On April 10, 2019 the U.S. Department of Justice announced the public release of a white paper on the Clarifying Lawful Overseas Use of Data Act (CLOUD Act). Enacted in March 2018, the Act updates the legal framework for how law enforcement authorities may request electronic evidence required to protect public safety from service providers while respecting privacy and foreign sovereignty.
Deputy Attorney General Rod Rosenstein promises the DOJ will be proactive in working, both in the U.S. and abroad, to promote greater understanding and appreciation of what the CLOUD Act does.
The CLOUD Act has two distinct parts. First, the Act authorizes the U.S. to enter into bilateral agreements to facilitate the ability of trusted foreign partners to obtain the electronic evidence they required to fight serious crime. To qualify under the Act, a partner country must adhere to baseline rule-of-law, privacy, and civil liberties protections. Through bilateral agreements, each country would agree to lower the legal barriers that prevent their communication service providers from complying with qualifying lawful orders for electronic data issued by the other country. By lowering legal barriers, each country could serve its legal process, such as search warrants, directly on the providers of the other country, significantly increasing the speed and efficiency compared with existing methods of transferring electronic evidence.
Second, the CLOUD Act sets forth in U.S. law the principle – longstanding in both the U.S. and in many foreign countries, that a company subject to U.S. jurisdiction can be required to produce data within its custody and control, regardless of where it chooses to store that data at any point in time. This was a key issue in United States v. Microsoft Corporation, No. 17-2, a case argued before the Supreme Court on February 27, 2018 This provision simply codified what had been the law and practice prior to the 2016 Microsoft decision by a court of appeals, and ensured that the U.S. continued to be in compliance with its obligations under the Budapest Cybercrime Convention, which requires all member states to have the power to compel providers in their territory to disclose electronic data in their control, no matter where stored. The CLOUD Act provision did not change whether or not a provider is subject to U.S> jurisdiction, nor did it provide U.S. law enforcement any new authority to acquire data.
The Act formalizes the process for companies to challenge a law enforcement request. The Act imposes certain limits and restrictions on law enforcement requests to address privacy and civil liberty concerns.
The DOJ compiled the white paper with the input of components cross the DOJ, including attorneys from the Criminal Division and the National Security Division. The white paper discusses the interests and concerns that prompted the enactment of the CLOUD Act and provides a distillation of the effect, scope, and implications of the Act, as well as answers to frequently asked questions.
On April 5, 2019, Deputy Assistant Attorney General Richard W. Downing delivered remarks at the Academy of European Law Conference on “Prospects for Transatlantic Cooperation on the Transfer of Electronic Evidence to Promote Public Safety” in London, United Kingdom He said at the start of his remarks that, since it was enacted last March 2018, the CLOUD Act has, unfortunately, been the subject of many misconceptions, and is viewed by some with suspicion. That may not be surprising, given the complexity and technicality of some of the issues involved. Downing continued that “one particularly inaccurate statement about the Act being made in some circles is that it is a U.S.-centric law designed solely to serve U.S. interests and U.S. needs. “ Downing said that in fact the impetus for the CLOUD Act came from our foreign law enforcement partners, who expressed a need for increased speed in obtaining evidence held by U.S. providers – evidence which is normally obtained through the Mutual Legal Assistance Treaty – or “MLA” – process.
The current issue of the IELR will have additional discussion of the white paper on the CLOUD Act and its implications.