The CLOUD Act: Where International Data Privacy and Law Enforcement Collide

January 27, 2020

By: Kristin Warner

The Clarifying Lawful Overseas Use of Data Act (the CLOUD Act), a United States federal law, will be celebrating its two-year anniversary on March 23, 2020. It was effectively, and primarily, an amendment to the Stored Communications Act (SCA) of 1986. This amendment allows US federal law enforcement to compel US-based technology companies to provide requested data following receipt of a valid subpoena or warrant, regardless of whether the requested data is stored on servers located within the United States or on foreign soil. This Act also allows certain foreign governments to enter into new bilateral agreements with the US that will prequalify them to make foreign law-enforcement requests directly to US service providers rather than via the US government under a mutual legal assistance treaty (MLAT). 

The CLOUD Act was proposed after Microsoft refused to provide emails that a US citizen had stored on one of its remote servers in Ireland, after being issued a warrant under the SCA by the Federal Bureau of Investigation. This refusal led to a legal challenge that made its way to the United States Supreme Court, with Microsoft arguing that the SCA did not cover data outside of the United States and that the FBI could request an MLAT to aid in such data discovery. Microsoft, at the time, was correct in that the SCA was enacted long before cloud-based storage would become a viable technology and MLATs were the norm for cross-border data discovery. While the case was pending at the Supreme Court, the CLOUD Act was passed, which rendered the case moot and vacated a lower appellate court’s (2nd Circuit) decision, which had held in favor of Microsoft.

More recently, the United States and the United Kingdom entered into the world’s first ever CLOUD Act Agreement, entitled the US-UK Bilateral Data Access Agreement. This Agreement will allow law enforcement agencies of both countries to demand electronic data directly from tech companies based in the other respective country. Proper authorization is required but this will, in the words of Attorney General William Barr, “enhance the ability of the United States and the United Kingdom to fight serious crime – including terrorism, transnational organized crime, and child exploitation – by allowing more efficient and effective access to data needed for quick-moving investigations.” It is anticipated that this agreement will dramatically accelerate investigations by allowing quicker access to data than the procedures currently in place, which can take months and sometimes even years for access to be granted.

So, doesn’t the CLOUD Act undermine the GDPR? This question, as of today, remains unanswered, though there are proponents on both sides of the argument. Initially, neither the CLOUD Act nor the GDPR changes the fundamental legal considerations for cross-border data transfers when the recipient is a US law enforcement authority. However, the language of the GDPR itself may pose a problem. Article 48 of the GDPR addresses disclosures required by non-EU jurisdictions. This Article references treaties, such as MLATs, as the optimal vehicle for law enforcement requests for data involving EU data controllers or processors. Some critics of the CLOUD Act cite to this Article as being absolute in that treaties are the only acceptable vehicle, and that complying with requests under the CLOUD Act could place a company in violation of the GDPR. Others contend that Article 48’s affinity for treaties is merely a preference and that its language that the use of treaties is “without prejudice to other grounds for transfer” - combined with Article 49(e)’s definition of “other grounds” as transfers “necessary for important reasons of public interest” as well as transfers “necessary for the establishment, exercise or defence of legal claims” - leaves open the possibility that a warrant issued under the CLOUD Act would not necessarily, and certainly would not automatically or presumptively, be a violation of the GDPR. As these issues have yet to be challenged, only time will tell whether the CLOUD Act and the GDPR can cohabitate harmoniously.

If you have any questions regarding this memo, or any other related matter, please contact Kristin Warner, or any one of our attorneys in the Cybersecurity and Data Privacy Practice Group.