On March 23, 2018, the U.S. Congress enacted the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which had the immediate effect of mooting the ongoing U.S. v. Microsoft litigation. A central issue of that case was whether a web-based or cloud-based telecommunications or data service provider, subject to U.S. jurisdiction, could avoid being required to provide stored electronic communications for which a search-and-seizure warrant had been served when those communications were stored on servers outside of the U.S. The U.S. CLOUD Act amended the Stored Communications Act of 1986 (SCA), which was enacted to create Fourth Amendment–like privacy protection for email and other digital communication stored or held by internet service providers. Such providers are those that provide services including email, instant messaging, video conferencing, wireless telephone, remote or backup data storage, and cloud hosting or processing.
The U.S. CLOUD Act provides that the obligation to comply with search warrant requirements under the SCA applies regardless of whether a communication, record or other information is located within or outside of the United States:
"A [service provider] shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States."
A warrant or subpoena under the U.S. CLOUD Act gives the U.S. government, for example through a U.S. law enforcement agency, the ability to compel a recipient to hand over data regardless of where that data is stored, provided that all three of the following requirements are met:
- A U.S. court has jurisdiction over the entity whose data is being sought.
- The entity is an electronic communication service or remote computing service provider intended to be in scope of the U.S. CLOUD Act.
- The entity has possession, custody or control over the data being sought.
The U.S. CLOUD Act applies only to the contents of electronic communications, documents stored in the cloud, and to certain types of transmission and account information. The U.S. CLOUD Act allows U.S. law enforcement agencies to issue warrants to gain access to data held by organizations under U.S. jurisdiction, even if such data is held outside the U.S. and such data involves individuals other than U.S. citizens.
An entity on whom a warrant or subpoena is served pursuant to the U.S. CLOUD Act may challenge the warrant by arguing that any one of the above three requirements is not met.
Repercussions of U.S. CLOUD Act on the GDPR
Given its relatively recent enactment date, the U.S. CLOUD Act's compatibility with the EU General Data Protection Regulation is still an open question. With regard to data transfer to third countries for which such transfer is subject to the GDPR, Articles 44 to 50 of the GDPR apply. In particular, Article 48 of the GDPR comes into play when EU data is being requested by a U.S. law enforcement agency.
Article 48
From the EU perspective, there is significant concern that U.S. authorities might undermine the GDPR requirements set out in Article 48 by utilizing the U.S. CLOUD Act to compel U.S. organizations providing electronic communication services and remote computing services to allow access to certain types of data stored outside the U.S. U.S. law enforcement agencies can serve a search warrant for a U.S. organization's data and, unless one of the three above-referenced requirements is not met, that organization must comply, even if the data is stored in a foreign jurisdiction.
Implications for corporations located in the US with data storage in the EU
What happens if a U.S. electronic communication services or remote computing services corporation receives a warrant or subpoena from a U.S. law enforcement agency for data being stored in an EU-based subsidiary of that U.S. corporation? Must that data be disclosed, even though it may contain data corresponding to EU individuals? The answer will partly depend on the organizational setup of the U.S. corporation including, specifically, the parent’s relationship to its offshore affiliates. If the U.S. corporation has possession, custody or control over the data being sought, that data would be subject to production under the CLOUD Act.
Use case 1: Data storage in EU affiliate and no data access from the non-EU corporate parents
The data held at the EU affiliate would likely not be accessible to U.S. authorities under the CLOUD Act if the following facts apply:
- The EU subsidiary has all its offices in the related EU country, conducts no business in the U.S., and operates independently of its corporate parents.
- The computer network established in the EU subsidiary is fully segmented from the networks of its corporate parent.
- As a technical matter, it is not possible for personnel of the corporate parent to reach remotely into the telecommunication infrastructure of the EU affiliate to obtain data.
Use case 2: Vendor services 24/7 around the globe, or disaster recovery systems with limited access to data of US corporate parents
IT support service providers whose services "follow the sun" (meaning that the jurisdiction from which the services are provided shifts over the course of a day) and disaster recovery systems (where data is stored outside the U.S. in the ordinary course but backup retrieval systems in the U.S. may be activated in certain circumstances) raise the question of whether they open the door to requests for data under the CLOUD Act.
However, as in the case of 24/7 service providers, if the entity in the U.S. gets access to the data at a certain point every day (from a technical or technological perspective), so that the U.S. entity would only need to wait a specified period of time before it had access to the data if the government showed up and demanded access, presumably there is a greater risk that the data could be accessible under the act.
General recommendations
Corporations that operate in multiple jurisdictions, when considering entering into service agreements with global electronic communication services or remote computing service providers, would be well advised to conduct due diligence about the organizational setup of those service providers.
A principal line of inquiry should be whether the U.S.-based parent or affiliate may have “possession, custody or control” of such data held by the non-U.S. affiliates. For such scenarios, the service recipient might seek to modify the service provider agreements to limit U.S. access to the data held in non-U.S. jurisdictions, including in the European Union. As part of such risk mitigation, agreements with U.S. service providers should be evaluated to determine whether data held outside of the U.S. by non-U.S. entities is accessible via keyboards in the U.S. Language should be added to such service provider agreements to make clear that non-U.S. data is “siloed” (physically and logically segregated) at non-U.S. data storage locations and cannot be accessed from the U.S. Further, unless such notification is prohibited by law, prospective service recipients that envisage entering into service agreements with these types of service providers should seek to use contractual language committing the U.S. service provider to notify them, as service recipients, of having received a legally binding request under the CLOUD Act.
In instances when critical data, including proprietary, confidential information or personal data of individuals, is stored in the cloud, state-of-the-art security, including encryption at rest and encryption in transit, should be utilized. In all cases, encryption key management must be under the full control of the service recipient (the controller of such data being stored in the cloud) and must not be accessible by the U.S. cloud service provider without permission of the controller of such data.