Readers brave enough to get to page 2201 the United States’ latest omnibus spending bill will find the newly enacted Clarifying Lawful Overseas Use of Data Act. This blog post first explains how the CLOUD Act resolves the Supreme Court case between Microsoft and the U.S. Department of Justice regarding U.S. access to emails stored abroad. It then provides a brief explanation of the origins of the new system of executive agreements included in the Act, before describing how these executive agreements would work in practice. Each of these agreements is subject to a substantial list of privacy and human rights requirements, as explained below.
Mooting the Microsoft-Ireland case
Importantly, the law moots the now-pending Microsoft Ireland case in the U.S. Supreme Court. Dating back to December 2013, the case involves a dispute between Microsoft and the United States government regarding the reach of the Stored Communications Act. The United States has long argued that its warrant authority requires US-based service providers to turn over responsive data, regardless of where the underlying ones and zeroes happen to be held. Microsoft, by contrast, argued that this authority only extended to data located within the territorial boundaries of the United States. If — as was the case in the particular dispute before the Supreme Court — the data is stored in a foreign country, Microsoft’s view was that the United States could not compel production via a US-issued warrant. Rather, it would be required to make a Mutual Legal Assistance Treaty request for the data and rely on the foreign government to access the data and turn it over back to the United States.
Microsoft won in the Second Circuit. But even Microsoft’s chief counsel, Brad Smith, has acknowledged that this was not a particularly ideal state of affairs and urged Congress to update the statute so as to better reflect the key equities at stake and respond to the realities of a modern digital age.
The CLOUD Act provides the kind of update that has long been urged. Supported by the government and tech companies alike, it provides that the SCA’s warrant authority presumptively requires the government to disclose data in its custody and control, regardless of its location. The Act also includes two provisions governing “comity” – the legal test that a court uses when considering the interests of more than one country. It creates a new statutory basis for providers to move to quash based on comity grounds. This new statutory provision applies in limited situations, where the United States seeks the data of a foreigner located outside the United States and the request generates a conflict with the law of a “qualifying” foreign governments. (Qualifying foreign governments are those with an executive agreement with the United States as discussed below.) The law also explicitly preserves the availability of common law comity claims in those situations where the new statutory-based comity claims are not available. One important area to watch is how courts carry out these comity reviews, if and when they arise.
The origins of the executive agreement approach
Section 105 of the CLOUD Act creates a new legal regime based on “executive agreements” between the United States and qualifying foreign nations. To explain the new system, we provide context for the goals of the leading stakeholders, including law enforcement, service providers, and advocates for privacy and civil rights.
As we have written elsewhere, law enforcement faces the globalization of criminal data. In the course of a lawful investigation, they often seek content of communications, increasingly kept in the cloud, often in a different country. In the old days, for a murder or other serious crime in Paris, the police could find the evidence in Paris. Today, by contrast, web mails, social network posts, and other content are often held across international borders, in the majority of cases in the hands of U.S.-based service providers. But provisions of the Electronic Communications Privacy Act prohibit US-based companies from turning over communications content to foreign governments, even when those foreign governments are seeking data on their own citizens in connection with local crime. This means that the only way French law enforcement can get this evidence is to make a diplomatic request for the data to the United States, employing the time-consuming MLAT process.
Governments and online service providers have long sought reforms and workarounds to address this system. Foreign governments have been increasingly frustrated by the difficulties that they have faced in accessing evidence that used to be domestically located. Service providers increasingly also found themselves caught between two irreconcilable legal obligations — being required to produce content under the laws of foreign governments while being prohibited from producing it under U.S. law. Over time, foreign governments have increasingly threatened to put company employees in jail, or exact other stiff penalties, when U.S.-based companies did not produce the requested content, which could not be lawfully produced under U.S. law.
Many supporters of privacy and human rights have, conversely, resisted changes to the existing MLAT system. When governments are forced to make a diplomatic request to the United States for communications content, those content requests from governments are judged in the U.S. under the relatively strict standard of probable cause of a crime, approved by an independent magistrate. As we have written previously, however, there is serious doubt that continued insistence on the MLAT process as the exclusive means for foreign governments to access U.S.-held data would continue to have that effect. Faced by an exponentially rising number of investigations seeking content of communications, other nations have been incentivized to expand data localization. Once data localization mandates are in place, the relatively strict U.S. legal protections no longer apply; rather, foreign governments can access evidence under their local law, and the United States has no say as to the standards or procedures applied.
Faced with this complex challenge, there have been extensive discussions in recent years about creating a new structure for cross-border access to data. For a number of reasons, including the difficulty of achieving broad-based international consensus as to the rules that would apply, a broad-based international treaty was not a viable approach. One of us (Swire) proposed in early 2015 a different approach, pursuant to which a U.S. statute could create a system for other countries to qualify for access to content, if strict privacy criteria were met. Later that year, we co-chaired a series of stakeholder meetings on these issues, along with Jim Dempsey, Greg Nojeim, and Andrew Woods. Based on those meetings, Professor Woods and one of us (Daskal) posted a reform proposal in November, 2015 that adopted an analogous approach. The stakeholder meetings, comprised of civil society, academics, and companies, with frequent discussions as well with government officials, continued well into the next year, and much of the legislative language ultimately in the CLOUD Act reflects approaches and language similar to that discussed in those meetings. International meetings on the topic were also convened by the French Internet and Jurisdiction Project.
At the same time, the United States and United Kingdom governments were simultaneously working out a mechanism by which U.K. officials might be able to compel production of U.S.-held data in the investigation of serious crime involving investigative targets located outside the United States. In 2016, the press reported that such an agreement between the U.S. and United Kingdom had been reached. The agreement, however, could not be implemented absent a statutory change to the blocking provision of ECPA.
Meanwhile, as the Microsoft Ireland case continued, both the Department of Justice and the service providers, including Microsoft, had a time-limited incentive to reach a legislative solution before the Supreme Court announced its decision.
The CLOUD Act, introduced on a bipartisan basis, and supported by the U.S. government and a coalition of online service providers, provided the statutory change that authorizes the UK agreement – and other future analogous agreements – to be implemented, pursuant to the numerous privacy protections included in the Act. It also answers the question posed by the Mircosoft Ireland case, taking the issue out of the courts, as many commentators and multiple Justices themselves had urged.
After the CLOUD Act was announced, a coalition of privacy and civil society groups announced their opposition to the proposal. This March, the two of us wrote two articles in Lawfare, explaining the reasons that we believe overall that the law is good for privacy and civil liberties, as we explain further below. As passage neared for the omnibus spending bill, rumors swirled about whether the CLOUD Act would be included. Eventually, after a number of pro-privacy amendments in the final hours, the new executive agreement structure in Section 105 was passed into law.
The new system of executive agreements
Section 105 of the CLOUD Act provides a mechanism for the United States to enter an executive agreement with a foreign government that meets each of a list of privacy and human rights requirements. First, foreign governments are only eligible if the Attorney General, in conjunction with the Secretary of State, certifies in writing, and with an accompanying explanation, that the foreign government “affords robust substantive and procedural protections for privacy and civil liberties” with respect to relevant data collection activities. Partner foreign governments are required to have adopted appropriate minimization procedures with respect to the acquisition, retention, and dissemination of U.S. person data. The statute also includes the safeguard that the agreements may not be relied upon to create a decryption mandate. Any such executive agreements entered into pursuant to this provision are subject to review and disapproval by Congress.
Each request made under the agreement must also satisfy a long list of requirements, including the following:
- Prohibition on the targeting of U.S. citizen and resident data. For such data, foreign governments would still need to go through the MLAT system and obtain a warrant based on probable cause. This important provision reflects the common-sense notion that U.S. standards should continue to protect U.S. citizens and residents, whereas the U.S. has much less justification to insist on U.S. standards when a foreign government is seeking the data of its own nationals, simply because the data is stored in the U.S. or is held by a U.S.-based provider.
- Prohibition on the indirect targeting of U.S. citizen data and prohibition on the foreign government from sharing that data back with the United States unless it relates to significant harm or the threat of such harm to the United States or United States persons.
- Requirement that requests be particularized – targeting a specific person, account, address, personal device or other identifier.
- Requirement that requests be based on “articulable and credible facts” — a standard that is similar to the probable cause standard, albeit stated in terms more readily understandable to non-U.S. law enforcement.
- Requirement that requests be subject to review or oversight by a court, judge, or magistrate or other independent authority.
- Requirement that any live intercept orders meet criteria — for a “fixed, limited duration” and “not last any longer than is reasonably necessary to accomplish the approved purposes” and be issued “only if the same information could not reasonably be obtained by another less intrusive measures.” These limitations track, although are not identical to, key protections in the Wiretap Act.
- Prohibition on the use of data to infringe on freedom of speech, as well as requiring countries to meet human rights standard, such as a prohibition on torture.
- Requirement that the foreign government agree to compliance reviews – a remarkable and novel development that, for the first time, would enable the United States to track how data obtained by foreign governments is used and thereby protect against abuse.
Conclusion
The CLOUD Act adjusts a complex and important area of law – what rules should apply when one government seeks criminal evidence, but privacy and sovereignty interests of another country are also involved.
The most immediate effect of the Act is to moot the Microsoft Ireland case that has been argued in the Supreme Court. Going forward, the new provisions concerning executive agreements will become increasingly important. Likely, the already-negotiated agreement with the United Kingdom will be first up. On deck may be discussions with the European Union and its member states. With appropriate safeguards, there may also be ways to protect privacy while entering into agreements that authorize specialized offices in countries such as India and Brazil.
As these executive agreements move forward, all interested parties will have the opportunity to examine the proposed agreements, and offer their views about whether the Act’s privacy and human rights requirements are satisfied by that agreement. The executive agreements also provide a new mechanism for the United States to assess a foreign government’s demands for data and to ensure that the privacy protections demanded by the Act are in fact being complied with. Passage of the CLOUD Act, therefore, sets the stage for ongoing public debates about privacy and human rights standards for government access to data. It provides an opportunity to promote improvements in privacy and human rights practices with partner nations around the globe.