Get updates by email

Select Specific Blog Updates

Paul Zimmerman

Photo of M&R Blog

Ivan Trifonenko © 123RF

Forecast for Overseas Data: Partly Cloudy

The CLOUD Act was passed as part of the omnibus budget bill signed into law on March 23, 2018, in an attempt to resolve an impediment to law enforcement’s ability to enforce warrants against tech companies based in the U.S. but storing data overseas.

This was the problem before the U.S. Supreme Court in the so-called Microsoft Warrant Case (Microsoft Corp. v. U.S.), in which Microsoft challenged a warrant by the federal government to turn over email of a target account that was stored in Ireland. In that case (which is still pending, but may now be moot), Microsoft argued that a warrant issued under Section 2703 of the Stored Communications Act could not compel American companies to produce data stored in servers located abroad. Previous to the Supreme Court’s involvement, the Second Circuit Court of Appeals in 2016 had held that the government’s reach was limited to only data stored in the U.S.

With the CLOUD Act now in effect, the process by which law enforcement worldwide may gather digital evidence and investigate crimes has, in theory, been reformed. At the very least, the law helps to resolve a procedural hurdle that resulted from technology outpacing legislation. Still, critics of the CLOUD ACT are sounding alarm bells.

Under the new law, U.S. companies (read: data and communication concerns) are required to provide stored data for U.S. citizens on any server they own and operate around the globe when requested by warrant. Still, these warrants can be challenged by companies or courts if they believe the requests violate an individual’s privacy rights in the foreign country where the data is stored. That being said, the CLOUD Act also provides an alternative and expedited route for our government to obtain mutual legal assistance treaties (MTLAs, which are, essentially, government intelligence-sharing agreements) through "executive agreement."

More specifically, the executive branch may enter into bilateral agreements with foreign countries to provide requested data related to its citizens in a streamlined manner, as long as the Attorney General, with concurrence of the Secretary of State, agree that the foreign country has sufficient protections in place to restrict access to data related to U.S. citizens. But these MTLAs could prove to be problematic because, to some, they can potentially be agreements among foxes to protect the rights and freedoms of their respective chickens.

Of course, given that the CLOUD Act is just weeks old, it remains to be seen how this all plays out. Yet, looking into a crystal ball, one potential consequence is that tech companies concerned about security and privacy protections could relocate their cloud storage to the most restrictive foreign nations, thereby reducing the potential for MLTAs and improving the odds of obtaining judicial review. As always, stay tuned.

This blog post is not offered as, and should not be relied on as, legal advice. You should consult an attorney for advice in specific situations.