On April 10, 2019, the Department of Justice (“DOJ”) released a white paper titled Promoting Public Safety, Privacy, and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act. This white paper is the first official DOJ statement about the Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) and reflects the DOJ’s current perspective on its scope and implications. Below we summarize the CLOUD Act and discuss the DOJ’s key observations.
The CLOUD Act
The CLOUD Act, which was enacted on March 23, 2018, has two main parts.[1] First, it established that the Stored Communications Act’s (“SCA”) provisions concerning the production of electronic communications extend to those held abroad. Prior to the Act’s passage, the SCA did not explicitly address whether and under what circumstances the government could require the production of electronic communications stored outside the United States. The Act resolved that question, mooting a case that had been pending with the Supreme Court in which the Microsoft company refused to produce content stored in Ireland that was sought pursuant to an SCA warrant. It also simultaneously created a framework for communication service providers (“CSP”) to challenge enforcement of SCA warrants that require disclosure of data regarding non-U.S. persons located outside the United States.
The Act further authorized the United States to enter into executive agreements regarding cross-border data requests with foreign governments that meet certain requirements related to protections for privacy and civil liberties, and adhere to international human rights obligations. Such an executive agreement may allow reciprocal data sharing, provided that the foreign government does not intentionally target U.S. persons or persons located in the United States.
The DOJ’s White Paper
United States’ Extraterritorial, Investigative & Jurisdictional Authority Remains the Same
In this white paper, the DOJ emphasized that the Act’s extraterritoriality provision is not novel. Rather, it “makes explicit in U.S. law the long-established U.S. and international principle that a company subject to a country’s jurisdiction can be required to produce data the company controls, regardless of where it is stored at any point in time.” In published remarks coinciding with the release of the white paper, Deputy Assistant Attorney General Richard Downing noted that many European countries impose the same obligation on domestic CSPs.
Similarly, the paper emphasized that the Act did not grant any new legal authority to acquire data. In particular, the Act did not change the existing standards under which the U.S. government may obtain a warrant for electronic communications. Nor did it extend the reach of personal jurisdiction by the United States over foreign CSPs or impact the analysis of personal jurisdiction under U.S. law.
Bilateral Agreements Governing Cross-Border Data Requests Addresses Potential Conflicts of Law Faced by CSPs Receiving Data Requests from Foreign Authorities
The DOJ also highlighted the United States’ new authority to enter into executive agreements with foreign governments as lifting legal barriers to gathering electronic evidence from global CSPs based in the United States. According to the white paper, many global CSPs previously refused to produce electronic data directly to foreign investigating authorities due to concerns about running afoul of restrictions in U.S. law on disclosure of electronic data and resultant liability. Executive agreements entered under the CLOUD Act, however, would lift restrictions under U.S. law for CSPs disclosing electronic data directly to foreign authorities pursuant to qualifying orders in certain types of criminal investigations.
The paper also stressed the limitations of executive agreements under the Act. For example, the DOJ emphasized that an executive agreement would not impose any new obligation on U.S.-based or foreign CSPs to comply with an order issued by a foreign authority or the U.S. government respectively, or by itself establish that authority’s jurisdiction over the CSP. Nor does the Act impose any requirement on either government to compel companies to comply with orders issued by the other.
Conclusion
The DOJ’s white paper argues that the CLOUD Act clarifies CSPs’ disclosure obligations without expanding the U.S. government’s jurisdiction over foreign companies. It further frames the Act’s executive agreements as a model for international cooperation that will alleviate the risk of legal exposure from conflicting data protection regimes currently faced by global CSPs. Since no executive agreements have been announced to date, however, CSPs faced with requests for disclosure of electronic data may still face circumstances where compliance could violate foreign law, such as the European Union’s General Data Protection Regulation. Thus, for the time being, the ultimate impact of the Act remains unclear.
[1] For further analysis of the CLOUD Act, see CLOUD Act Establishes Framework To Access Overseas Stored Electronic Communications, Cleary Gottlieb Alert Memorandum (Apr. 4, 2018), https://www.clearygottlieb.com/-/media/files/alert-memos-2018/cloud-act-establishes-framework-to-access-overseas-stored-electronic-communications.pdf.