Bipartisan Cloud Act introduced in the Senate: What does this potentially mean for data stored overseas?

The debate surrounding overseas storage of data continues.  Last week, Senator Orrin Hatch (R-Utah), co-sponsored by Senators Christopher Coons (D-Del.), Lindsey Graham (R-S.C.) and Sheldon Whitehouse (D-R.I.), introduced the Clarifying Lawful Overseas Use of Data Act, or “Cloud Act”, to create a framework for law enforcement to access data that is stored overseas.  You may recall that a case regarding access to data abroad, under the Stored Communications Act (“SCA”), 18 U.S.C. Chapter 121 §§ 2701–2712, is currently pending in front of the Supreme Court.  [We outlined some of the salient issues discussed at the Appellate Court level in an earlier blog post, “Where is Your Data Located?”].

The Supreme Court is scheduled to hear arguments on February 27th in the appeal of the Second Circuit’s Matter of Warrant to Search a Certain EMail Account Controlled & Maintained by Microsoft Corp., 829 F.3d 197 (2d Cir. 2016) opinion.  The question presented to the Supreme Court is

Whether a United States provider of email services must comply with a probable-cause-based warrant issued under 18 U.S.C. 2703 by making disclosure in the United States of electronic communications within that provider’s control, even if the provider has decided to store that material abroad.

See Petition for Writ of Certiorari, at (I).

This case has drawn national and international attention, especially as it relates to data privacy.  With the forthcoming General Data Protection Regulation in Europe, the European Commission has weighed in on-behalf of the European Union in an amicus brief noting that it “has significant interests in this case” because it “concerns personal data stored in a datacenter in the European Union that is operated by an EU-based subsidiary of Microsoft.”  See EU Amicus Brief, at 3.  The United Kingdom, New Zealand, and the United Nations have also added their voice to this debate.  Additionally, a number of associations, business groups, and other interested organizations have also filed amicus briefs.

Against this backdrop, Congress is now dipping its toes into the proverbial data pool with the proposed Cloud Act.  The Cloud Act would fill a current gap in federal law, answering whether U.S. companies can be required to give the government data stored abroad.

Today, it is actually a challenge to not store your data globally:  you have to take active measures to maintain your data in a specific region.  But, as is typical in today’s world, the law is not keeping up with technological innovation.  With the explosion of online communication and data creation, it is no longer simple to determine the jurisdictional location of that data.  Before, the communications and documents that would be sought pursuant to a subpoena or warrant would be physically located somewhere — making this analysis simple:  the document is located in the US, then US law applies.  Now, documents may be created in the United States, accessed from China, and stored in the European Union — so who has jurisdiction now?

The Cloud Act would clarify that U.S. warrants apply across the globe, while providing technology companies with the ability to notify foreign governments of requests to access data stored within their jurisdiction.  Further, the Cloud Act provides for the creation of agreements between the US and foreign countries to handle cross-border data request from law enforcement.  On February 6, 2018, Apple, Facebook, Google, Microsoft, and Oath submitted a letter of support for the Cloud Act, calling it a “logical solution for governing cross-border access to data.”

The Cloud Act would directly impact the Microsoft case at the Supreme Court — making the pending case moot.   The Act includes the following section, amending the SCA:

A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.

See Section 3(a)(1).  In essence, regardless of where the actual data is stored, the “provider of electronic communication service or remote computer service” (i.e., the Microsofts and Googles of the world) would need to comply with their obligations under the SCA, which would include warrants and subpoenas.   There are safeguards put in place that would allow a motion to quash if the customer is not a US citizen or a motion to modify the legal process if the service provider believes that disclosure would create a “material risk” that the provider would violate another country’s law.

An update to the SCA is long overdue, but it remains to be seen if these proposed revisions under the Cloud Act strike the right balance between access to information and data privacy regulations.

The Cloud Act is Congress’ way of attempting to provide some guidance on this evolving issue.  However, there is an inherent tension between technology, which for a variety of reasons is moving data storage to overseas locations, privacy concerns for the individuals “attached” to that data, and legitimate needs of the government and/or law enforcement to access that data.  It is unclear if the Cloud Act strikes the right balance of allowing legitimate access to documents while respecting privacy rights — especially privacy rights that are given much higher priority in other jurisdictions.

* * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.