May 7, 2018
User data protection a bit CLOUDy after Microsoft case
The Clarifying Lawful Overseas Use of Data Act was enacted into law on March 23 — after oral arguments before the Supreme Court and prior to a decision in United States v. Microsoft.
The Clarifying Lawful Overseas Use of Data Act was enacted into law on March 23, intending to resolve one of the most significant U.S. Supreme Court cases this term: United States v. Microsoft, 2018 DJDAR 3369 (April 17, 2018). The unintended consequences of the act could be extraordinary and implicate disparate areas of the law, including international lawmaking, separation of powers, privacy regulation and conflicts of law.
More strikingly, the "CLOUD Act" was enacted with no legislative action or review as part of a $1.3 trillion omnibus bill. While the act arguably provides some clarity, it should also raise concerns for its lack of thorough review, its failure to provide adequate safeguards for privacy, and its potential conflicts with national and international regimes.
The Case that Started It All
The case underpinning the central issue in the CLOUD Act started in 2013, when the federal government applied for, and the magistrate judge issued, a warrant that required Microsoft to turn over "all e-mails" stored in a specific customer's email account and all "other information" related to that account. The government then served Microsoft with the warrant, directing the company to seize and produce all targeted communications within its possession. Microsoft agreed to turn over account information stored in the United States, but refused to turn over the targeted email content, which was stored in a data center in Dublin, Ireland.
Microsoft moved to vacate the warrant insofar as it compelled Microsoft's assistance in executing the warrant in a foreign country. Microsoft argued that the federal government must go through a process established by the mutual legal assistance treaty between the United States and Ireland rather than relying on the Stored Communications Act to request the email content. The government contended that it was more efficient to obtain the email content from Microsoft's data center through a warrant issued under the Stored Communications Act than through the treaty process. Microsoft did not even dispute that the treaty process was available to obtain the targeted email content.
The magistrate judge denied Microsoft's motion and concluded that the warrant issued under the Stored Communications Act was "a hybrid: part search warrant and part subpoena." Microsoft, therefore, must produce the targeted email content even if it is only stored in a data center located in Ireland. The district court then summarily affirmed.
The 2nd U.S. Circuit Court of Appeals unanimously reversed. The 2nd Circuit concluded that directing Microsoft to assist with executing the warrant to obtain the targeted email content in Ireland would be an impermissible extraterritorial application of the Stored Communications Act for two reasons. First, Congress did not expressly provide for the extraterritorial application of that act in the language of the statute. And second, the focus of the act -- "protecting the privacy of the content of a user's stored ... communication" -- also cautions against extraterritorial application. These rationales led the 2nd Circuit to conclude that the warrants can only be issued to execute searches and seizures within the United States. Perhaps most notable, the 2nd Circuit stated that its interpretation of the Stored Communications Act avoids the possibility of "conflicts with foreign laws and procedures."
The CLOUD Act and Its Relevant Provision
After oral arguments before the Supreme Court and prior to a decision, Congress enacted the CLOUD Act, which amended the Stored Communications Act to address the primary issue in Microsoft. Section 2713 of the CLOUD Act states: "A provider of electronic communication service ... shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider's possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States."
Section 2713 permits law enforcement officials, from local police officers to federal agents, to seek search warrants that compel companies like Microsoft to turn over user content and information regardless of whether that data is stored within or outside of the United States.
Moreover, Section 2713 permits the U.S. government to enter into "executive agreements" with foreign governments whereby each country would be allowed to obtain user content and information stored in the other country, irrespective of privacy laws. These agreements do not need congressional approval: executive agreements with foreign governments would be effective 90 days after notice to Congress if no joint resolution of disapproval is introduced and enacted. The agreements last for five years.
Because of the enactment of the CLOUD Act, the Supreme Court remanded Microsoft and instructed the district court to dismiss the case as moot.
Implications
While purportedly enacted to clarify the extraterritorial application of the Stored Communications Act and the primary dispute in Microsoft, the CLOUD Act raises several significant concerns.
First, it erodes existing mutual legal assistance treaty processes that result from bilateral negotiations and agreements. Each treaty is voted on by the Senate and must receive two-thirds support to pass. The CLOUD Act, however, permits the executive branch to unilaterally enter into agreements to provide governments with easier access to user content and information.
Second, the act raises significant privacy concerns. Many experts have rightly criticized the length of time it takes to fulfill a request under a legal assistance treaty. Moreover, evidence obtained through a treaty process often becomes significantly less relevant or even moot in criminal investigations.
These criticisms are dwarfed by diminished privacy protections for individuals. In enacting the CLOUD Act, Congress has implicitly concluded that efficient resolution of criminal investigations and individual safety outweigh privacy protections. But in light of recent revelations like data mining of users' data by Cambridge Analytica, privacy protections -- particularly for cross-border data -- should be paramount.
Finally, the CLOUD Act may unintentionally create a conflict of law problem, something the 2nd Circuit alluded to in its opinion. For example, the European Union is in the process of rolling out its General Data Protection Regulation. Article 48 of the GDPR prohibits a controller or processor of personal data from transferring or disclosing such data unless through a legal assistance treaty or a similar international agreement. It is unclear if "executive agreements" would comply with Article 48.
Conclusion
While the CLOUD Act was enacted with bipartisan support (and support from the technology industry), it remains an incomplete, inelegant solution to a complex issue. And as some have noted, the forecast on user data protection is still "cloudy."