Last month, Congress passed the CLOUD (“Clarifying Lawful Overseas Use of Data”) Act, legislation designed to address the complex conflict of laws and data localization issues raised by disclosure of data stored in the cloud to U.S. and foreign law enforcement authorities. These issues were first made apparent by the United States v. Microsoft case currently pending before the Supreme Court, but they have long been simmering in the context of international criminal investigations.
As users’ information has moved to the cloud over the last decade, the laws governing its access by U.S. and foreign law enforcement largely remained static. U.S. and foreign law enforcement agencies regularly seek data held by U.S.-based Internet and tech companies for use in investigations and run into a variety of technical and legal obstacles.
At times, U.S. law enforcement has been stymied by likely jurisdictional limitations on the extraterritorial reach of U.S. laws and warrants, as in the Microsoft case. U.S. and foreign law enforcement have long had to use the cumbersome Mutual Legal Assistance Treaty (MLAT) process rather than submit requests directly to some companies because of bars on content disclosure found in U.S. and foreign law.
Both the potential assertion of extraterritorial reach by U.S. law enforcement and foreign law enforcement frustration with the MLAT system have incentivized other countries to consider various types of problematic forced data localization, either to avoid U.S. law enforcement access to data or to facilitate access by their own law enforcement authorities.
The CLOUD Act is the outcome of an iterative legislative process to address both sides of this conflict. First, the Act attempts to set out rules through which U.S. law enforcement can access user information pursuant to lawful process. The second part of the Act incorporates the ideas of a draft legislative framework for bilateral agreements to enable foreign law enforcement requests proposed by DOJ in 2016. Both of these components require some modifications to the Stored Communications Act to permit disclosures of stored cloud data by U.S. providers to U.S. and foreign law enforcement pursuant to appropriate process.