The Justice Department has announced the public release of a white paper on the Clarifying Lawful Overseas Use of Data Act, known as the CLOUD Act. The CLOUD Act was enacted in March 2018 and updates the legal framework for how law enforcement authorities may request electronic evidence needed to protect public safety from service providers while respecting privacy interests and foreign sovereignty.
The CLOUD Act addresses a situation that has become unsustainable. In the Internet age, data location is often not a good basis upon which to ground requests to produce electronic data. In fact, some of the largest global companies now operate networks of storage centers in multiple countries, with the data in near-constant transit, moving between servers and across borders automatically.
In this technological environment, it can be impossible for investigating governments to submit multiple Mutual Legal Assistance Treaties or MLATs requests to multiple foreign governments to obtain electronic data scattered in multiple countries, especially when the governments do not know where the data is stored and when the data may well have been moved to another location by the time the requests are reviewed.
Speaking on April 5, Deputy Assistant Attorney General Richard W. Downing gave an example of why the CLOUD Act was enacted:
“Consider, for example, a case where a homicide is committed in London. U.K. officers begin an investigation. They collect evidence at the scene of the crime. They interview witnesses. They identify a suspect. Maybe they even search his house and seize his phone. But if they want to get the communications between his social media account and those of the victim, and if those communications are held by a provider in the United States—as is often the case—U.K. investigators will have to issue a formal mutual legal assistance request to the U.S. government, and may then wait months, or even longer, for a response, while the request makes its way through the American legal system. “
Addressing the Academy of European Law Conference, Downing said the CLOUD Act should be embraced as a model for international cooperation.
“Often, the global technology companies that hold key evidence are subject to more than one country’s laws. One country may order them to disclose data vital to an investigation, but another country’s laws may restrict disclosure of that same data. These potential legal conflicts present significant challenges to governments’ ability to acquire electronic evidence that may be vital to criminal investigations in a timely, efficient manner. Sometimes, it is U.S. law that frustrates our international partners.”
Downing alluded to criticisms of the CLOUD Act, particularly statements being made in some circles that the Act is a U.S.-centric law designed solely to serve U.S. interests.
“The truth is that the impetus for the CLOUD Act came from our foreign law enforcement partners, who expressed a need for increased speed in obtaining evidence held by U.S. providers,” said the Deputy Assistant Attorney General.
The Justice Department’s white paper was released just after the U.K. government published its own white paper on online harms, pledging to hold social media companies and tech forms legally responsible if they fail to protect their users.
The Justice Department’s white paper says the current situation undermines foreign partners’ efforts to protect the safety of their citizens, just as it undermines U.S. efforts to protect Americans. It calls on nations to ensure that law enforcement officials have reasonable legal authorities to compel production of electronic data that a communications service provider controls but that may be located in other countries. At the same time, nations also have legitimate interests in protecting data from other governments that do not adhere to appropriate legal standards or abuse their authority for illicit purposes. The challenge is to ensure that government powers to compel production of electronic data are exercised and overseen in a way that respects the rule of law, protects privacy and human rights, and appropriately reduces conflicts between the laws of the countries concerned. Failing to address this situation would increase incentives for data localization across the world, which would harm both global commerce and public safety.
“Our collective safety and security depends on our ability to maintain lawful and efficient access to electronic evidence, and the CLOUD Act offers a sorely-needed solution to that challenge,” said Deputy Attorney General Rod Rosenstein. “As today’s white paper makes clear, the Department will be proactive in working, both in the United States and abroad, to promote greater understanding and appreciation of what the CLOUD Act accomplishes. We look forward to working with our trusted foreign law enforcement partners on CLOUD agreements that will make all our citizens safer.”
The CLOUD Act has two distinct parts. First, the Act authorizes the United States to enter into bilateral agreements to facilitate the ability of trusted foreign partners to get the electronic evidence they need to combat serious crimes. In order to qualify under the Act, a partner country must adhere to baseline rule-of-law, privacy, and civil liberties protections. Through bilateral agreements, each country would agree to lower the legal barriers that prevent their communication service providers from complying with qualifying lawful orders for electronic data issued by the other country. By dropping legal barriers, each country could serve its legal process – like search warrants – directly on the providers of the other country, dramatically increasing speed and efficiency compared with existing methods of transferring electronic evidence.
Second, the CLOUD Act makes explicit in U.S. law the established principle – longstanding in both the United States and in many foreign countries – that a company subject to our jurisdiction can be required to produce data within its custody and control, regardless of where it chooses to store that data at any point in time. This provision simply codified what had been the law and practice prior to the 2016 Microsoft decision by a court of appeals, and ensured that the United States continued to be in compliance with its obligations under the Budapest Cybercrime Convention, which requires all member states to have the power to compel providers in their territory to disclose electronic data in their control, no matter where stored. The CLOUD Act provision did not alter whether or not a provider is subject to U.S. jurisdiction, nor did it give U.S. law enforcement any new authority to acquire data.
The white paper released on April 10, Promoting Public Safety, Privacy, and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act, was compiled with the input of components across the Justice Department, including attorneys from the Criminal Division and the National Security Division. The white paper describes the interests and concerns that prompted the enactment of the CLOUD Act and provides a concise point-by-point distillation of the effect, scope, and implications of the Act, as well as answers to frequently asked questions.