The CLOUD Act – Implications for Data Privacy in the United States and Abroad

Can U.S. federal law enforcement force a U.S. internet service provider to turn over emails that its foreign subsidiary holds on servers located abroad? More precisely, can law enforcement use a “warrant” under the Stored Communications Act to get at the foreign emails, even if foreign privacy law protects those emails? That was the core question at issue in the United States v. Microsoft case recently argued before the U.S. Supreme Court. And it is the question seemingly answered by the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), recently passed as part of the $1.3 trillion spending bill agreed by Congress and the President.
By way of reminder: Under the Stored Communications Act, U.S. law enforcement can seek a person’s emails using a “warrant.” In one fundamental respect, these “warrants” look and feel like traditional warrants: they authorize law enforcement to get evidence. On the other hand, they don’t authorize a search, or at least, not a paradigmatic search. When law enforcement issues an SCA warrant, they don’t descend on a target’s home or business wearing acronym-emblazoned windbreakers and armed with empty cardboard boxes (or actual weapons). They send the warrant to an internet service provider, like Microsoft, which is required to collect the requested emails itself and then turn them over. In that respect, these “warrants” look and feel a lot more like subpoenas.
The difference matters because warrants are traditionally territorial in the sense that they authorize the search for evidence within U.S. borders. Subpoenas, by contrast, compel a recipient to turn over any evidence over which they have control, even if the evidence is abroad. So the question of whether SCA “warrants” are really warrants or instead some sort of subpoenas drove the dispute in United States v. Microsoft: can U.S. law enforcement use an SCA warrant to force a U.S. service provider to turn over evidence that it holds abroad?
The CLOUD Act purports to answer the question. (So much so that the U.S. government has sought to dismiss its appeal in the Microsoft case.) The Act amends the Stored Communications Act to make clear that “warrant” recipients in the U.S. are obligated to turn over evidence wherever located, so long as the recipient has control over the evidence. Or more precisely, so long as the recipient has “possession, custody, or control”—the phrase used in both civil and criminal law to define a party’s obligation to turn over evidence pursuant to a subpoena or similar compulsion.
Does this mean that U.S. companies are necessarily required to violate foreign privacy laws? That was the elephant in the room in the Microsoft case. Microsoft contends, with good reason, that disclosing emails stored in Ireland might put it in violation of European data privacy laws. The question becomes more acute with the entry into force of the EU General Data Protection Regulation (GDPR), which imposes extraordinary fines for various breaches of personal privacy, including the transfer of personal data across Europe’s external borders. Other countries, like Russia, may even cart privacy violators off to jail. In short, does the new Stored Communications Act put U.S. companies and individuals in a dilemma—risk breaking the law at home or risk breaking the law abroad?
Sometimes yes, sometimes no. The recipient of an SCA warrant is now expressly permitted to ask a court to quash or modify the warrant if (a) the target—the person whose emails are sought—is not a U.S. person; (b) compliance would conflict with the law of the country where the data is stored; and (c) the court conducts a “comity” analysis and concludes that, on balance, disclosure isn’t warranted. Note the “and” here—the test requires that all three conditions be satisfied. This procedure purports to be the sole remedy available for a warrant recipient who believes that the warrant may put it into violation of foreign law.
Although this procedure certainly reduces the risk of conflict with foreign law, the procedure doesn’t eliminate the risk entirely. Case No. 1: Sometimes, foreign data privacy laws may cover U.S. persons—the new EU GDPR, for example, arguably covers even U.S. persons under certain circumstances. But where the target of an SCA subpoena is a U.S. person, the motion to quash is per-se unavailable. (Remember the “and.”) Case No. 2: Even where the target is squarely a foreign national, and notwithstanding a conflict with foreign law, a court can still conclude that enforcing the warrant is justified. And this is not merely a hypothetical possibility. In a number of cases, U.S. courts have prioritized and thus upheld disclosure obligations created under U.S. law, over challenges based on the privacy or blocking statutes of other countries.
Some companies may be disappointed and view the CLOUD Act as a cop-out. It doesn’t really solve the problem that they face, since U.S. persons may still be caught in the middle of a fight between U.S. law enforcement and foreign privacy regulators. Those conflicts will remain. But it does, at least, improve the way that these conflicts are resolved. In cases like United States v. Microsoft, these disputes were necessarily framed as abstract, formalistic questions of statutory interpretation. Are SCA “warrants” really “warrants” or are they subpoenas? Do they apply extraterritorially? What does it mean to apply “extraterritorially” in this context? All the while, the elephant in the room loomed over proceedings: would the warrant force the recipient to violate foreign privacy laws, and if so, was that a valid reason to forgo disclosure? Going forward, these questions will be front and center.
*The authors would like to thank Weronika Bukowski and Karolina Ebel for their contribution to this briefing.