Congress’ 2,000-page Omnibus Spending Bill slipped in a trap for the unwary: a radical expansion of the reach of the Stored Communications Act, 18 USC §§ 2701-2712. The “Clarifying Overseas Use of Data Act,” aptly shorthanded as the CLOUD Act, successfully mooted the issue presented in the United States v. Microsoft Corp. case recently dismissed by the United States Supreme Court by instituting a new framework for cross-border discovery in criminal actions. Under the previous version of the Stored Communications Act (SCA), it was necessary to have a Mutual Legal Assistance Treaty (MLAT), essentially a treaty negotiated by a foreign nation and ratified by the Senate. The CLOUD Act, passed on March 23, 2018, allows authorities to bypass MLATs and gives law enforcement the ability to directly compel production of materials by a party storing its data abroad, as well as allowing foreign governments to access data stored in the U.S.
There are four key changes. First, newly enacted 27 U.S.C. § 2713 eliminates any question as to whether the common law standard of possession, custody, or control applies:
A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.
This change mooted Microsoft. Indeed, in a per curiam opinion on April 17, 2018, the Supreme Court vacated and remanded the Second Circuit’s judgment in favor of Microsoft with directions to dismiss as moot.
Second, under new 27 U.S.C. § 2703(h)(2) the ability to reach data stored abroad can now be challenged by a motion to quash based on comity, or reciprocal recognition of the foreign country’s law. A motion to quash must be made within fourteen (14) days of the subpoena. Such a motion is possible only where a (i) customer or subscriber does not reside in the U.S. and (ii) there is a material risk that disclosure will cause a violation of the foreign jurisdiction’s [data privacy] laws. The grant or denial of the motion is discretionary (meaning it is difficult to appeal), and it requires specific fact findings. Among the mandatory fact findings are comity findings that require the U.S. court reviewing the request to interpret the foreign law whose violation is allegedly threatened.
Third, the CLOUD Act immunizes service providers from any and all legal actions arising from activities undertaken in accord with the amended SCA.
Finally, the CLOUD Act makes changes to 18 USC §§ 2511(2), 2520(d), 2523, 2702, and 2707(e) that define the ability of foreign governments to seek data that is stored in the U.S., allowing such access through “Executive Agreements” with foreign governments and drafted by Attorney General and Secretary of State. Executive Agreements require that a foreign government’s justice system be essentially similar in its protections to that of the U.S., but they do not require Senate approval. The implications of the CLOUD Act are vast, particularly for multinationals operating within the United States.
- Where U.S. courts are called upon to interpret foreign law, such as the European Union’s General Data Protection Regulation (GPDR) and country-specific data residency laws, there is a significant potential for conflict and liability on the part of data owners. For example, GPDR contains an exception for legal proceedings; however, it refers to legal proceedings in the European Union. There have already been instances in federal courts where judges have determined that U.S. legal proceedings create an exception. This puts data owners in a bind: disobeying the criminal law in the U.S. or risking significant fines in a foreign jurisdiction (the EU, for example, provides fines of 20 million euro or 4 percent of global revenue).
- Foreign governments now have increased access to U.S.-based data without the oversight required by MLATs.
- Customers may now lack a remedy against service providers who fail to obey their own terms of service when providing information to the government.
If you have data stored worldwide, or store data in the U.S. and are subject to the reach of foreign governments, the CLOUD Act—along with recent changes in data privacy law in the EU, Canada, Australia, and some states—presents a strong incentive to examine your data generation, transfer, storage, and retention practices. For more information on the CLOUD Act and how to protect your enterprise from its potential effects, please contact Dante Stella at email@example.com, Cinthia Motley at firstname.lastname@example.org, or your Dykema relationship attorney.
To sign up for Dykema’s Privacy and Data Security Blog e-mail updates, please click here.