Supreme Court: The CLOUD Act Takes Microsoft v. US Govt Off the Table

As expected, the US Supreme Court has dismissed the dispute regarding the government’s ability to access information stored on Microsoft servers located in Ireland in light of the recent passage of the CLOUD Act. The dispute, which originally arose when the government sought access to emails as part of a drug trafficking matter, has been widely seen as an important test case in defining individual privacy rights for data stored by cloud services providers, and the rights of the government to access that information when stored outside of the US.

The CLOUD Act (“Clarifying Lawful Overseas Use of Data Act”), which replaces the 32-year old Stored Communications Act (SCA), was attached to the omnibus spending bill in March and contains a number of provisions that will impact when and how government requests for information will be evaluated. At its heart, the CLOUD Act states that:

“A provider of electronic communication service or remote computing service shall comply with the obligations to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.”

The CLOUD Act goes beyond the SCA, and the need to negotiate individual Mutual Legal Assistance Treaties  (MLATs) to govern terms over the cross-border exchange of information, in two important areas:

  • Creating a mechanism to modify or quash requests that are in violation of the country where data is possessed (e.g. EU General Data Privacy Regulation), thus eliminating the current no-win situation for US corporations that receive US government requests that would violate local data privacy laws. For example, a US-based cloud service provider storing information in Ireland can now attempt to modify or negate a US government request as it would create a violation of GDPR;
  • Enabling the creation of “Executive Agreements” where the US Government can enter bi-lateral agreements with foreign governments to expedite the processing of their citizen’s data if held in the U.S. These Executive Agreements fall under the control of the US Attorney General and Secretary of State and require that those foreign governments demonstrate that it has sufficient legal protections in place to protect the privacy of US citizen data.

What are the Implications of the Cloud Act?

In spite of the support of Google, Apple and others, the CLOUD Act is already raising a red flag for privacy advocates such as the ACLU and others who worry about potential Fourth Amendment issues of unwarranted government searches without prior authorization. And, clearly, the notion of Executive Agreements created with foreign governments is enough to make a more than a few people uncomfortable in today’s polarized political environment.

For the users of cloud services, such as individuals using social media or consumer apps, the importance placed on where your data is being stored only increases. As was highlighted by last week’s Facebook testimony, people need to be more tuned into the specifics of user agreements, including research into where that provider stores your data and the presence of legal protections for privacy in that country. Unfortunately, that’s a lot of homework for those who simply want to play Plunder Pirates or share a doc with an overseas friend on Google Drive.

For organizations that utilize cloud services for business applications, the CLOUD Act simply raises the bar on the due diligence required to evaluate the variety of services providers. Some of the key considerations include:

  • Does the cloud provider provide jurisdictional assurance regarding where your data will be stored?  In spite of a market full of self-proclaimed GDPR-compatible solutions, many cloud services continue to operate with operational models that distribute processing burdens to lowest cost locations. Knowing exactly where all copies of your data is located – at all times – becomes an even greater consideration for those who store data that is subjected to regulatory compliance or data privacy mandates.
  • Can your cloud provider meet the 14-day requirement to modify or quash a disclosure request? Cloud providers must be able to understand the scope, volume, and location of information that could be subjected to a request. Cloud services built upon modern, robust technology infrastructures becomes more critical to ensure that information can be easily and efficiently indexed, searched, and reviewed in order to support one’s legal argument to modify or quash a data request.
  • Can you cloud provider create and manage legal holds against data that is the subject of a CLOUD Act request? As noted in the quotation, cloud service providers have an obligation to preserve information pertaining to an individual that is subject to a request. This means ensuring that targeted information can be suspended from normal disposition routines, stored in the system immutably, and preserved without tampering by the individual for whatever time period is required for the request to move through court proceedings.
  • Does your cloud provider support the Privacy Shield? As a successor to Safe Harbor provisions, the Privacy Shield provides a framework for how data is transferred between the EU and US, and enables a self-certification for cloud providers commit to specific data privacy protections. Firms that have made the investment here are more likely to be prepared today to address new CLOUD Act demands over time.
  • Is your cloud provider’s service build with Privacy by Design and Default? Once again borrowing from the language of GDPR, the CLOUD Act will be less of a surprise to those who have invested in the management, operational, and privacy controls reflecting the high priority they place on protecting your data. These firms are better prepared for the CLOUD Act by having data under active management, and having invested in sophisticated encryption and access control technologies to reduce the likelihood of inadvertent disclosure of data.

As an attachment to a major spending bill, the CLOUD Act escaped the public debate and scrutiny that one would normally expect from a regulatory change whose impact will be felt across a major growth area of technology. With this Supreme Court decision, coupled with last week’s Facebook testimony, expect that the debate on government vs. industry over data privacy to only intensify from here.

Originally published on Actiance.com, April 18, 2018

Share this post!

Robert Cruz

Contact Us

Tell us about yourself, and we’ll be in touch right away.