In April 2019, the US Department of Justice released a white paper and FAQ on the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which was enacted in March 2018 and creates a new framework for government access to data held by technology companies worldwide. The paper, titled “Promoting Public Safety, Privacy, and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act”, addresses the scope and purpose of the CLOUD Act and responds to 29 frequently asked questions about the Act.
Part I of the CLOUD Act provides that orders issued pursuant to the Electronic Communications Privacy Act (ECPA) to certain technology providers can reach data within those providers’ possession, custody, or control, regardless of where that data is stored. Part II of the CLOUD Act creates a framework for new bilateral agreements with foreign governments for cross-border data requests. The DOJ White Paper and FAQ focus in large part on the framework for new agreements created under Part II of the CLOUD Act. Where entered, these new bilateral agreements can be used to remove restrictions under each country’s laws so that technology companies may comply with qualifying, lawful orders issued by the other country.
In the new white paper, DOJ describes the CLOUD Act as “represent[ing] a new paradigm: an efficient, privacy and civil liberties-protective approach to ensure effective access to electronic data that lies beyond a requesting country’s reach due to the revolution in electronic communications, recent innovations in the way global technology companies configure their systems, and the legacy of 20th century legal frameworks.”
As the DOJ paper explains, technology companies often store data worldwide, and the data can accordingly be subject to multiple conflicting laws. For example, conflicting legal obligations may arise when a technology company receives an order from one government requiring the disclosure of data, but another government restricts disclosure of the same data. The DOJ white paper recognizes that “[i]f national laws conflict, [technology companies] may be forced to choose which country’s laws to follow, knowing that they may face consequences for violating another country’s laws.” Those conflicts, the DOJ white paper states, also “pose serious problems for governments seeking data and can frustrate important investigations.”
The DOJ white paper explains how new bilateral agreements negotiated under the CLOUD Act’s framework can reduce such conflicts of laws. Any such agreements would “lift any restrictions under U.S. law on companies disclosing electronic data directly to foreign authorities for covered orders in investigations of serious crime.” In doing so, the agreements “would permit U.S.-based global [technology companies] to respond directly to foreign legal process in many circumstances.” The DOJ paper also makes clear that CLOUD Act agreements are to supplement, rather than replace, existing Mutual Legal Assistance Treaties (or “MLATs”). However, by creating a streamlined mechanism for authorities to request evidence in another country, they may have the effect of reducing the number of demands made under MLATs.
The FAQs accompanying the DOJ white paper also address a number of common questions about the CLOUD Act, including about the extraterritorial reach of US warrants codified in Part I of the CLOUD Act. For example, the FAQ responses note that the CLOUD Act did not give US courts expanded jurisdiction over companies. Rather, DOJ explains that Part I of the CLOUD Act requires companies already subject to jurisdiction in the US to provide data in response to US legal process, regardless of where the data is stored. In addition, the DOJ white paper notes that if a US order conflicts with foreign law, “U.S. courts can be expected to apply long-standing U.S. and international principles regarding conflicts of law to ensure appropriate respect for international comity by applying a multi-factor balancing test, taking into account the interests of both the United States and the foreign country.”