In April 2019, the US Department of Justice ("DoJ") published a white paper entitled "Promoting Public Safety, Privacy, and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act" (the "White Paper"). The White Paper is the DoJ's first official statement about the Clarifying Lawful Overseas Use of Data Act ("CLOUD Act" or the "Act"). The CLOUD Act, enacted in March 2018, seeks to address the conflict-of-laws problems that arise when one country orders the disclosure of electronic data held by a global service provider, but where another country's laws may restrict disclosure. In the year since its enactment, the CLOUD Act has inspired debate about balancing law enforcement's need for potential evidence with privacy interests and foreign sovereignty—and confusion about whether and how the Act changed US law in the first place.
We have previously addressed the CLOUD Act (see here). Briefly, the Act has two main provisions. First, the CLOUD Act amends the Stored Communications Act ("SCA") to clarify that US law enforcement agencies are authorised to issue subpoenas to or request search warrants from US-based global service providers for data stored outside the United States. In other words, if the service provider is subject to US jurisdiction, it cannot avoid a request for data that it controls based on the data's location outside of the US.
Second, the Act allows the US government to enter into executive agreements with certain non-US governments to remove conflict-of-laws concerns and to expedite law enforcement requests for cross-border data in investigations of serious crimes. Prior to the CLOUD Act, law enforcement agencies used a system of Mutual Legal Assistance Treaties ("MLATs") to seek assistance of foreign counterparts to obtain data controlled overseas. However, the MLAT system involves many steps and, depending on the country and the complexity of the data request, the process could take months to complete. The CLOUD Act's executive agreements enable countries to eliminate conflict-of-laws issues for qualifying orders for electronic data and provide an alternate mechanism to the MLAT system. Each foreign partner country must meet requirements related to protections for privacy, civil liberties, and human rights before it is eligible to enter into an executive agreement.
The DoJ's White Paper is intended to clarify common misconceptions and answer common inquiries regarding the CLOUD Act—in particular, CLOUD Act executive agreements. Topics addressed include:
- US Jurisdiction Over Foreign Companies: The White Paper emphasizes that nothing in the CLOUD Act extends US jurisdiction to any new foreign companies; the Act does not change the requirement that a US court must have personal jurisdiction over a company in order to require the disclosure of data or information that the company controls.
- Impact of CLOUD Act Executive Agreements on US Companies: The White Paper states that CLOUD Act executive agreements are meant only to allow US-based global service providers to respond directly to foreign legal process and do not impose any new obligation on US companies to comply with a foreign government order.
- The MLAT System: The White Paper explains that the MLAT system remains available and argues that CLOUD Act executive agreements will reduce the burden on the MLAT system and thereby provide a new, more expeditious mechanism for obtaining data, while allowing the United States to respond to other types of MLAT requests more expeditiously.
- Encryption Challenge: The White Paper acknowledges that the CLOUD Act does not solve the special challenge to law enforcement posed by encryption. It clarifies that CLOUD Act executive agreements are required to be "encryption neutral" and therefore neither require decryption nor foreclose governments from ordering decryption to the extent authorised by their laws.
- Scope of CLOUD Act Executive Agreements: The White Paper explains that the CLOUD Act executive agreements are only used to obtain information relating to the prevention, detection, investigation, or prosecution of serious crime, and cannot be used in civil, administrative, or commercial inquiries.
Per DoJ, the CLOUD Act was intended to implement a "new paradigm" of obtaining and protecting cross-border data that is efficient, that protects privacy and civil liberties, and that responds to the revolution in electronic communications and innovations in how global service providers configure their data systems. The White Paper argues that the CLOUD Act does not expand the US government's jurisdiction over foreign companies and respects important safeguards to privacy codified in US law. The White Paper is especially helpful in explaining the purpose and scope of CLOUD Act executive agreements; however, the actual operation of CLOUD Act executive agreements—and the ultimate impact of the Act itself—remain unclear.