The Clarifying Lawful Overseas Use of Data Act, signed into law in March 2018
While much of the technology world has been preparing for or bracing for GDPR, Congress passed the CLOUD Act...
The Clarifying Lawful Overseas Use of Data (“CLOUD”) Act, signed into law in March 2018, provides United States law enforcement agencies access to user data such as emails and text messages stored on servers located in foreign jurisdictions. While it remains to be seen how, or even whether, the rights and obligations created by the CLOUD Act will intersect with GDPR, it seems the two are manifestations of two differing philosophies of data privacy.¹
While the CLOUD Act brings welcome certainty for companies in the technology sector, data privacy advocates are concerned this certainty comes at the price of personal privacy.
The Act supplements the Stored Communications Act (SCA) of 1986, which “governs U.S. authority to compel disclosure of electronic communications or data stored with a service provider.”² Warrants issued under the SCA were, and remain, the mechanism by which U.S. agencies may compel companies to turn over the private data of their users.
The Act extends the reach of the SCA in several important ways. First, the Act allows foreign agencies to obtain personal information stored on U.S. servers without a warrant, a procedural mechanism that ensures judicial review.³ Second, the Act allows foreign agencies to collect personal information such as emails and text messages without notifying the person whose private data is being collected.⁴ Third, the Act allows U.S. agencies to collect private data of any person regardless of the location of the data so long as a U.S. company has control or custody of the data.⁵ Fourth, the Act allows the Executive branch to enter into agreements with foreign countries that have substantially lower privacy standards.⁶
Impact for our U.S. Clients
Technology companies also laud the CLOUD Act for balancing the needs of domestic and foreign government agencies with the rights of the technology companies.⁷ Moreover, because the Act only allows entering into Executive agreements with countries that meet the specified privacy standards, the Act creates an incentive for foreign countries to update their own privacy standards.⁸ Under the rubric of the CLOUD Act, companies can challenge an order compelling production of user data, but the Act does not provide such a mechanism for individuals whose data is the subject of the order.
The Act empowers the Executive Branch to enter into agreements with foreign countries, granting agencies in those foreign countries the power to compel production of user data stored within the United States. Foreign countries entering into such agreements must meet minimum data privacy standards and agree to minimize the amount of personal data collected on United States citizens. Like other Executive agreements, Congress can object to agreements with individual foreign countries, but they will not be subject to judicial review by the courts.
While at first blush the CLOUD Act presents regulatory compliance issues, much remains unsettled. For example, because Executive agreement nations each have their own mechanism for seeking data stored in the United States, the potential implications for liability are hard to predict. Likewise, it remains unclear whether the CLOUD Act will inspire lawsuits by customers whose data is produced to government agencies, filed against service providers for failing to challenge the data request.
Visit us here: www.beazley.com