This article originally appeared in Global Data Review on March 29, 2019
Last year, the US passed legislation expanding the geographic reach of certain legal process, including search warrants, issued to technology providers seeking customer data. Under the Clarifying Lawful Overseas Use of Data (CLOUD) Act, warrants issued by US courts can force certain types of providers to disclose customer data stored anywhere in the world.
Notably, the CLOUD Act does not affect only US technology providers. The legislation covers all providers of defined technology services, so long as they are subject to US jurisdiction and in possession, custody or control of the data sought. This article describes the CLOUD Act, addresses scenarios in which technology providers based outside the US may be subject to the legislation, and identifies mechanisms for challenging legal process issued under the Act.
Two parts of the CLOUD Act
The CLOUD Act has two distinct parts: the first extends the reach of US legal process issued for data stored by technology providers that are subject to US jurisdiction; the second creates a new framework for bilateral agreements on cross-border data requests.
Under the first part of the CLOUD Act, legal process issued to certain types of technology providers can reach customer data and related records in the provider’s possession, custody, or control “regardless” of whether the data is located within or outside the US. The act applies to “electronic communication services” (including email and messaging services) and “remote computing services” (including cloud storage services).
The second part of the CLOUD Act addresses broader issues, by creating a new framework for bilateral agreements on government access to data held by technology providers. No such agreements have yet been adopted, although public reports indicate the US and UK are negotiating such an agreement. These broader frameworks are aimed at reducing conflicts of laws, such as by requiring each country to provide “reciprocal rights of data access” including “removing restrictions on communications service providers” to “allow them to respond to valid legal process sought by a governmental entity … if foreign law would otherwise prohibit communications service providers from disclosing the data.”
Application to technology companies based outside the US
Legal process issued under the CLOUD Act can be enforced against any covered technology providers subject to US jurisdiction, regardless of whether the provider is based in the US.
Under longstanding principles, US courts assert two types of jurisdiction over companies: general jurisdiction, which typically exists when companies are headquartered or incorporated in the US, and requires them to face lawsuits of any nature; and specific jurisdiction, which requires a fact-specific analysis of whether companies have sufficient “minimum contacts” with the US, and applies only to lawsuits that arise out of such contacts.
Under these principles, technology providers located outside the US may nonetheless be subject to its jurisdiction in several ways.
First, if an EU technology provider has a subsidiary in the US, that subsidiary would be subject to general jurisdiction. Subsidiaries can accordingly be served with CLOUD Act legal process for any customer data in their possession, custody, or control, regardless of whether that customer data is inside or outside the United States. This can include data held by a foreign parent or other foreign affiliate, if that data is within the subsidiary’s possession, custody, or control.
Second, even if an EU technology provider does not have a US subsidiary, it can nonetheless be subject to specific jurisdiction based on its contacts with the US. Companies are subject to specific jurisdiction if they have sufficient “minimum contacts” with the US to demonstrate they “purposefully availed” themselves of the privilege of conducting activities in the US. These contacts can be truly minimal in number. Indeed, the US Supreme Court explained in Burger King Corp v Rudzewicz that “even a single act can support jurisdiction” so long as it “creates a substantial connection with the forum.” When specific jurisdiction exists, companies are subject to lawsuits that arise out of their contacts with the US.
As one example of a sufficient “minimum contact,” the US Court of Appeals for the Third Circuit held in O’Connor v Sandy Lane Hotel that a Barbados hotel was subject to US jurisdiction where it “deliberately reached into” a state to target only “two of its citizens.” In that case, posting a brochure and exchanging phone calls with two citizens was enough to establish jurisdiction. Similarly, the First Circuit ruled in Plixer v Scrutinizer that a German cloud provider was subject to US jurisdiction because it has a “regular course of sales” in the US. While the record did not reflect what percentage of the company’s business was from the US, the court found the company should have “reasonably anticipated” being hauled into a US court because it used its website to obtain contracts with US customers.
Possession, custody, or control
Even when technology providers are subject to US jurisdiction, the CLOUD Act can only require them to disclose information in their possession, custody, or control. The test for determining if companies are in possession, custody, or control of information is fact-specific and varies across US courts, but can be met when companies have the legal right to access the information, or the practical ability to do so.
This limitation can be particularly relevant when legal process is issued to one corporate entity for data held by a corporate affiliate. For example, if a warrant is issued to a US subsidiary for data held by an Irish parent company, the subsidiary could be forced to produce the data if it has the legal right or practical ability to access data held by the parent. As a general matter, courts have frequently found that parent companies have the legal right or practical ability to compel subsidiaries to provide information. Conversely, it is less common for courts to find that subsidiaries have the legal right or practical ability to obtain data from parents. Still, this inquiry is fact-specific, and depends on the relationship between parents and subsidiaries, including whether the entity served with legal process has access to information sought by that legal process in the ordinary course of business.
Challenging CLOUD Act warrants
Technology providers caught by the legislation can challenge legal process, if complying would create a potential conflict of laws. The CLOUD Act expressly preserves the ability of providers to challenge a legal process in US court on the basis of international comity. It also creates a new mechanism for doing so when compliance with a CLOUD Act warrant creates a potential conflict with the law of a country that has entered into a CLOUD Act agreement.
The Act recognises providers’ existing common law ability to challenge US legal process if it creates a potential conflict with foreign law. Such challenges are evaluated under a series of factors, including the importance to the investigation or litigation of the documents or information requested; the degree of specificity of the request; whether the information originated in the US; the availability of alternative means of securing the information; the extent to which noncompliance with the request would undermine important interests of the US; and the extent to which compliance with the request would undermine important interests of the state where the information is located. Historically, such challenges have been uncommon and rarely successful, though they may become more frequent as the US issues a greater number of extraterritorial warrants, particularly when those warrants seek data from non-US technology providers.
A new statutory mechanism governs challenges when warrants create potential conflict with the law of a country that has entered into a CLOUD Act agreement. No such agreements have been entered; but in the future, if an agreement has been signed, the Act lets providers initiate statutory challenges if they reasonably believe that customers or subscribers are not US persons and do not reside in the US, and that the required disclosure would create a material risk of violating the laws of the foreign government that is a CLOUD Act agreement signatory. US courts can modify or quash the legal process if they find that a required disclosure would violate the foreign government’s law, the interests of justice dictate that the legal process should be modified or quashed; and that the customer or subscriber is not a US person and does not reside in the US. In assessing the interests of justice, courts must consider comity factors set out in the statute.
Countries that have entered into CLOUD Act agreements also receive an additional protection: the legislation allows providers to disclose to those governments the existence of legal process seeking the contents of a communication of a customer or subscriber who is a national or resident of that country. Such a disclosure may, for example, enable foreign governments to raise concerns they may have directly with the US government, including potentially by intervening directly in court proceedings.