Welcome to the first of our three part series looking at the changes introduced by the new Clarifying Lawful Overseas Use of Data (CLOUD) Act and its impacts in the fields of privacy, data and the extraterritoriality of law.

Our posts will discuss the Act in the following parts:

1. Part one: What is the CLOUD Act and why was it created;
2. Part two: Key features of the CLOUD Act; and
3. Part three: Reactions to the CLOUD Act and concluding thoughts.

What is the CLOUD Act?

Legislators worldwide are playing catch-up to address legislative obsolescence brought about by relentless change in the technological landscape, particularly over the last few years as contracting out services to the “cloud” has become almost ubiquitous.

In Washington D.C a bipartisan band of Senators and Representatives has sought to address issues for law enforcement agencies arising out of technology change by steering the Clarifying Lawful Overseas Use of Data (CLOUD) Act into law. The Act was signed by President Trump on 24 March 2018.

Let’s take a look at how we got here.

Context of the Act

Two catalytic and related developments paved the way for the CLOUD Bill to be introduced into the US House and Senate on 5 February.[1]

These were: problems with the outdated Stored Communications Act (SCA);[2] and the Microsoft Ireland cases. Both of these matters (one a spark, the other an accelerant) necessitated change on the legislative landscape.

The Spark: The Outdated SCA

The SCA is a legislative framework for the voluntary or compulsory disclosure of ‘stored wire and electronic communications and transactional records’. It has been a useful instrument for American law enforcement agencies (most notably the Department of Justice) for the issuing of warrants in connection with the prosecution of alleged criminals since it was enacted on 21 October 1986. However the framers of the SCA did not (and let’s be realistic, could not) foresee technological advancements such as the internet and more recently, cloud computing technology.

It was drafted with ‘electronic communication and transaction records’ in mind, in a form easily traceable to a tangible source, such as a CD-ROM or computer hard drive located on a suspect’s premises (or some other easily identifiable physical location controlled by or associated with the suspect).

Prior to changes introduced by the Act, the SCA had become outdated in the contemporary context of cloud computing because of the growing tendency for data (such as emails) to be stored not on a server controlled by the originator, but on a server controlled or owned by a third party “cloud” service provider which could be in any geographic location.

As a result, the SCA had increasingly been found wanting as it didn’t specify whether:

(a) the US Government could compel US-based service providers[1] to produce content (for example as part of a serious crime investigation) stored on severs located abroad;
(b) US providers would be infringing local laws of the place where their servers are located if they complied with US Government requests to provide content held on servers in that place; or
(c) American technology companies would be non-compliant with foreign government requests if they refused to release user content held in the US.

The accelerant: The Microsoft Ireland cases

On 27 February 2018, oral arguments commenced in the US Supreme Court in the battle of the juggernauts: United States v. Microsoft and Microsoft v. Ireland (on appeal) (Microsoft Ireland). Arguments considered, among other things, the extraterritorial reach of the SCA.

The litigation concerned a warrant issued by the US Department of Justice requiring Microsoft to divulge certain information, including the contents of an email account associated with an alleged drug trafficker.

Microsoft provided relevant data held by it in the US but refused to provide data held on a server located in Ireland. Microsoft argued that the SCA did not have extraterritorial reach and furthermore, that if it complied with the Department’s warrant, it would be in breach of local Irish laws.

In Microsoft’s view the SCA, therefore, did not require it to hand over data held on its Irish servers as part of a criminal investigation.

In her concurring judgment in the proceeding, Circuit Judge Carney said:

“We [the Court] recognise… that in many ways the SCA has been left behind by technology…[and] we can expect that a statute designed afresh to address today’s data realities would take an approach different from the SCA’s, and would be cognisant of the mobility of data and the varying privacy regimes of concerned sovereigns, as well as the potentially conflicting obligations placed on global service providers like Microsoft”.