The CLOUD Act has been passed by Congress and signed into law by President Trump. The measure streamlines US law enforcement access to data stored overseas and creates a mechanism for cloud computing providers to share data with foreign governments in some situations.
The CLOUD Act amends the 1986 Stored Communications Act (SCA) to resolve a long-standing impasse between cloud providers and law enforcement. Previously, the SCA did not specify whether the government can use warrants to access data that US companies have stored abroad, an ambiguity which the courts have ruled prevents extraterritorial application. This cut US law enforcement off from overseas data unless they go through a cumbersome Mutual Legal Assistance Treaty process.
Now, US law enforcement will be able to seek a warrant to access information stored abroad, when disclosing this information would not put a cloud provider in conflict with a foreign law. This change obviates the central dispute in the Microsoft v. US (the “Microsoft Ireland” case), just argued before the Supreme Court in February.
The CLOUD Act also creates a new mechanism for cloud providers to disclose data to foreign governments under certain conditions. Much to the frustration of foreign law enforcement and cloud providers who want to comply, the Stored Communications Act barred US companies from disclosing data directly to foreign governments.
Now, foreign governments with certain procedural and substantive civil liberties protections will be eligible for an “executive agreement” with the Department of Justice. With an executive agreement in place, cloud providers will be able to disclose information concerning “serious crimes” directly to foreign governments when presented with a legal, specific, reasonably justified, and independently reviewable order.
The measure moved swiftly to passage attached to an omnibus spending bill, barely a month after its introduction in Congress. Proposed amendments to the Stored Communications Act have been discussed for years, however, as has a proposed bilateral data access framework between US and the United Kingdom law enforcement that the CLOUD Act appears inspired by. Major cloud providers strongly supported the CLOUD Act not only to resolve their impasse with US law enforcement, but as a release valve to data localisation pressures internationally stemming from law enforcement access concerns.
While the UK agreement provided the template for this framework, other countries will likely line up to negotiate their own executive agreement, especially in Europe as well as other countries with legal systems based on similar principles, such as India.
