On March 23, 2018, Congress passed, and President Trump signed into law, the Clarifying Lawful Overseas Use of Data (“CLOUD”) Act, which creates a new framework for government access to data held by technology companies worldwide.

The CLOUD Act, enacted as part of the Consolidated Appropriations Act, has two components.

Part I:  Extraterritorial Reach of U.S. Orders and Comity Rights for Providers

The first part of the CLOUD Act provides that orders issued pursuant to the Electronic Communications Privacy Act (“ECPA”) can reach data regardless of where that data is stored.  This portion of the law addresses the question at the heart of United States v. Microsoft, the Supreme Court case that was argued on February 27.*

Part I of the Act also creates a new statutory mechanism by which technology companies can challenge warrants based on the material risk of a conflict with the laws of qualified foreign countries—specifically, those countries that enter into bilateral agreements of the type contemplated in Part II of the Act and that afford reciprocal comity rights to the United States (referred to as “qualifying foreign governments”).  The CLOUD Act also preserves the common law rights of providers to bring comity challenges based on conflicts of laws with other countries (i.e., those that are not “qualifying foreign governments” under the Act).

Under this new statutory comity framework, a provider may file a motion to modify or quash U.S. legal process if it reasonably believes: (1) the customer or subscriber is not a U.S. person and does not reside in the United States, and (2) the required disclosure would create a material risk of violating the laws of a qualifying foreign government.

In any such challenge, a court may modify or quash the legal process upon finding that: (1) the required disclosure would violate the qualifying foreign government’s law, and (2) the interests of justice dictate that the legal process should be modified or quashed.  In conducting this second inquiry, courts are to consider a series of comity factors set out in the statute.  During the pendency of such a challenge, the provider may notify the qualifying foreign government of the existence of the legal process and thereby allow the foreign government to raise any concerns directly with the U.S. Government.

Part II:  Framework for Bilateral Agreements on Cross-Border Data Requests

The second part of the CLOUD Act creates a framework for new bilateral agreements with foreign governments for cross-border data requests.  Under these bilateral agreements, the United States and participating foreign governments would remove legal restrictions that otherwise prohibit technology providers from complying with the other country’s legal requests.

Previously, governments had to invoke mutual legal assistance treaties (“MLATs”) to obtain evidence stored in another country.  Under the MLAT process, a foreign government seeking information from a U.S. provider would ask the U.S. Department of Justice to obtain a U.S. court order for that information.  Part II of the CLOUD Act creates a new framework that instead allows foreign governments to serve legal process directly on U.S. providers, without the necessity of first making an MLAT request to the U.S. Department of Justice.

Because the CLOUD Act has no effect on a foreign government’s jurisdiction over U.S. companies, any obligation by a provider to comply with a foreign order issued pursuant to such an agreement must arise under the foreign law.  In other words, the CLOUD Act removes barriers that might otherwise prohibit a U.S. provider from complying with a foreign government’s order, but the CLOUD Act does not compel a U.S. provider to comply with any foreign order.

Not all governments can enter into bilateral agreements under the CLOUD Act.  Before a country may do so, the Attorney General must submit certain written certifications to Congress regarding the foreign country.  Those certifications must find that the country meets specific criteria establishing that its domestic law affords robust substantive and procedural protections for privacy and civil liberties.  Additionally, the foreign government must adopt procedures to minimize the acquisition and retention of information about U.S. persons and cannot impose a decryption obligation on providers through the agreement.

Bilateral agreements must also contain a number of limits on the types of orders that may be submitted by the foreign government directly to a U.S. provider, including:

  • Orders must be for the purpose of obtaining information relating to a serious crime, including terrorism.
  • Orders must identify a specific person, account, address, device, or other identifier.
  • Orders must comply with the foreign government’s domestic law.
  • Orders must be based on requirements for a reasonable justification based on articulable and credible facts.
  • Orders must be subject to judicial review prior to, or in enforcement proceedings regarding, enforcement of the order.
  • Orders for interceptions must be for a fixed and limited time, may not last longer than reasonably necessary to accomplish the order’s purposes, and may only be issued if the same information could not be obtained by a less obtrusive method.
  • Orders may not be used to infringe freedom of speech.

Foreign governments that enter such bilateral agreements must also agree to periodic compliance reviews by the U.S. Government.

Finally, the CLOUD Act contains specific provisions addressing how these bilateral agreements will be entered into and renewed.  Under those provisions, once the Attorney General certifies a new agreement, it is to be considered by Congress.  The agreement will enter into force unless Congress enacts a joint resolution of disapproval within 180 days.  Every five years, the Attorney General is to review his or her determination that a foreign country meets the requirements for entering into a bilateral agreement.  If the Attorney General renews that determination, he or she is to submit a report to Congress containing the reasons for the renewal, any substantive changes to the agreement or to foreign law, and how the agreement has been implemented and what problems or controversies, if any, have arisen.

* Covington represents Microsoft Corporation in United States v. Microsoft, No. 17-2.

Jim Garland

Jim Garland’s practice focuses on government investigations and enforcement matters, litigation, and cybersecurity. Recognized by Chambers USA as a leading practitioner in both the white collar and cybersecurity categories, Jim draws upon his experience as a former senior Justice Department official to advise clients on sensitive, multidimensional disputes and investigations, often with national security implications. He previously served as co-chair of Covington’s “Band 1”-ranked White Collar and Investigations Practice Group and currently is a member of the firm’s Management and Executive Committees.

Jim regularly represents corporate and individual clients in government investigations and enforcement actions. He has successfully handled matters involving allegations of economic espionage, theft of trade secrets, terrorism-financing, sanctions and export control violations, money laundering, foreign bribery, public corruption, fraud, and obstruction of justice. He has particular expertise advising clients in connection with investigations and disputes involving electronic surveillance and law enforcement access to digital evidence.

Jim has substantial experience litigating high-stakes, multidimensional disputes for clients across a range of industries, including companies in the high-tech, financial services, defense, transportation, media and entertainment, and life sciences sectors. Many of his civil representations have substantial cross-border dimensions or involve parallel government enforcement proceedings in multiple forums.

In conjunction with his investigations and litigation practice, Jim regularly assists clients with cybersecurity preparedness and incident-response matters. He helps clients in assessing security controls and in developing policies and procedures for the protection of sensitive corporate data. He also regularly assists companies in responding to significant cybersecurity incidents, including in connection with criminal and state-sponsored attacks targeting customer and employee data, financial information, and trade secrets.

From 2009 to 2010, Jim served as Deputy Chief of Staff and Counselor to Attorney General Eric Holder at the U.S. Department of Justice. In that role, he advised the Attorney General on a range of enforcement issues, with an emphasis on criminal, cybersecurity, and surveillance matters.

Alexander Berengaut

Alex Berengaut is a nationally recognized litigator and co-chair of Covington’s Government Litigation practice group. He has served as lead counsel in a range of commercial disputes and government enforcement proceedings, and currently represents several leading technology companies in litigation and compliance matters relating to data privacy, platform liability, artificial intelligence, and cybersecurity.

In recent years, Alex obtained a series of landmark victories against the federal government in bet-the-company disputes for technology clients. Alex represented TikTok in challenging the Trump Administration’s efforts to ban the app, delivering the winning argument that led the court to enjoin the ban hours before it was set to take effect. He also represented Xiaomi Corporation in challenging the Department of Defense designation that would have blacklisted the company from U.S. financial markets, delivering the winning argument that led the court to enjoin the designation, restoring $10 billion to Xiaomi’s market capitalization.

At the state level, Alex has successfully challenged unconstitutional state legislation and defended against state consumer protection actions. He obtained an injunction blocking Montana’s law banning the TikTok platform, and he secured the outright dismissal of multiple State AG consumer protection lawsuits relating to data privacy and security—a string of victories which resulted in Alex being recognized as Litigator of the Week

Alex has served as counsel to Microsoft Corporation in precedent-setting cases involving government surveillance issues, including Microsoft’s landmark challenge to the government’s attempt to compel disclosure of customer emails stored in Ireland using a search warrant; Microsoft’s First Amendment challenge in the Foreign Intelligence Surveillance Court to restrictions on disclosures about government surveillance; and Microsoft’s constitutional challenge to the statute that allows courts to impose gag orders on technology companies, resulting in nationwide reform of the government’s practices under the statute. 

 Alex maintains an active pro bono practice, focusing on trial-level indigent criminal defense and youth immigration matters. From 2017 to 2020, Alex represented the University of California in challenging the Trump Administration’s rescission of the Deferred Action for Childhood Arrivals (DACA) program, ultimately resulting in a 5-4 victory in the U.S. Supreme Court. See Department of Homeland Security, et al. v. Regents of the University of California et al., 140 S. Ct. 1891 (2020).