Congress Approves Data Access Outside of the United States (CLOUD Act) – But the EU May Not Like It
The Italian Machiavelli once famously stated: “I am not interested in preserving the status quo, I want to overthrow it.” It is no secret that many U.S. government officials and even many data service providers have long been unhappy with the existing system of international Mutual Legal Assistance Treaties (MLATs), arguing that they are out of date and not up to the task of fighting international crime swiftly and efficiently. So why not throw them overboard and replace them with something new? This is what happened when the U.S. Congress adopted the CLOUD Act (Clarifying Lawful Overseas Use of Data Act).
On March 23, 2018, President Trump signed a very extensive budget bill into law, giving the CLOUD Act (H.R. 4943, S. 2383) a piggyback ride by enacting it into law. Whoever ventures all the way to page 2201 of the new budget act will find the CLOUD Act with its new rules on how foreign government agencies may access data stored in the United States for law enforcement purposes.
More important from the European perspective is a provision in the CLOUD Act that makes it clear that the Stored Communications Act (SCA) from 1986 expressly applies to data stored in other countries. It also determines how service providers can challenge an SCA search warrant that involves data stored outside of the U.S. This is essentially what the U.S. Supreme Court case Microsoft v. United States is all about. European governments (and industry) have argued in front of the justices that it violates their “data sovereignty” if Microsoft can be forced by a U.S. court to produce personal data that is stored on one of its servers in Ireland and make the data available to law enforcement in the U.S. outside of the procedures of the applicable MLAT.
The case has a political dimension that should not be underestimated. If U.S. law enforcement is allowed to demand the data from other parts of the world, can the Kremlin contact Microsoft in Russia and demand access to Microsoft’s cloud data stored in the U.S.? Where does the reach of U.S. law enforcement end in times of cloud computing and data storage around the globe?
Prominently, the CLOUD Act contains an amendment to the SCA creating a new section, 18 USC § 2713, entitled “required retention and disclosure of information and records.” This new section stipulates that it doesn’t matter where the relevant data sets are located: “A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.”
Appeals Procedure Before the U.S. Judge
When such a provider that is subject to the jurisdiction of the United States is served with an SCA search warrant, targeting personal data that is stored abroad, the CLOUD Act newly provides for a review by a U.S. judge to safeguard the rights of the foreign governments where the data are located—assuming that the foreign government is a “qualifying foreign government” as that term is defined in the amended SCA. There will be two steps:
Step 1: The provider may submit a formal complaint (motion to modify or quash) to the competent U.S. court within 14 days after delivery of the warrant or subpoena and the provider will need to establish that:
“(i) that the [provider’s] customer or subscriber is not a U.S. person and does not reside in the United States; and
(ii) that the required disclosure [of the data] would create a material risk that the provider would violate the laws of a qualifying foreign government.”
Step 2: After hearing the government’s arguments in favor of approving the subpoena for the records stored overseas, the court is then to perform a balancing test using a number of criteria (a so-called comity analysis). Of course, the court must also determine that the possible disclosure involves a government duly certified by the U.S. Attorney General as a “qualifying foreign government” under the strict terms of the amended SCA.
In performing the balancing test, the amended SCA requires the Court to consider several statutorily imposed criteria, among which are:
“B) the interests of the qualifying foreign government in preventing any prohibited disclosure” and
“C) the likelihood, extent, and nature of penalties to the provider or any employees of the provider as a result of inconsistent legal requirements imposed on the provider” and
“G) the likelihood of timely and effective access to the information required to be disclosed through means that would cause less serious negative consequences.”
Based on this analysis, the U.S. judge can approve, annul, or modify the warrant as he deems fit. During the review period, the provider must not delete the information. The provider is not obliged to provide the information to U.S. law enforcement during this period, unless the court orders otherwise in urgent cases.
Storm Clouds Coming for the Providers?
(1) The Europeans are very much into data protection these days with their new General Data Protection Regulation (GDPR). They will probably not like the CLOUD Act. Sen. Hatch and Rep. Collins, the sponsors, have likely stoked the flames that are already burning high after Facebook’s data mishandling and the Cambridge Analytica data scandal. It is a safe bet that almost no one read the final version of the CLOUD Act in the final hours of the budget talks. It is likely, but not certain, that the CLOUD Act has settled the legal issues before the U.S. Supreme Court in the Microsoft case. Wherever this case may be going, thanks to the CLOUD Act a U.S. cloud provider can no longer argue that the GDPR prohibits it from producing overseas data, assuming the provider has “possession, custody or control” of the data—which is often the case.
(2) Comity is the diplomatic term for being polite to other nations. The comity analysis in the CLOUD Act is not “polite.” It does not mention the existing assistance treaties (MLATs) that the U.S. has negotiated with other nations. The judge doesn’t even need to ask the parties about them. U.S. law enforcement is not required to initiate a judicial assistance procedure with the foreign state through an MLAT before a warrant can be served. The United States has apparently abandoned the existing (bureaucratic and time-consuming) MLAT process and has created a new, unilaterally imposed alternative process before U.S. domestic courts.
(3) Law enforcement may applaud this, but what comes next? Here is where it really becomes legally and politically delicate. Only a “qualifying foreign government” benefits from the comity analysis. This is a government that has an executive agreement for legal cooperation with the U.S. and has laws “which provide to electronic communication service providers and remote computing service providers substantive and procedural opportunities similar to those provided under paragraphs (2) and (5).” This provision is meant to give the U.S. government political leverage: it should move other countries each to enter into an executive agreement with the United States that the U.S. Attorney General then certifies as compliant. This process should be expected to be very time-consuming and onerous. The EU (and its member states) does not have an executive agreement with the U.S. and does not provide for a judicial review process similar to the CLOUD Act. Only a “qualifying foreign government” can gain access to data that are located in the United States; only such a government can even play a role in the comity analysis. Thus, the EU gains nothing from the CLOUD Act. If there is no such “qualifying foreign government,” the U.S. judge’s role seemingly would be to affirm the search warrant or subpoena sought by U.S. governmental authorities and order compliance with it.
(4) With this approach, the United States is likely on a collision course with Article 48 GDPR, which reads: “Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognized or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State…” This new Article 48, which will enter into full force on May 26, is straightforward: U.S. law enforcement needs to go through an MLAT before it can access EU-based data. A mere “executive agreement” under the amended SCA is not a sufficient legal basis. An executive agreement can be almost anything—a mere exchange of letters, a mutual understanding in a document that can be revoked at any time, etc. Another sticking point: the CLOUD Act uses the term “U.S. persons,” while the GDPR uses the term “data subject”—the latter regardless of nationality or place of residence. In short, the CLOUD Act and the GDPR don’t match. The consequence: providers that comply with a U.S. warrant under the SCA could be subject to a huge fine under the GDPR—even if the U.S. judge ordered compliance under the authority of the amended SCA. During the appeal process described above, the U.S. judge would likely not even hear any arguments based on the GDPR as long as the relevant EU member state where the data are located is not a qualifying foreign government.
Few experts in Brussels anticipated that the CLOUD Act would piggyback on the budget law without further debate and thought. The pending case at the U.S. Supreme Court has been their focus, but this court proceeding may now be moot. Whether the existing MLATs can now be buried in favor of executive agreements, and what the CLOUD Act means for the EU-U.S. Privacy Shield, remain anyone’s guess.