The massive US$1.3 trillion appropriations bill signed on March 23, 2018 included a separate measure called the “Clarifying Lawful Overseas Use of Data” or CLOUD Act. That bill was introduced to address the central issue in the U.S. v. Microsoft case regarding access to data stored outside the U.S. by U.S. cloud providers. Other provisions of this new law, however, may have far broader implications for U.S. cloud companies and the companies and individuals who rely on their services.
Summary of Report
- The CLOUD Act resolves the central issue in United States v. Microsoft—U.S. law enforcement agencies now have explicit legal authority to obtain electronic data from U.S. cloud and communication companies regardless of where the company stores the data.
- The Act includes provisions that allow U.S. cloud companies to challenge such efforts when their customer is not a U.S. citizen or resident and the disclosure would violate the law of “qualifying” countries, but the availability and efficacy of these protections are uncertain.
- The CLOUD Act also proposes a legal framework for expeditious international data-sharing using executive agreements and an elaborate certification process by which countries can become “qualifying foreign governments” (QFGs). Countries that do pursue and obtain QFG status will provide greater privacy protection for their citizens and residents when their information is sought by U.S. law enforcement and will be entitled to obtain electronic data from U.S. tech companies without prior approval or oversight of the U.S. Government.
- But it is not clear if other countries will be interested in pursuing QFG status. This is particularly true for the EU and its member states because the CLOUD Act may conflict with the soon-to-be effective GDPR. If so any executive agreement between the U.S. and the EU or an EU member state would require an act of the EU legislature.
- Given the growing volume of business and personal data stored in the cloud, the lack of any Congressional legislative history, and the significant uncertainties arising from the structure and terms of the CLOUD Act, cloud companies and their customers should continue to closely monitor these developments in this area. Other practical guidance steps are provided in the attached analysis.
Read the full report here.