Hostname: page-component-cd9895bd7-fscjk Total loading time: 0 Render date: 2024-12-19T10:53:39.302Z Has data issue: false hasContentIssue false

Congress Enacts the Clarifying Lawful Overseas Use of Data (CLOUD) Act, Reshaping U.S. Law Governing Cross-Border Access to Data

Published online by Cambridge University Press:  29 August 2018

Extract

On March 22, 2018, Congress passed a $1.3 trillion omnibus spending bill that President Trump signed into law the following day, thus narrowly avoiding a government shutdown. Included within the voluminous bill is the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which enhances both the United States’ and foreign nations’ access to cross-border electronic data for law enforcement purposes.

Type
General International and U.S. Foreign Relations Law
Copyright
Copyright © 2018 by The American Society of International Law 

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

References

1 Consolidated Appropriations Act of 2018, Pub. L. No. 115-141, 132 Stat. 348 (2018) [hereinafter 2018 Appropriations Act]; see also Julie Hirschfield Davis & Michael D. Shear, Trump Signs Spending Bill, Reversing Veto Threat and Avoiding Government Shutdown, N.Y. Times (Mar. 23, 2018), at https://www.nytimes.com/2018/03/23/us/politics/trump-veto-spending-bill.html.

2 2018 Appropriations Act, supra note 1, div. 5; see also Robyn Greene, Somewhat Improved, the CLOUD Act Still Poses a Threat to Privacy and Human Rights, Just Security (Mar. 23, 2018), at https://www.justsecurity.org/54242/improved-cloud-act-poses-threat-privacy-human-rights (observing that, as a “quintessential must-pass bill,” the “2,232 page omnibus bill to fund the government” was used “as a vehicle to quietly pass through the controversial CLOUD Act”).

3 Data Stored Abroad: Ensuring Lawful Access and Privacy Protection in the Digital Era: Hearing Before the H. Comm. on the Judiciary, 115th Cong. 15 (2017) (statement of Richard W. Downing, Acting Deputy Assistant Attorney General, Dep't of Justice) [hereinafter Downing Testimony].

4 Id. at 7.

5 Kerr, Orin S., A User's Guide to the Stored Communications Act, and a Legislator's Guide to Amending It, 72 Geo. Wash. L. Rev. 1208, 1208 (2004)Google Scholar.

6 Downing Testimony, supra note 3, at 11.

7 Electronic Communications Privacy Act of 1986, Pub. L. 99-508, 100 Stat. 1848, 1860 (1986); see also Kerr, supra note 5, at 1208 n.2 (noting the various names used for the SCA over time).

8 Downing Testimony, supra note 3, at 13.

9 Id. at 2.

10 Letter from Peter J. Kadzik, Assistant Attorney General, Dep't of Justice, to Hon. Joseph R. Biden, President, U.S. Senate 3–4 (July 15, 2016), available at https://www.documentcloud.org/documents/2994379-2016-7-15-US-UK-Biden-With-Enclosures.html#document/p1 [https://perma.cc/7WGW-5D6G] [hereinafter Kadzik Letter]; see also David Kris, U.S. Government Presents Draft Legislation for Cross-Border Data Requests, Lawfare (July 16, 2016), at https://www.lawfareblog.com/us-government-presents-draft-legislation-cross-border-data-requests.

11 829 F.3d 197 (2d Cir. 2016).

12 United States v. Microsoft Corp., 138 S. Ct. 356 (2017) (cert. granted).

13 Kadzik Letter, supra note 10, at 2–3; see also Downing Testimony, supra note 3, at 2 (including within the proposal to Congress “legislation to fix the problems created by the Microsoft decision”).

14 See Nina Totenberg, A Needle in a Legal Haystack Could Sink a Major Supreme Court Privacy Case, NPR (Mar. 28, 2018), at https://www.npr.org/2018/03/28/597444394/a-needle-in-a-legal-haystack-could-sink-a-major-supreme-court-privacy-case (noting that “a Congress famous for gridlock passed legislation to modernize” the SCA “just three weeks after the Supreme Court argument”).

15 Following the passage of the CLOUD Act, the U.S. Department of Justice obtained a new warrant for the Microsoft data stored abroad. See Motion to Vacate the Judgment of the Court of Appeals and Remand the Case with Directions to Dismiss as Moot, 2, United States v. Microsoft Corp., No. 17-2 (Mar. 30, 2018). The Solicitor General then petitioned the Court to vacate the judgment of the court of appeals and remand the case with directions to dismiss as moot because “Microsoft's sole objection—that the prior warrant was impermissibly extraterritorial—no longer applies.” Id. at 1–2. Microsoft did not oppose the government's request, “provided that the Court similarly vacates the opinion of the magistrate judge (as adopted by the District Court) that the Second Circuit reversed… .” Response to the United States’ Motion to Vacate and Remand with Directions to Dismiss as Moot, 2, United States v. Microsoft Corp., No. 17-2 (Apr. 3, 2018).

On April 17, the Court issued a per curiam opinion agreeing “[n]o live dispute remains between the parties” and “[t]his case, therefore, has become moot.” United States v. Microsoft Corp., 138 S. Ct. 1186, 1188 (2018) (per curiam). As such, the Court ruled “the judgment on review is accordingly vacated, and the case is remanded” to the court of appeals “with instructions first to vacate the District Court's contempt finding and its denial of Microsoft's motion to quash, then to direct the District Court to dismiss the case as moot.” Id.

16 2018 Appropriations Act, supra note 1, div. 5, § 103(a)(1) (to be codified at 18 U.S.C. § 2713) (emphasis added). Downing's testimony indicates that the Department of Justice views this language as applicable to “providers subject to the jurisdiction of the United States.” See Downing Testimony, supra note 3, at 11.

17 2018 Appropriations Act, supra note 1, at div. 5, § 102(5). Downing testified that as of 2016 “[the Department of Justice] is not aware of any instance in which a provider has informed the Department or a court that production pursuant to the SCA of data stored outside the United States would place the provider in conflict with local law.” Downing Testimony, supra note 3, at 11.

18 2018 Appropriations Act, supra note 1, at div. 5, § 103(b) (to be codified at 18 U.S.C. § 2703(h)).

19 See infra notes 29–48 and accompanying text.

20 2018 Appropriations Act, supra note 1, at div. 5, § 103(b) (to be codified at 18 U.S.C. § 2703(h)).

21 Id.

22 Id. The mechanism to challenge extraterritorial warrants was a late addition to the CLOUD Act—the draft legislation introduced by both the Obama and Trump administrations did not include the provisions establishing it. See Kadzik Letter, supra note 10, at 4 (failing to include such provisions in draft legislation); see also Downing Testimony, supra note 3, at 24 (same).

23 2018 Appropriations Act, supra note 1, at div. 5, § 103(c).

24 See Daskal, Jennifer, Ireland, Microsoft, the CLOUD Act, and International Lawmaking 2.0, 71 Stan. L. Rev. Online 9, 1113 (2018)Google Scholar (noting potential tensions between this EU regulation and warrants that may be issued pursuant to the CLOUD Act).

25 Kadzik Letter, supra note 10, at 1.

26 Downing testified that the MLAT process is “not devised to handle the growing demands for digital evidence. Already, the Department faces significant challenges in responding to the enormous volume of foreign demands with the requisite speed.” Downing Testimony, supra note 3, at 7. For further discussion on how MLATs operate and the need for reform, see generally Swire, Peter & Hemmings, Justin D., Mutual Legal Assistance in an Era of Globalized Communications: The Analogy to the Visa Waiver Program, 71 N.Y.U. Ann. Surv. Am. L. 687 (2016)Google Scholar; Swire, Peter, Hemmings, Justin & Vergnolle, Suzanne, A Mutual Legal Assistance Case Study: The United States and France, 34 Wis. Int'l L.J. 323 (2017)Google Scholar.

27 Kadzik Letter, supra note 10, at 1; see also Swire & Hemmings, supra note 26, at 700 (noting that on average the MLAT process takes approximately ten months to execute valid electronic evidence requests).

28 See Downing Testimony, supra note 3, at 13. The CLOUD Act does not require disclosure as a matter of U.S. law, but where applicable it means that U.S. law will no longer operate as a bar to disclosure. See id.

29 2018 Appropriations Act, supra note 1, at div. 5, § 104 (to be codified in various sections of 28 U.S.C.); see also Stephen P. Mulligan, Congressional Research Service Report on Cross-Border Data Sharing Under the CLOUD Act 15–16 (Apr. 23, 2018), available at https://fas.org/sgp/crs/misc/R45173.pdf (concluding that the CLOUD Act “authorizes” such executive agreements and thus serves as a “source of authority” for the executive branch to enter into them). MLATs remain the vehicle for processing cross-border data requests for those nations that do not enter into the bilateral data-sharing agreements described in the CLOUD Act. See Downing Testimony, supra note 3, at 9.

30 2018 Appropriations Act, supra note 1, at div. 5, § 105 (to be codified at 18 U.S.C. § 2523). While the attorney general's determination “shall not be subject to judicial or administrative review,” the CLOUD Act creates expedited legislative procedures that Congress could use in passing a joint resolution of disapproval blocking the agreement within 180 days of the certification's submission to Congress. See id.

31 Id.

32 Id.

33 Id.

34 Id.

35 Id.

36 Id.

37 Id.

38 Id.

39 Downing Testimony, supra note 3, at 13–14.

40 Jennifer Daskal & Peter Swire, Why the CLOUD Act is Good for Privacy and Human Rights, Lawfare (Mar. 14, 2018), at https://lawfareblog.com/why-cloud-act-good-privacy-and-human-rights. Criticism was also levied at the process of the CLOUD Act's enactment: “It was never … marked up by any committee in either the House or the Senate… . It was robbed of a stand-alone floor vote because Congressional leadership decided, behind closed doors, to attach this unvetted, unrelated data bill to the $1.3 trillion government spending bill.” David Ruiz, Responsibility Deflected, the CLOUD Act Passes, Electronic Frontier Found. (Mar. 22, 2018), at https://www.eff.org/deeplinks/2018/03/responsibility-deflected-cloud-act-passes.

41 CLOUD ACT Coalition Letter from ACLU et al. to U.S. Members of Congress 1 (Mar. 12, 2018), available at https://www.aclu.org/sites/default/files/field_document/cloud_act_coalition_letter_3-8_clean.pdf.

42 Letter from Apple, Facebook, Google, Microsoft & Oath, to Doug Collins, Darrell Issa, Tom Marino, Hakeem Jeffries, Suzan DelBene & John Rutherford, Representatives, U.S. Congress (Feb. 6, 2018), available at https://blogs.microsoft.com/datalaw/wp-content/uploads/sites/149/2018/02/Tech-Companies-Letter-of-Support-for-House-CLOUD-Act-020618.pdf.

43 Daskal & Swire, supra note 40.

44 Ellen Nakashima & Andrea Peterson, The British Want to Come to America—with Wiretap Orders and Search Warrants, Wash. Post (Feb. 4, 2016), at https://www.washingtonpost.com/world/national-security/the-british-want-to-come-to-america--with-wiretap-orders-and-search-warrants/2016/02/04/b351ce9e-ca86-11e5-a7b2-5a2f824b02c9_story.html?noredirect=on&utm_term=.4649759d38ea; see also Andrew Keane Woods, The US-UK Data Deal, Lawfare (Feb. 10, 2016), at https://lawfareblog.com/us-uk-data-deal (arguing that “an agreement, with the right safeguards, can be seen as critical for the preserving [of] the internet as we know it, and over the long term a significant victory for privacy”).

45 Downing Testimony, supra note 3, at 13–14; see also Kadzik Letter, supra note 10, at 1 (“The legislative proposal is necessary to implement a potential bilateral agreement between the United Kingdom and United States.”).

46 Office of Sen. Orrin Hatch Press Release, Hatch Previews CLOUD Act: Legislation to Solve the Problem of Cross-Border Data Requests (Feb. 5, 2018), at https://www.hatch.senate.gov/public/index.cfm/2018/2/hatch-previews-cloud-act-legislation-to-solve-the-problem-of-cross-border-data-requests [https://perma.cc/CEK2-PKBN].

47 British Prime Minister's Off. Press Release, PM Call with President Trump: 6 February 2018 (Feb. 6, 2018), at https://www.gov.uk/government/news/pm-call-with-president-trump-6-february-2018 [https://perma.cc/R83W-HUFR].

48 See Data Stored Abroad: Ensuring Lawful Access and Privacy Protection in the Digital Era: Hearing Before the H. Comm. on the Judiciary, 115th Cong. 15 (June 15, 2017) (statement of Paddy McGuinness, U.K. Deputy National Security Advisor); Law Enforcement Access to Data Stored Across Borders: Facilitating Cooperation and Protecting Rights Before S. Comm. on the Judiciary, 115th Cong. (May 24, 2017, rescheduled from May 10, 2017) (statement of Paddy McGuiness, U.K. Deputy National Security Advisor).