A few months ago, I was on yet another panel with yet another foreign academic who described the Clarifying Lawful Overseas Use of Data Act (Cloud Act) as an aggressive overreach by the US – what he called “expansive sovereignty”.
I hadn’t heard that particular term before. But I have heard the same basic epithet from numerous foreign governmental officials, many of whom worry that the US will use the Cloud Act to scoop up foreigners’ data.
The world, understandably, has questions about the Cloud Act. The problem is, the rhetoric does not match the reality.
In contrast to the oft-heard assertions, the Cloud Act is a narrowly tailored act of limited application. It specifies that US law enforcement officials can, in connection with a criminal investigation and according to detailed and specific standards and procedures, request emails and other data held by those companies subject to US jurisdiction.
The obligation to produce the sought-after data applies regardless of where the underlying 0s and 1s are stored.
Importantly, the Cloud Act is not an intelligence gathering tool. It is not an economic espionage tool. Law enforcement officials can only demand access to the data if it supports a criminal investigation over which the US has jurisdiction to prosecute.
In order to get access to the data, law enforcement must meet specified standards and follow specified procedures. These standards and procedures apply across the board, whether the US is seeking the data of an American citizen, resident or foreigner.
For content, law enforcement needs a warrant issued by an independent judge based on a finding of probable cause. This is a relatively high bar for law enforcement to meet. In fact, it is a more robust and more privacy-protective standard than applies in just about any other country in the world.
Moreover, the reach is limited. US law enforcement cannot issue demands for emails and other communications content from foreign companies that operate wholly outside the US.
That would be an extraterritorial assertion of authority and US law does not provide any mechanism for issuing warrants extraterritorially.
Contrast that with the draft EU E-evidence Directive, which requires any company that offers any services to EU residents to install an EU-based representative, thereby ensuring EU jurisdiction over otherwise extraterritorially-located companies.
There is no equivalent requirement in US law.
Contrary to the rhetoric, the Cloud Act also adopts new provisions specifically designed to take into account foreign sovereign interests. It explicitly provides for a new statutory motion to quash based on a conflict with foreign law, if certain conditions are met.
It also expressly preserves the right of service providers to raise court challenges based on conflicting foreign law, even in situations where the statutory motion to quash is not available. This helps ensure that foreign government interests are taken into account.
We have not seen any such challenges litigated to date, in part because the conflicts have, at least until now, been more theoretical than real.
Consider the run-of-the-mill US investigation of an American citizen with respect to a local murder or fraud investigation. Imagine that the US law enforcement officials served a warrant on Google or Facebook for relevant data, but, for whatever reason, the data is stored outside the US. Few, if any, foreign governments would claim a sovereignty invasion if the companies turned over that data.
Notably, despite the claims of some, Ireland never asserted a sovereignty violation in the long-standing litigation over whether US law enforcement officials could compel Microsoft to disclose emails held on a server in Dublin.
In court filings, Ireland emphasised that it would, in response to a diplomatic request, work with US government officials to access the data. But it never claimed that the US was required to make such a request. Or that the alternative approach taken violated its sovereignty.
That said, there are times when a conflict would arise – if, say, the US is compelling the production of foreigners’ data protected by foreign law. Here, there is a legitimate foreign government interest at stake, that of protecting one’s own citizens and residents.
If and when such a conflict arises, providers can and should bring a motion to quash, as the Cloud Act clearly allows. (US officials also should take steps to avoid such conflicts.)
This kind of approach makes sense. What matters is the protection of one’s citizens and residents, not the location of bits and bytes that happen to flow through one’s borders.
Meanwhile, the second part of the Cloud Act was, as many seem to forget, enacted at the behest of foreign governments, particularly the UK. Specifically, it was adopted in response to foreign governments’ frustrations about the difficulties in accessing their own nationals’ and residents’ communication content from US-based providers.
It puts in place a mechanism by which foreign governments can, subject to numerous safeguards and pre-conditions, request certain communications content from US-based service providers. This enables foreign governments to access certain data more expeditiously, without having to go through the laborious mutual legal assistance process to do so.
Of particular concern, the Cloud Act scapegoat is being pointed to by countries around the world to set limits on the transfer of data outside one’s borders. The ironic result – the US, through the Cloud Act, has taken steps to reduce restrictions on data transfers at the same time that other countries are pointing to the same act in support of their own data localisation mandates.
The Cloud Act is not perfect, but it is not the evil or expansive assertion of US snooping power that some claim it to be. To the contrary, it is a modest criminal law provision that largely codifies the status quo and adopts new provisions explicitly designed to accommodate foreign interest in US-held data.
Jennifer Daskal is a professor at the American University Washington College of Law