment to the rule of law on the protection of privacy and civil liberties”. The Act itself amends the Stored Communications Act to provide for reciprocity between nation states. In effect, the Act authorises the US government to enter into agreements, made by the executive branch of the government rather than by international treaty, which would enable “qualifying foreign governments” (being governments with which the US has an executive agreement and laws similar to the CLOUD Act) to make equivalent requests of US-based providers of electronic communications services. In this case, the provider would have to reasonably believe:
- that the customer or subscriber is not a United States person and does not reside in the United States, and
- that the required disclosure would create a material risk that the provider would violate the laws of a qualifying foreign government.
There are tight procedural rules for making such a claim, alongside protections. In essence, the Act specifically extends the authority of the Stored Communications Act irrespective of the location of the data to which the law enforcement authority seeks access, subject to appropriate qualifications:
- Qualified foreign governments may quash the warrant if the foreigner resides outside the United States and the requirement to produce the data generates a conflict of laws.
- Legislation creates reciprocity by enabling foreign governments to seek data on their own citizens and residents.
If the person investigated, and in respect of whom the data is requested, is a US citizen, the foreign government must make a request for the data via diplomatic channels and obtain an appropriate US warrant.
The legislation provides for significant protections in this case, including anti-avoidance provisions under which foreign governments may not target non-United States persons if the purpose is indirectly to obtain information about United States citizens. There are significant controls in relation to the purpose of the collection (prevention, detection, investigation or prosecution of serious crime, including terrorism), specific identification of persons, accounts, addresses or devices, a requirement for consistency with local law, reasonable justification, and appropriate court oversight in order to protect privacy rights.
Cloud providers need to review the law in order to ensure that their own procedures will comply not only with GDPR but also with this important emerging area of regulation.
Privacy activists see the Act as a significant erosion of freedom and as “privacy upending”, according to Bitcoin proponent Andreas Antonopoulos.
The debate continues.
This article was written by Mark Bailey. For more information, please contact Mark on or at mark.bailey@crsblaw.com.