Five Cloud Act limits on order types to be accepted.
The Clarifying Lawful Overseas Use of Data ("CLOUD") Act of 2018 was enacted to enable U.S. law-enforcement agencies to obtain data located in other countries. It was written after the U.S. government was unable to get access to records kept in Microsoft's cloud located in Ireland. Small business owners and IT executives need to understand the implications of this law so that this legislation is taken into advisement as they make decisions as to where to store data.
The CLOUD Act, which was enacted into law on March 23, 2018, establishes processes and procedures for law enforcement requests under the U.S. federal government's Stored Communications Act (SCA) on how certain data located in other countries may be accessed.
The Act was written because Microsoft challenged a warrant by the federal government to hand over the email of a target account that was stored in Ireland. Microsoft argued that a warrant issued under Section 2703 of the Stored Communications Act could not compel American companies to produce data stored in servers outside the United States. The CLOUD Act is designed to close that loophole.
However, the Act imposes limits and restrictions on requests in order to protect individuals' privacy and civil liberty concerns, and it formalizes the process for challenging law enforcement requests. Additionally, the Act also allows foreign governments to enter into new bilateral agreements with the United States so that they can make law enforcement requests directly to U.S. cloud service providers (CSPs), rather than going through the lengthy process of asking the U.S. government under a mutual legal assistance treaty.
Implications for a CSP
The SCA, and hence the CLOUD Act, applies only to providers of "electronic communications services" and "remote computing services." Hence, any CSP offering cloud computing or storage services, email, or messaging services is impacted – i.e., in other words, virtually every CSP.
Note that the two acts regulate access to the content of electronic communications, cloud-stored documents, and related non-content data such as transmission records and user-account information. Other types of personal or business data are not covered under these laws.
The CLOUD Act, however, has its limitations. If a customer or subscriber of the CSP is not a U.S. person and does not reside in the U.S., the request for access would likely be denied. This would especially be true if the provider could claim disclosure would create a material risk that the CSP would be violating the laws of a foreign government (for example, the EU's GDPR regulations).
From a privacy standpoint the Act makes clear that companies subject to a surveillance order cannot be mandated to decrypt data stored on its systems.
The Act limits the type of orders that will be accepted to these five:
- Are for the purpose of obtaining information related to serious crime, including terrorism
- Specifically identify a specific person, account, address, or personal device
- Is not open ended but limited in time and scope.
- Is justified by "articulable and credible facts."
- Is "subject to review or oversight by a court" or "other independent authority," among other requirements.
Conversely, foreign government orders cannot target U.S. citizen and resident data. Those types of requests must still go through the mutual legal assistance treaty process, which requires consultation with U.S. authorities.
Moreover, requests for data not located in a country with which the U.S. does not have an executive agreement can be challenged by the CSP under "common-law comity analysis." In those cases the courts will examine the various factors such as alternative means of accessing the data, degree of specificity, importance of information, origination of the data, and government interests to see if access should be given.
It should be noted that the cloud provider is not required to inform its customer company or individual that the data has been requested. In fact it may be prohibited, as an investigation may require that the person not be tipped off that he is being investigated.
Data belonging to non-U.S. citizens, companies, nationals are not included in this Act and are protected. For companies outside of the U.S. that use U.S.-based CSPs and have their data stored in the U.S., the U.S. authorities can only try to get access to your U.S. users’ or clients’ data.
However, if your Latin American company has a U.S. office, data related to its US-based staff is also accessible. The U.S. government does not get access to data that belongs to non-U.S. citizens/naturals or companies even though the data is stored stateside. However, if the government suspects the firm is involved in illegal activities, it will attempt to gain access through use of other regulations.
While the CLOUD Act makes it easier for the U.S. governmental agencies to gain access to data, its reach is still limited. Small business owners and IT executives need to understand the scope of the U.S.' reach and determine how and if it impacts their business and act accordingly. For some it will be a clear tradeoff between the risk of data access by a foreign government and the potential performance impacts caused by selecting a data storage site that is housed outside of the U.S.
About the author
Mr. Braunstein serves as Chairman/CEO and Executive Director of Research at the Robert Frances Group (RFG). In addition to his corporate role, he helps his clients wrestle with a range of business, management, regulatory, and technology issues.
He has deep and broad experience in business strategy management, business process management, enterprise systems architecture, financing, mission-critical systems, project and portfolio management, procurement, risk management, sustainability, and vendor management. Cal also chaired a Business Operational Risk Council whose membership consisted of a number of top global financial institutions.