On Wednesday, the U.S. Department of Justice released a white paper and FAQ on the Clarifying Lawful Overseas Use of Data (“CLOUD”) Act, which was enacted in March 2018 and creates a new framework for government access to data held by technology companies worldwide.  The paper, titled “Promoting Public Safety, Privacy, and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act,” addresses the scope and purpose of the CLOUD Act and responds to 29 frequently asked questions about the Act.

The CLOUD Act has two parts (as described in our prior blog post).  Part I provides that orders issued pursuant to the Electronic Communications Privacy Act (“ECPA”) to certain technology providers can reach data within those providers’ possession, custody, or control, regardless of where that data is stored.  Part II creates a framework for new bilateral agreements with foreign governments for cross-border data requests.  The DOJ White Paper and FAQ focus in large part on the framework for new agreements created under Part II of the CLOUD Act. Where entered, these new bilateral agreements can be used to remove restrictions under each country’s laws so that technology companies may comply with qualifying, lawful orders issued by the other country.

In the new white paper, DOJ describes the CLOUD Act as “represent[ing] a new paradigm: an efficient, privacy and civil liberties-protective approach to ensure effective access to electronic data that lies beyond a requesting country’s reach due to the revolution in electronic communications, recent innovations in the way global technology companies configure their systems, and the legacy of 20th century legal frameworks.”

As the DOJ paper explains, technology companies often store data worldwide, and the data can accordingly be subject to multiple conflicting laws.  For example, conflicting legal obligations may arise when a technology company receives an order from one government requiring the disclosure of data, but another government restricts disclosure of the same data.  The DOJ white paper recognizes that “[i]f national laws conflict, [technology companies] may be forced to choose which country’s laws to follow, knowing that they may face consequences for violating another country’s laws.”  Those conflicts, the DOJ white paper states, also “pose serious problems for governments seeking data and can frustrate important investigations.”

The DOJ white paper explains how new bilateral agreements negotiated under the CLOUD Act’s framework can reduce such conflicts of laws.  Any such agreements would “lift any restrictions under U.S. law on companies disclosing electronic data directly to foreign authorities for covered orders in investigations of serious crime.”  In doing so, the agreements “would permit U.S.-based global [technology companies] to respond directly to foreign legal process in many circumstances.”  The DOJ paper also makes clear that CLOUD Act agreements are to supplement, rather than replace,  existing Mutual Legal Assistance Treaties (or “MLATs”).  However, by creating a streamlined mechanism for authorities to request evidence in another country, they may have the effect of reducing the number of demands made under MLATs.

The FAQs accompanying the DOJ white paper also address a number of common questions about the CLOUD Act, including about the extraterritorial reach of U.S. warrants codified in Part I of the CLOUD Act.  For example, the FAQ responses note that the CLOUD Act did not give U.S. courts expanded jurisdiction over companies.  Rather, DOJ explains that Part I of the CLOUD Act requires companies already subject to jurisdiction in the U.S. to provide data in response to U.S. legal process, regardless of where the data is stored.  In addition, the DOJ white paper notes that if a U.S. order conflicts with foreign law, “U.S. courts can be expected to apply long-standing U.S. and international principles regarding conflicts of law to ensure appropriate respect for international comity by applying a multi-factor balancing test, taking into account the interests of both the United States and the foreign country.”

The FAQ responses also recognize that the CLOUD Act does not change U.S. law or practice on obtaining enterprise customer data.  In December 2017, the Department of Justice issued recommended practices advising prosecutors to determine whether data of an enterprise customer should be sought from the enterprise directly or from the enterprise’s technology provider.  According to the recommended practices, prosecutors should seek data directly from an enterprise customer when doing so “will not compromise the investigation.”

The publication of the white paper follows an April 5 speech on the CLOUD Act by Deputy Assistant Attorney General Richard W. Downing.  In his remarks, made in London at a conference on European law, Downing said he hoped to “dispel some of the misconceptions” about the CLOUD Act and described the Act as a “model for international cooperation.”  Downing emphasized that the CLOUD Act responded to concerns from foreign governments about their inability to access information stored with service providers in the United States.  According to Downing, the “greatest gains in lawful access to cross-border data stand to come from the lowering of barriers . . . between nations with shared values, principles, and needs.”

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Jim Garland Jim Garland

Jim Garland’s practice focuses on government investigations and enforcement matters, litigation, and cybersecurity. Recognized by Chambers USA as a leading practitioner in both the white collar and cybersecurity categories, Jim draws upon his experience as a former senior Justice Department official to advise…

Jim Garland’s practice focuses on government investigations and enforcement matters, litigation, and cybersecurity. Recognized by Chambers USA as a leading practitioner in both the white collar and cybersecurity categories, Jim draws upon his experience as a former senior Justice Department official to advise clients on sensitive, multidimensional disputes and investigations, often with national security implications. He previously served as co-chair of Covington’s “Band 1”-ranked White Collar and Investigations Practice Group and currently is a member of the firm’s Management and Executive Committees.

Jim regularly represents corporate and individual clients in government investigations and enforcement actions. He has successfully handled matters involving allegations of economic espionage, theft of trade secrets, terrorism-financing, sanctions and export control violations, money laundering, foreign bribery, public corruption, fraud, and obstruction of justice. He has particular expertise advising clients in connection with investigations and disputes involving electronic surveillance and law enforcement access to digital evidence.

Jim has substantial experience litigating high-stakes, multidimensional disputes for clients across a range of industries, including companies in the high-tech, financial services, defense, transportation, media and entertainment, and life sciences sectors. Many of his civil representations have substantial cross-border dimensions or involve parallel government enforcement proceedings in multiple forums.

In conjunction with his investigations and litigation practice, Jim regularly assists clients with cybersecurity preparedness and incident-response matters. He helps clients in assessing security controls and in developing policies and procedures for the protection of sensitive corporate data. He also regularly assists companies in responding to significant cybersecurity incidents, including in connection with criminal and state-sponsored attacks targeting customer and employee data, financial information, and trade secrets.

From 2009 to 2010, Jim served as Deputy Chief of Staff and Counselor to Attorney General Eric Holder at the U.S. Department of Justice. In that role, he advised the Attorney General on a range of enforcement issues, with an emphasis on criminal, cybersecurity, and surveillance matters.

Photo of Alexander Berengaut Alexander Berengaut

Alex Berengaut is a nationally recognized litigator and co-chair of Covington’s Government Litigation practice group. He has served as lead counsel in a range of commercial disputes and government enforcement proceedings, and currently represents several leading technology companies in litigation and compliance matters…

Alex Berengaut is a nationally recognized litigator and co-chair of Covington’s Government Litigation practice group. He has served as lead counsel in a range of commercial disputes and government enforcement proceedings, and currently represents several leading technology companies in litigation and compliance matters relating to data privacy, platform liability, artificial intelligence, and cybersecurity.

In recent years, Alex obtained a series of landmark victories against the federal government in bet-the-company disputes for technology clients. Alex represented TikTok in challenging the Trump Administration’s efforts to ban the app, delivering the winning argument that led the court to enjoin the ban hours before it was set to take effect. He also represented Xiaomi Corporation in challenging the Department of Defense designation that would have blacklisted the company from U.S. financial markets, delivering the winning argument that led the court to enjoin the designation, restoring $10 billion to Xiaomi’s market capitalization.

At the state level, Alex has successfully challenged unconstitutional state legislation and defended against state consumer protection actions. He obtained an injunction blocking Montana’s law banning the TikTok platform, and he secured the outright dismissal of multiple State AG consumer protection lawsuits relating to data privacy and security—a string of victories which resulted in Alex being recognized as Litigator of the Week

Alex has served as counsel to Microsoft Corporation in precedent-setting cases involving government surveillance issues, including Microsoft’s landmark challenge to the government’s attempt to compel disclosure of customer emails stored in Ireland using a search warrant; Microsoft’s First Amendment challenge in the Foreign Intelligence Surveillance Court to restrictions on disclosures about government surveillance; and Microsoft’s constitutional challenge to the statute that allows courts to impose gag orders on technology companies, resulting in nationwide reform of the government’s practices under the statute. 

 Alex maintains an active pro bono practice, focusing on trial-level indigent criminal defense and youth immigration matters. From 2017 to 2020, Alex represented the University of California in challenging the Trump Administration’s rescission of the Deferred Action for Childhood Arrivals (DACA) program, ultimately resulting in a 5-4 victory in the U.S. Supreme Court. See Department of Homeland Security, et al. v. Regents of the University of California et al., 140 S. Ct. 1891 (2020).