New law forces tech companies to surrender foreign-stored data

A recent act of Congress forces technology companies to comply with the government when it comes to surrendering user data stored in foreign countries.

The March 23 passage of the Clarifying Lawful Overseas Use of Data Act or CLOUD -- included as a rider to the omnibus budget bill -- explicitly addresses when the U.S. government can access personal data stored by tech companies on overseas servers. Specifically, it gives the government the ability to request -- through a magistrate judge's warrant -- data kept in foreign countries.

The CLOUD Act's most immediate impact was to dissolve a U.S. Supreme Court battle between the Department of Justice and Microsoft Corp. over a warrant to seize private correspondence stored on a server in Dublin, Ireland as part of a drug-related investigation. United States v. Microsoft Corp., 17-2 (U.S. Sup. Ct., filed June 27, 2017).

For the past four years, Microsoft has refused to comply with the warrant, arguing that it is an impermissible extraterritorial application of the Stored Communications Act.

According to Microsoft, the creators of the Stored Communications Act in 1986 had little conception of internet technology, and the language of the act didn't address the specific circumstances of serving a warrant to retrieve emails.

The parties argued before the U.S. Supreme Court in February, with both sides emphasizing the need for congressional action.

In light of a new U.S. Department of Justice warrant submitted under CLOUD last Friday, Microsoft filed a motion on Tuesday asking the court to dismiss the case as moot because there is no longer a live controversy.

Technology companies like Microsoft appear to be pleased with the CLOUD Act for setting up clear guidelines on when and how to comply with federal investigations relating to data kept in foreign servers.

In a recent blog post, Microsoft's president and chief legal officer, Brad Smith, praised the act for establishing "new international rules that will avoid legal conflicts and advance privacy rights and law enforcement needs together."

A representative of the Justice Department said the government did not have any additional comments beyond its court filings.

As the Microsoft case demonstrates, the CLOUD Act is also a boon for the federal government because it streamlines the procedure for acquiring foreign-stored electronic data.

It also creates a counterbalance against the only appellate decision in the country that addressed this issue, which happened to favor Microsoft's argument. (The government is seeking to vacate the 2nd U.S. Circuit Court of Appeals' decision given "serious flaws" that allegedly plague the court's reasoning.)

But a string of similar cases suggest the government has rarely struggled when it comes to accessing data held overseas.

Last year, U.S. Magistrate Judge John E. McDermott in the Central district of California ordered Alphabet Inc.-owned Google to surrender emails stored on foreign servers, pursuant to a Justice Department warrant issued under the Stored Communications Act. In Re search of information associated with accounts identified as [redacted]@gmail.com and others identified in attachment A that are stored at premises controlled by Google Inc., 16-MJ02197 (C.D., Cal., filed Nov. 3, 2016).

This marked the sixth time in 2017 that the Department of Justice persuaded a U.S. court that these kinds of warrants didn't violate the Stored Communications Act.

Cybersecurity attorneys noted that the government has explored other legal routes to acquire electronic data, such as 2703 (D) orders, which permit the collection of certain types of metadata.

For privacy advocates, the CLOUD Act represents a dangerous lowering of the threshold needed by U.S. and foreign governments to access data.

"It's a total game changer," said Camille Fischer, a fellow with the Electronic Frontier Foundation.

According to Fischer, the new law lacks language to define territorial limits for U.S. law enforcement. By the same token, she said, it also allows foreign law enforcement agencies to access data stored in the U.S. under relatively low standards.

While the act ostensibly protects Americans from being targeted by foreign governments, she said incidental collection of data may undermine these restrictions.

"It is inevitable that a lot of people will be swept up in these foreign law enforcement orders," she added.

The Electronic Frontier Foundation has long advocated for the U.S. to engage with other countries on these issues through mutual legal assistance treaties. While they tend to be slower and involve a more complex procedure, Fischer said they afford greater protection of privacy rights and due process.