My colleague Anna Gressel and I have written an article, published in the current ABA Litigation Journal, which attempts to make sense out of the CLOUD Act adopted by the US Congress last year. You will find it here. (For French-speakers, a copy in that language is here).
The Act addresses an intriguing and difficult issue: how should national criminal and privacy laws deal with so-called “deterritorialized” data? Traditionally, laws protecting privacy have been local: there is an intuitive connection between the place where I am or store things and the laws that protect me and my information. So to arrest me, or get access to my home or papers, the local police must turn to local procedures that restrain their conduct. But today, the physical location of data is often meaningless: sensitive, important information that I easily access and handle in my home or office may be stored in a distant country, or may have no identifiable location at all — some service providers automatically divide even simple emails into “shards” that are constantly redistributed among servers in different countries to achieve efficiency. So if my most precious personal and financial information is stored someplace “in the cloud,” what country’s laws protect it?
The Supreme Court was faced with this question in March 2018 in a case where Microsoft was ordered to turn over emails to which it could easily gain access in the US, but which were physically stored on a server in Ireland because the account holder was from there. The core question was whether Ireland had an interest in regulating police access to data stored on its territory, or whether US investigative authorities could simply go ahead and get an order for their production in the US without even informing Ireland. On this the parties and scores of amici curiae were starkly divided. Before the question could be decided, however, Congress passed the CLOUD Act, which mooted the pending case. The Act’s core provision is that if a service provider in the United States is appropriately ordered to turn over information to which it has access, it must do so no matter where the information is stored – unless it can show that the data involved is stored in a friendly country whose privacy laws would thereby be violated. The CLOUD Act‘s substitution of access location for storage location, coupled with international coordination, is certainly an innovative, and probably a positive, step forward. The key may be whether other countries ultimately pursue the invitation to work with US lawmakers and investigators, or come up with an alternative, so that an appropriate and internationally acceptable balance can be found.
I would be especially interested in thoughts any of you may have about whether this approach is likely to gain support in your own communities.
Fred Davis is Of Counsel in the New York and Paris offices of Debevoise & Plimpton LLP, and a member of the New York and Paris Bars. He is also a Lecturer in Law at Columbia Law School where he teaches courses on comparative criminal procedures and cross-border criminal investigations. His book American Criminal Justice: An Introduction will be published soon by the Cambridge University Press.