Earlier this year, the much-anticipated case between Microsoft and the US Justice Department reached the US Supreme Court. The case concerned access to user data stored offshore, and was regarded as a defining case for the regulation of (borderless) data and cross-border access to data.
However, with the passing of the Clarifying Lawful Overseas Use of Data Act, commonly known as the CLOUD Act, on 22 March 2018, the US Supreme Court decided that the case, in which Microsoft refused to hand over emails held on its servers in Ireland to the FBI, was moot.
The CLOUD Act allows law enforcement agencies with warrants to directly access data held overseas. Under the new laws, companies are required to provide information requested by law enforcement “regardless of whether such communication, record or other information is located within or outside the United States.” This means that law enforcement won’t be blocked from accessing someone’s Outlook account just because the Microsoft server is located in a different country, such as Ireland.
However, under the CLOUD Act, companies do not have to provide the information requested by law enforcement where doing so would break that country’s laws (which may range from privacy to data protection to banking laws).
The introduction of the CLOUD Act follows extensive discussions and debates in recent years about a suitable structure for cross-border access to data that could achieve international consensus for the rules that should apply to requests for access to cross-border data. Tech companies have hailed the new laws as the much-needed modernisation of the legal framework concerning data access in light of the emergence of cloud computing and rapid technological change.
There are two key elements of the CLOUD Act:
- a mechanism for the United States to enter into an ‘Executive Agreement’ for foreign access to data stored in the United States, provided the foreign government meets a list of privacy and human rights requirements; and
- provisions for the United States to access foreign stored data.
Under the CLOUD Act, an Executive Agreement enabling foreign access to data stored in the United States can be entered into if the foreign government meets certain standards or sufficient protections for privacy. In addition, the foreign government must also agree to abide by several limitations, including:
- a prohibition on the direct or indirect targeting of U.S. citizen and resident data, including a prohibition on the foreign government from sharing that data back with the United States unless it relates to significant harm or the threat of such harm to the United States;
- a requirement that requests relate to a specific person, account, address, personal device or other identifier;
- a prohibition on the use of data to infringe on freedom of speech;
- a requirement to meet human rights standards;
- a requirement for the foreign government to agree to compliance reviews.
Once an Executive Agreement is in place, a request for access to information stored in the United States is granted without review by a federal official or court, including oversight to determine whether the request complies with the Executive Agreement or other legal protections.
United States Access to Foreign Data
Under the CLOUD Act, companies are required to provide information requested by law enforcement agencies “regardless of whether such communication, record or other information is located within or outside the United States.” The CLOUD Act provides a mechanism for a company or communications provider to challenge the order if disclosing the data would risk violating foreign law, which means the legal protections for individual privacy rights depend on the objection by a company or provider.
The ability for companies to challenge the order raises the question of what happens if the relevant foreign law does not permit the disclosure to United States law enforcement agencies. The CLOUD Act will require a court to consider the order for disclosure under a multi-factor ‘comity’ analysis to determine and assess the various (including foreign) interests at stake. Should the court determine the United States’ interest in access to the cross-border data outweighs other interests, it can order the production of the information, regardless of whether this would result in the violation of another nation’s laws.
The Australian Government has welcomed the United States’ move to introduce more powers for law enforcement agencies to access overseas data through the CLOUD Act. Minister for Law Enforcement and Cyber Security, Angus Taylor, said the CLOUD Act is a significant step in international law enforcement cooperation in the digital age.
“Given the size and scale of technology and communications companies based in the US, the CLOUD Act has the potential to be of significant benefit to law enforcement. Australia welcomes the US taking leadership on this issue,” says Taylor.