No More Hiding in the Cloud (Taiwan)

2018.5.10
Ankwei Chen

The closely-watched US Supreme Court case U.S. v. Microsoft came to an abrupt end on April 17, 2018 after the Justices delivered a three-page per curiam opinion finding that there is no longer any point of dispute between the parties over the issue submitted to the Supreme Court.  As it turned out, the solution that both parties had mentioned in their respective briefs, and that the Justices recognized during oral argument as the most appropriate for the matter – US congressional action – materialized when President Trump signed the Clarifying Lawful Overseas Use of Data (CLOUD) Act on March 22, 2018.  The new law gives the US government a greater, and potentially controversial, ability to access private information held overseas, and with the burgeoning data privacy regimes in other countries around the world, particularly in light of the recent revelations regarding Facebook and Cambridge Analytica, future challenges may have substantial international implications.  This short article will provide a summary of the U.S. v. Microsoft case, the issues that the CLOUD Act addresses and the mechanism it uses, followed by questions that still need to be answered.

In December 2013, federal agents applied to obtain a Section 2703 warrant (18 U.S.C. §2703) to be served on Microsoft requiring it to disclose certain emails of an account in relation to a drug trafficking matter that the agents were investigating.  Microsoft sought to quash the warrant in the US District Court for the Southern District of New York.  The District Court declined to quash the warrant in 2014 (and held Microsoft in contempt for failure to comply), but the Second Circuit Court of Appeals reversed.  The US government thus brought this case on appeal to the Supreme Court on June 23, 2017, and certiorari was granted on October 16, 2017.

At the heart of the case was the Stored Communications Act (“SCA”), a part of the Electronic Communications Privacy Act that was enacted by the US Congress in 1986 in light of the potential that information may be more and more stored in electronic form, but such electronic information was not yet afforded the same legal protections against unauthorized disclosure as letters in sealed envelopes or spoken communications.  As mentioned above, Section 2703 sets out protection of communications in electronic storage from unwarranted search and seizure by law enforcement, as well as the methods and circumstances by which law enforcement officers may obtain such information, which is explicitly stated as “…only pursuant to a warrant issued…by a court of competent jurisdiction.” Before its amendment by the CLOUD Act, Section 2703 had no language whatsoever regarding whether such communications are still protectable if they are stored electronically overseas.  As a result, the main legal conflict in U.S. v. Microsoft was one of statutory interpretation, but not over whether the SCA has extraterritorial application; the parties recognized that pursuant to the Supreme Court’s decision in Morrison v. National Australia Bank Ltd., the lack of express congressional intent meant that no extraterritorial application may be read into Section 2703.  Instead, the US government argued that the lack of extraterritoriality for Section 2703 is irrelevant because the relevant conduct would have all taken place within the United States, as the warrant was served on Microsoft, a domestic company, in the United States, and the information will be ultimately disclosed in the United States as well.
Microsoft countered that the SCA is about protecting stored information instead of disclosure of stored information, thus where the information is disclosed is irrelevant, and the government cannot get around the fact that at least some part of the actions it is demanding that Microsoft perform will necessarily have to occur in a foreign country, which puts it outside the scope of a warrant as warrants cannot be enforced outside US territory, and the government must rely on its Mutual Legal Assistance Treaty (“MLAT”) with Ireland to get such information.

At the time the oral argument hearing was held on February 27, 2018, the CLOUD Act had already been introduced as Bill H.R.4943 to the House of Representatives just days beforehand on February 6, 2018.  As such, even as the US government’s attorney explained how the bill is in effect an endorsement of the government’s power to obtain data from a provider regardless of where it is stored anywhere in the world, in responding to Justice Sotomayor’s question about the status of the bill, he nevertheless cautioned to the effect that it would be a while before the bill may become law, and it is not the Court’s practice to wait for the legislative process to resolve the case.  It is therefore surprising that the CLOUD Act found its way into the omnibus appropriations package that was passed in great haste in March to keep the US government running, even as very few representatives had actually reviewed the text of the bill.

As mentioned, the CLOUD Act unequivocally provides the SCA with extraterritorial application: The new provision (18 U.S.C. §2713) specifically states that service providers must “comply [with the SCA] to preserve, backup, or disclose the contents of…electronic communication…regardless of whether such communication, record or other information is located within or outside the United States [emphasis added].” As a counterbalance, service providers are now provided with a statutory basis (as the newly added 18 U.S.C. §2703(h)) to quash a request if they reasonably believe both of the following are present:

  • The subject whose electronic communications or data is being sought by the US government is not a citizen or lawful resident of the United States; and
  • The disclosure would bring a material risk of causing the service provider to be in violation of the laws of a “qualifying” foreign government.

This second requirement is part of the United States’ new approach in international mutual law enforcement assistance with respect to accessing electronic data, which will be discussed shortly.  Once the court receives a motion from the service provider to quash, under the new Section 2703(h)(2)(B), in addition to reviewing the above two statutory bases asserted by the service provider, the court shall also engage in a “totality of circumstances” comity analysis as to whether to rule against the government’s information request.  The CLOUD Act has enumerated some of the issues to be taken into account in this comity analysis as:

  • The interests of the United States in obtaining the information and the interests of the qualifying foreign government in preventing disclosure;
  • The likelihood the provider may be subject to penalties as a result of the conflict of laws;
  • The location and nationality of the subject whose communications are being sought and the subject’s connection to the United States;
  • The nature of the provider’s ties to and presence in the United States;
  • Importance of the information to the investigation in question;
  • Possibility that the information sought may be obtained in ways that would cause less serious negative consequences.

For situations where this §2703(h)(2) challenge is not available, either because the subject is a US citizen or permanent resident, or the foreign government in question does not “qualify”, the CLOUD Act provides a general savings clause as a backstop and merely instructs the courts that “common law standards” apply with respect to “comity analysis” as to whether the request shall be granted.  The SCA, however, has not been a frequently litigated statute with respect to conflict of laws, and it is not clear whether the factors listed in the above “totality of circumstances” comity analysis may be applied here as well (the factors are clearly based on existing conflict of laws principles).  Therefore, while the new legal mechanisms more or less explicitly address the major issues in the application of the SCA with respect to obtaining information stored abroad that were raised in the Microsoft case, as is usual with statutory language, it will still be the job of the courts to determine how these comity analysis factors may be applied in practice.

The other major purpose of the CLOUD Act is more policy-based and presents a plan to overhaul inter-government access to electronic information worldwide.  One of the US government’s positions in the Microsoft case was that despite Microsoft’s characterization otherwise, requesting access to electronic information through the traditional MLAT regime often required months of working with the other country’s law enforcement authority to obtain the authority to conduct the search and seizure of such data, and the government has further argued that since it is possible for the relevant electronic data to be stored across multiple jurisdictions, it renders obtaining information through MLATs extremely impractical in the cloud storage context.  The CLOUD Act, therefore, proposes a new system between countries by which cross-border information requests may be processed more efficiently without official MLAT requests.  This system will be codified as 18 U.S.C. §2523 and enables executive agreements to be entered between the US government and a “qualified” foreign country under which both countries will in general be able to mutually access and share information that is stored in each other’s countries, albeit with certain limitations placed on the ability of foreign governments to target specific United States persons or persons located in the United States save for certain exceptional circumstances.

To determine whether a country is “qualified”, the CLOUD Act puts the responsibility in the hands of the U.S. Attorney General, who is tasked with reviewing whether that country’s laws provide “adequate substantive and procedural laws on cybercrime and electronic evidence”, “adhere to applicable international human rights obligations”, among other factors.  Once a prospective country is determined to conform to these requirements, the Attorney General, with the concurrence of the Secretary of State, will provide Congress with a notification of how the above determination was made and submit a copy of the executive agreement.  While no approval from Congress is needed for an executive agreement, the CLOUD Act nevertheless provides some congressional oversight by stipulating a 180-day review process (revised from the bill’s original 90-day period) for Congress to issue a joint resolution of disapproval.

The passage of the CLOUD Act received support from both law enforcement as well as technology firms (who generally hold a large amount of customer data) because the law generally strived to satisfy the requirements of both sides of the issue in expressly setting out legal mechanisms in both obtaining the information and challenging overreaching requests for information, the lack of which arguably caused the legal dispute in the Microsoft case in the first place.  Furthermore, it intends to create a new regime worldwide for the sharing of information for law enforcement purposes that bypasses many of the timeliness issues involved with the traditional MLAT process, but at the same time basing the availability of such a network on the robustness of each country’s legal system and the level of compliance with international human rights obligations and the importance of privacy.  It thus appears that no side loses as a result of this new law, and the raw, untested nature of the new mechanisms is expected to become clearer once the first batch of bilateral executive agreements are reached between the US and other countries, as well as the first wave of litigation in which the lower courts will attempt to apply the statutory comity analysis factors.

However, since a substantial portion of the mechanisms depend on the construction and presence of this new global information sharing regime, a potential stumbling block would be the receptiveness of other countries with respect to US overtures in entering into such bilateral executive agreements.  The primary example of this as cited by many experts is the imminent arrival of the General Data Protection Regulation (“GDPR”) in the EU, in which Article 48 expressly prohibits the recognition and enforcement of a foreign court order requiring a service provider to release personal data unless such order is based on an international agreement, and the text cites MLATs as an example of such international agreement.  It is then questionable whether the kind of bilateral executive agreements under the CLOUD Act may fall under the same “international agreement” category.  If the US cannot work out a deal with the EU as a result of the GDPR, or with other countries that also have similar privacy laws that generally prohibit disclosure of personal information by a service provider/data controller to a foreign authority, the information sharing paradigm that the CLOUD Act envisioned for law enforcement purposes would be dramatically weakened.

Expectedly, privacy activists have also been very concerned about this information sharing paradigm.  Although the counterpart country to a bilateral executive agreement formed under the CLOUD Act may be said to be “vetted” by the US Attorney General, from the US perspective, there is no clear mechanism which will “vet” an information request from that country for a US citizen’s information stored in the US as being compliant with the laws of that country.  Moreover, the service provider is no longer prevented by US law from giving up such information to foreign law enforcement (the more potentially insidious result being that it is entirely up to the service provider to oppose such a request, and the ability or willingness to do so is untested at best), which was expressly prohibited in the previous version of the SCA.  Furthermore, neither the text of the new Section 2713 nor the amended Section 2703 speaks specifically in terms of warrants, court orders or subpoenas with respect to requests made by US law enforcement, as it is termed “a legal process” that may be “modif(ied) or quash(ed)”, which may raise questions as to the legality of such requests under current jurisprudence regarding warrantless searches.  All these issues require testing in court, which in turn requires the aforementioned executive agreements to take shape between the US and several jurisdictions.  Currently, the latest news is that the UK, fresh after breaking away from the EU, will soon be the first country to sign an executive agreement with the US, and the UK has taken measures to address the apparent lack of oversight for outbound information requests, but whether such measures are sufficient in practice remains to be seen.

Deus ex machina solutions do not happen often in law.  The issues with the previous version of the SCA were deemed sufficiently serious for the Supreme Court to take up before a clear circuit split had developed, and the timing only worked out because the CLOUD Act was included in the politically more urgent omnibus appropriations bill with minimal revisions from the original text.  Although the CLOUD Act had bipartisan political support as well as support from both sides of the Microsoft case due to the sorely needed black-letter law it provides, it remains to be seen whether its lightning-fast passage into law was a blessing or a curse.  In any case, given the unprecedented potential access to personal information by governments who enter into such agreements with the US, new developments of CLOUD Act-related practices will need to be observed closely both in the legal community as well as on a personal basis.