Earlier this month, the Department of Justice released a White Paper and FAQ on the Clarifying Lawful Overseas Use of Data (CLOUD) Act. Enacted in March 2018, the CLOUD Act attempts to resolve the legal conflicts that arise when one country orders the disclosure of electronic data pursuant to a criminal investigation, but another country’s laws restrict or prohibit such disclosure.
Communications service providers (CSPs) with customers, offices, and storage facilities worldwide often encounter this issue, and it can be challenging to respond in the timely and efficient manner the order necessitates. According to the DOJ, many U.S.-based CSPs will not respond to foreign authority orders due to concerns about restrictions and liability under U.S. law. As a result, foreign law enforcement agencies have been forced to turn to Mutual Legal Assistance Treaties (MLATs) and request the assistance of their U.S. counterparts in obtaining a court order for the data. The MLAT process is time-consuming and burdensome and in recent years has been unable to keep up with the increasing number of requests.
The CLOUD Act takes a two-step approach to resolving these issues. First, the Act allows the U.S. to enter into agreements with trusted partner countries to expeditiously obtain access to electronic data to investigate and fight serious crime and terrorism. These partner countries must meet certain criteria, including implementing substantive and procedural protections for privacy and civil liberties. The agreements will remove any legal barriers that would otherwise prohibit companies from complying with qualifying court orders from these partner countries. Second, the CLOUD Act codifies the principle that a company subject to a country’s jurisdiction can be required to produce data the company controls, regardless of where it stores that data, at any time.
The report ultimately concludes that the CLOUD Act adequately addresses the “unsustainable” MLAT situation and supports rights-respecting countries’ efforts to investigate serious crimes. As a result, U.S.-based CSPs who receive a foreign order from a partner country to disclose information, regardless of where that information is stored, must either do so or challenge the order under that country’s laws. The provider may no longer refuse to comply with the order on the grounds that doing so conflicts with U.S. law.