On March 23, 2018, Congress passed legislation tacked on to a $1.3 trillion dollar budget that never worked its way through the normal committee process. No open hearing(s), no markup or other congressional process designed to properly vet the bill prior to passage. Nothing. Nada. Zilch. Instead, this piece of legislation found itself surreptitiously pinned by congressional leaders onto the back end of a ridiculously large federal spending bill. Called the Clarifying Lawful Overseas Use of Data Act, or “Cloud Act,” this new law purports to solve a data access problem for U.S. law enforcement In reality, however, the Cloud Act is more cloudy than clarifying, potentially causing unintended collateral consequences and muddying an already murky process.
The impetus for this legislation stems from a dispute between Microsoft and the United States regarding a search warrant for emails and other pertinent information as part of a criminal investigation into drug trafficking in 2013, the emails of which were actually housed in Ireland. Microsoft agreed to turn over some of the information sought, but ultimately refused to hand over emails stored overseas on the server located in Ireland. Although a lower New York court approved the warrant to seize the data, the Second Circuit Court of Appeals overturned that decision, holding that domestic search warrants obtained under the 1986 Stored Communications Act (SCA) could not reach the emails held in Ireland. This issue was taken up by the Supreme Court, which heard oral arguments on the case in February 2018; however, it has yet to rule on the matter.
In writing about this issue previously, I was sympathetic to the DOJ’s position, but not enough to advocate curtailing individual Fourth Amendment protections as a result. A specific mechanism has been in place by treaty (known as the Mutual Legal Assistance Treaty, or MLAT) between the United States and Ireland (as well as other countries) to facilitate cooperation in criminal matters; however, the DOJ chose to avoid this process with Microsoft (arguably to avoid involving Irish authorities or endure additional delay). There is no question that the MLAT process can take longer; Microsoft maintained control over the servers and any warrant compliance was only a matter of copying the data from the server in Ireland. That said, how remote retrieval of such data housed outside the United States can be deemed a “reasonable search” continues to escape me.
Transform Legal Reasoning Into Business-Ready Results With General AI
Protégé™ General AI is fundamentally changing how legal professionals use AI in their everyday practice.
Enter the Cloud Act, courtesy of Set Orrin Hatch of Utah — an attempt to balance the government’s need to access data housed abroad by electronic communications service providers with the individual Fourth Amendment right against unreasonable search and seizure. It does so, however, by amending the SCA record preservation requirement to apply to data housed abroad, and providing a mechanism for such providers to move to quash warrants seeking such information (among other provisions). Under the law, U.S. investigators are also permitted to disclose such information to a foreign government that is under an executive agreement with the U.S., provided that such foreign government meets certain purportedly stringent requirements, such as “robust substantive and procedural protections for privacy and civil liberties in light of the data collection and activities of the foreign government that will be subject to the agreement.” How all of this will actually work in practice remains to be seen.
Unfortunately, the Cloud Act seems to place a great deal of onus on technology companies to determine whether they wish to move to quash or modify the warrant. Specifically, electronic communications service providers may “file a motion to modify or quash the legal process where the provider reasonably believes (i) that the customer or subscriber is not a United States person and does not reside in the United States; and (ii) that the required disclosure would create a material risk that the provider would violate the laws of a qualifying foreign government (emphasis added).” Notice how this allows U.S. investigators to obtain data stored abroad, and limits the scope of quashing or modifying such warrants only when there is a question of citizenship and material risk to violating foreign law. Worse, there is equal access being provided to foreign governments to obtain such data of U.S. citizens stored abroad without regard to their Fourth Amendment rights. For example, it is completely foreseeable that a foreign government could collect data of a U.S. citizen stored abroad without telling the U.S. citizen it is doing so. Foreign governments would also be able to intercept electronic communications in real-time without complying with the Wiretap Act (like, for example, a little requirement like probable cause). The list goes on, and it isn’t reassuring.
I am not the only one raising questions about the Cloud Act — the Electronic Frontier Foundation, ACLU, and The Center for Democracy and Technology are just a few of the organizations that have voiced concern over the Cloud Act provisions. Oddly, companies like Google, Apple — even Microsoft — consider the legislation “progress” under the guise of incentivizing bilateral agreements between the U.S. and foreign governments to protect customers. The problem is that such agreements are within the purview of the executive branch and with little (or no) congressional oversight, let alone judicial review. Combined with the back-door dealing that attached this legislation to the federal omnibus budget bill, questions are rightly being raised.
Sadly, the Cloud Act may have mooted any decision by the Supreme Court on the matter. While I applaud efforts to address the problems created by foreign-stored data, tacking unvetted legislation to a federal omnibus budget bill is not the right way to do it, and is worthy of added skepticism and intense scrutiny. Rather than clear-up the problem, the Cloud Act has definitely created some unpredictable weather, and regarding foreign-stored data of U.S. citizens, something tells me there will be more stormy weather on the horizon as a result.
How Legisway Helps In-House Teams Manage All Legal Matters In One Trusted Place
Operate with AI driven insights, legal intake, unified content and modular scalability to transform efficiency and clarity.
Tom Kulik is an Intellectual Property & Information Technology Partner at the Dallas-based law firm of Scheef & Stone, LLP. In private practice for over 20 years, Tom is a sought-after technology lawyer who uses his industry experience as a former computer systems engineer to creatively counsel and help his clients navigate the complexities of law and technology in their business. News outlets reach out to Tom for his insight, and he has been quoted by national media organizations. Get in touch with Tom on Twitter (@LegalIntangibls) or Facebook (www.facebook.com/technologylawyer), or contact him directly at [email protected].