After a Year on the Books, DOJ Releases White Paper on CLOUD Act
In its first official statement about the CLOUD Act – the Clarifying Lawful Overseas Use of Data Act – the U.S. Department of Justice has published a white paper, “Promoting Public Safety, Privacy and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act,” discussing its view on the law enacted in March 2018. The CLOUD Act established revised procedures for government requests for data held by technology companies outside of the U.S.
The CLOUD Act mooted a case pending last year before the U.S. Supreme Court in which Microsoft Corp. refused to produce email traffic stored on servers in Ireland. The federal government had sought the emails under the Stored Communications Act (SCA). Before the CLOUD Act was passed, the SCA did not explicitly cover whether the government could require cross-border production of electronic communications stored beyond U.S. borders.
Among its provisions, the CLOUD Act has two main features. First, it allows the U.S. government to enter into executive agreements with foreign nations that meet certain requirements to obtain electronic data for law enforcement purposes. These agreements, which help supplement the existing Mutual Legal Assistance Treaty (MLAT) process, allow data access to countries on a reciprocal basis. The Act permits such agreements only with countries that have implemented certain privacy and human rights protections.
Second, the CLOUD Act clarifies that communications service providers under United States jurisdiction may be required to provide data, regardless of where the service provider stores it. In other words, the location of the data will not allow a company to avoid a request for information, although the law does provide a means to challenge an SCA warrant aimed at the disclosure of electronic communications of non-U.S. individuals who are located outside of the country.
The technology giants have been largely supportive of the CLOUD Act. In February 2018, Apple, Facebook, Google, Microsoft, and Oath sent a joint letter urging enactment of the law to congressional leaders, arguing that it “would be notable progress to protect consumers’ rights and would reduce conflicts of law.”
On the other hand, a coalition of two dozen privacy, civil liberties, and human rights organizations published a joint letter to lawmakers urging rejection of the CLOUD Act, citing privacy and human rights concerns. In April 2018, Microsoft president Brad Smith published a blog post arguing that the CLOUD Act is an important step forward, but that further measures should be taken by government and private industry to protect public safety and preserve personal privacy. Amazon maintains a webpage explaining the Act.
Now a year after the law’s enactment, the DOJ white paper describes the policy and legal motivations for the CLOUD Act and details how it works within the existing framework governing international government cooperation when cross-border requests are made for electronic information. The second half of the white paper includes an “FAQ” section with answers to 29 frequently asked questions related to the operation of the law. The DOJ’s responses answer a broad range of questions – from basic inquiries like who can enter into a CLOUD Act agreement with the United States to more technical questions. For example, DOJ explains that the CLOUD Act is “encryption neutral” because, while it does not create new authority to compel service providers to decrypt requested communications, the CLOUD Act does not stop service providers from voluntarily decrypting requested communications.