As the world awaits the implementation of GDPR, this article takes a look at the US position on extra-jurisdiction data access by the US government.

Analysts

On 23 March 2018, the Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) amended the Stored Communications Act (“SCA”) and was signed into law by President Trump as a part of the 2018 omnibus spending bill. Most significantly, the Cloud Act permits the United States to force technology/communications companies located within its borders to provide information to investigators that is stored on servers outside of its borders.

The enactment of the CLOUD Act clarifies previous uncertainties over the extraterritorial reach of the SCA. The CLOUD Act specifically provides that “A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.” “Electronic communication service” means any service which provides the ability to send or receive, wire or electronic communications to its users, and “remote computing service” means the provision of computer storage or processing services to the public by means of an electronic communications system.

The Act anticipates that there may be instances where compliance will lead to the contravention of data protection laws and regulations of other countries. For example, under Article 48 of the EU General Data Protection Regulation (GDPR), which will be implemented on 25 May 2018, court orders or administrative decisions of a foreign country requiring data disclosure will only be recognized as enforceable if they are based on an international agreement, such as a mutual legal assistance treaty. Therefore, a warrant issued by the US authorities based solely on the CLOUD Act may be subject to challenge and not recognized.

Importantly, the CLOUD Act addresses the possibility of restrictions on the enforcement of data collection through two provisions which form a streamlined framework through which conflicts of law may be resolved. The first is by reaching executive agreements with qualifying foreign governments. A qualifying foreign government is one with laws in force with privacy protection standards like those found in the CLOUD Act.

The second is that a service provider may file a motion to modify or quash the legal process issued against it where the provider believes that (i) the customer or subscriber is not a US person and does not reside in the US; and (ii) the required disclosure would create a material risk of violating the laws of that other country.

Importantly, those subject to the reach of the Cloud Act may file a motion to quash the enforcement of a warrant or subpoena. The court will modify or quash only if it is satisfied that (i) the disclosure would cause the provider to violate the laws of a qualifying foreign government; (ii) based on the totality of the circumstances, the interests of justice dictate that the legal process should be modified or quashed; and (iii) the customer or subscriber is not a US person and does not reside in the US. The court is also required to perform a limited comity review where the interests of all parties are reviewed before a determination is made.

US government agencies and law enforcement authorities can now obtain customer data from electronic communication service and remote computing service providers in the US, whether the data is stored outside or inside the US. This poses challenges to data holders with a presence in the US and elsewhere as they navigate the new law especially as additional data protection and privacy laws are instituted in other countries.