On Wednesday, the U.S. Department of Justice released a white paper and FAQ on the Clarifying Lawful Overseas Use of Data (“CLOUD”) Act, which was enacted in March 2018 and creates a new framework for government access to data held by technology companies worldwide. The paper, titled “Promoting Public Safety, Privacy, and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act,” addresses the scope and purpose of the CLOUD Act and responds to 29 frequently asked questions about the Act.
The CLOUD Act has two parts (as described in our prior blog post). Part I provides that orders issued pursuant to the Electronic Communications Privacy Act (“ECPA”) to certain technology providers can reach data within those providers’ possession, custody, or control, regardless of where that data is stored. Part II creates a framework for new bilateral agreements with foreign governments for cross-border data requests. The DOJ White Paper and FAQ focus in large part on the framework for new agreements created under Part II of the CLOUD Act. Where entered, these new bilateral agreements can be used to remove restrictions under each country’s laws so that technology companies may comply with qualifying, lawful orders issued by the other country.
In the new white paper, DOJ describes the CLOUD Act as “represent[ing] a new paradigm: an efficient, privacy and civil liberties-protective approach to ensure effective access to electronic data that lies beyond a requesting country’s reach due to the revolution in electronic communications, recent innovations in the way global technology companies configure their systems, and the legacy of 20th century legal frameworks.”
As the DOJ paper explains, technology companies often store data worldwide, and the data can accordingly be subject to multiple conflicting laws. For example, conflicting legal obligations may arise when a technology company receives an order from one government requiring the disclosure of data, but another government restricts disclosure of the same data. The DOJ white paper recognizes that “[i]f national laws conflict, [technology companies] may be forced to choose which country’s laws to follow, knowing that they may face consequences for violating another country’s laws.” Those conflicts, the DOJ white paper states, also “pose serious problems for governments seeking data and can frustrate important investigations.”
The DOJ white paper explains how new bilateral agreements negotiated under the CLOUD Act’s framework can reduce such conflicts of laws. Any such agreements would “lift any restrictions under U.S. law on companies disclosing electronic data directly to foreign authorities for covered orders in investigations of serious crime.” In doing so, the agreements “would permit U.S.-based global [technology companies] to respond directly to foreign legal process in many circumstances.” The DOJ paper also makes clear that CLOUD Act agreements are to supplement, rather than replace, existing Mutual Legal Assistance Treaties (or “MLATs”). However, by creating a streamlined mechanism for authorities to request evidence in another country, they may have the effect of reducing the number of demands made under MLATs.
The FAQs accompanying the DOJ white paper also address a number of common questions about the CLOUD Act, including about the extraterritorial reach of U.S. warrants codified in Part I of the CLOUD Act. For example, the FAQ responses note that the CLOUD Act did not give U.S. courts expanded jurisdiction over companies. Rather, DOJ explains that Part I of the CLOUD Act requires companies already subject to jurisdiction in the U.S. to provide data in response to U.S. legal process, regardless of where the data is stored. In addition, the DOJ white paper notes that if a U.S. order conflicts with foreign law, “U.S. courts can be expected to apply long-standing U.S. and international principles regarding conflicts of law to ensure appropriate respect for international comity by applying a multi-factor balancing test, taking into account the interests of both the United States and the foreign country.”
The FAQ responses also recognize that the CLOUD Act does not change U.S. law or practice on obtaining enterprise customer data. In December 2017, the Department of Justice issued recommended practices advising prosecutors to determine whether data of an enterprise customer should be sought from the enterprise directly or from the enterprise’s technology provider. According to the recommended practices, prosecutors should seek data directly from an enterprise customer when doing so “will not compromise the investigation.”
The publication of the white paper follows an April 5 speech on the CLOUD Act by Deputy Assistant Attorney General Richard W. Downing. In his remarks, made in London at a conference on European law, Downing said he hoped to “dispel some of the misconceptions” about the CLOUD Act and described the Act as a “model for international cooperation.” Downing emphasized that the CLOUD Act responded to concerns from foreign governments about their inability to access information stored with service providers in the United States. According to Downing, the “greatest gains in lawful access to cross-border data stand to come from the lowering of barriers . . . between nations with shared values, principles, and needs.”